Posts

Personal Knowledge or “Qualifying Questions” as Authenticators

How many times have you forgotten a password? Fortunately, the website you were on only needed your username or an email address, and it would respond with a few questions for you to answer. Once you responded with what was in the system, you reset your password and you were in. Easy peasy.

What’s your favorite food? Where did you honeymoon? Your first pet’s name? Name of your first car? The name of your elementary school? Your father’s middle name? All these questions are meant to replace that used-to-be-secret, obscure word that only you and your parents would know the answer to: your mother’s maiden name.

Then came Ancestry.com, Genealogy.com, Google and, for crying out loud, Facebook. Now much of this information is available through a quick online search of public records, or it’s easy to guess if the “hacker” is an acquaintance.

I’m a member of an organization in which I have been granted access to a bank account we have. But I haven’t accessed the account in months. Since the last time I logged in, the bank instituted a qualifying question as another layer of protection. Instead of calling the other person who was also managing the account, I simply guessed the answer. “Where did you go to high school?” I didn’t know where this person went to high school, but I knew where his mother lived. I entered the name of the town and BOOM, I was in.

It shouldn’t be that easy.

1. Get a credit freeze and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

2. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano Identity Theft Speaker discussing hacked email on Fox News.

A Great Way to Ruin an Online Reputation

I’m all about transparency. But that’s just me. Not everyone is so forthright. Most people prefer to fly a click or more below the radar and never have a light shine on them. I prefer to make sure what’s being said, is said by me and not some troll. My brother used to say “the worst thing that can happen to a person is to end up on one of those stupid talk shows.” Then I proceeded to do every talk show including Howard Stern. But that’s just me.

My only regret was doing the Maury Povich show. That guy just played me and took advantage of me and used me as a pawn on his show. He would ask the audience leading questions adverse to my sound advice and continually allow the stupidest person in the room to answer. Controversy is fine, but bad, potentially deadly advice isn’t.

My point in all this? Things are heading in a direction that if you aren’t transparent, if you aren’t doing things to boost your credibility, if you aren’t “open” and someone decides to use the internet to slam you, then they automatically have the upper hand. Today a person has less control over what is said about them than ever.

Unvarnished is a new website, in beta; you need to be invited. Users connect with Facebook. PC World seems to allude to anonymous posting on Unvarnished that can only happen if someone fakes a Facebook profile. Anything in the form of anonymous posting doesn’t benefit the common good.

For example, when I read the comments in newspapers or blogs, I often see people throwing up all over everyone and saying the meanest, rudest and most hateful things. These cowards can easily do this anonymously. But none of them have the nerve to assign their actual name to it.

PC World reports Unvarnished functions like other social networking sites–especially the popular professional social networking site, LinkedIn. Users can create a profile with their resume and work information, and request reviews from their professional colleagues. The difference, of course, is that users can also “create” a profile for non-Unvarnished users–if you, say, want to leave a review of that shoddy intern from two summers ago and he/she doesn’t have a profile–no worries, you can still leave the review. Shoddy intern can then claim said profile later, if he/she so desires.

The best way to gain more control over this kind of site is to set up your own profile. It’s a start. Then build positive commentary. Another tool for online reputation management is to go to Knowem.com and claim your name on all the social media sites.

Robert Siciliano Identity Theft Speaker discussing Facebook Hackers on CNN.

9 Year Old Kid Hacks Schools Computers

Hacking has gone from “phreaking” (hacking phone systems) to “cracking” (breaking into networks for fun and fame), and over the past 5 years criminal hackers from all over the world have been targeting huge databases full of credit card numbers. But hacking is also becoming part of popular culture. The “script kiddie” from back in the day is the 9 year old today who is just very intelligent, anxious and doesn’t know anything other than technology.

Police say a nine year old boy hacked the county school system to change teachers’ and staff members’ passwords, change or delete course content, and change course enrollment. “The boy did not intend to do any serious damage, and didn’t, so the police withdrew and are allowing the school district to handle the half-grown hacker.”

“He’s a very intelligent 9-year-old,” said the police, “with no criminal intent.” Someone give that boy a lollipop.

Meanwhile, a study in New York City found that one out of 6 city teens has tried hacking. Roughly 39 percent of the New York City teens said they think hacking is “cool,” and about 16 percent admitted to trying it. Seven percent reported they hacked for money, and 6 percent said they viewed it as a viable career.

I know some are going to look at this study and slam me for even acknowledging it. However, in my own informal poll I’m seeing the same thing. Heck, I have a 4 year old that’s in the process of hacking my network. “Da-da, did you install spyware on my laptop?” Yes, but that’s beside the point!

Most kids know more about technology than their parents, which makes a ripe situation for the kid heading down a rabbit hole and the parents unable to pull him out. How can mom or dad prevent the kid from doing something bad if they don’t understand it themselves? The solution? Up your technology and security vocabulary. And install spyware on your kid’s PC; you might learn something.

Robert Siciliano Identity Theft Speaker discussing criminal hackers on Fox News.

Google Hack Whacks Passwords

Code-named Gaia after the Greek goddess of Earth, a Google single sign-on password system was hacked in December.

The NY Times reports “the intruders do not appear to have stolen passwords of Gmail users, and the company quickly started making significant changes to the security of its networks after the intrusions. But the theft leaves open the possibility, however faint, that the intruders may find weaknesses that Google might not even be aware of, independent computer experts said.”

Google is a significant part of many individuals’ and businesses’ online activities. Millions rely on Google every day to be fast, functional and, most important, secure. A breach such as this may erode the confidence of Google users, but many of them have all their eggs in one basket.

The hack occurred when a Google employee in China received an instant message over Microsoft’s IM program and clicked an infected link. Once the Google employee’s computers were hijacked, the criminal hackers obtained access to his files and credentials. This gave the bad guys access to Google.

Google has since added layers of encryption and beefed up security for its data centers and end users.

However, now is a good time to go through all your passwords and change them up.

I’ve said this multiple times. DON’T CLICK LINKS IN EMAILS AND INSTANT MESSAGES. These links are merely conveniences.  All you have to do is either go to whatever the link may be in your favorites menu or search out the site online. Spend the extra 30 seconds to leapfrog the links and go there manually.

Robert Siciliano Identity Theft Speaker discussing a Google hack on Shepard Smith with Fox News.

Scareware Incorporates Customer Service

Robert Siciliano Identity Theft Expert

Fake anti-virus software called “scareware” pops up in your browser and begins what is made to look like a legitimate scan of your hard drive. It often grabs a screenshot of your “My Computer” window, mimicking your PC’s characteristics, then tricks you into clicking on links. Pop-ups bombard you and warn you that your PC is infected with an Ebola-like virus and your PC will die a horrible death with fluids running from all ports if you don’t fix it immediately for $49.95.

Information Week reports those behind a new fake antivirus software have added a new social engineering element — live support agents who will try to convince potential victims that their PCs are infected and that payment is the cure.

The rogue software comes equipped with a customer support link leading to a live session with the bad guy. Real scammers on the other end of the chat can offer live remote access support: the victim is instructed by support to click a link that initiates remote access to their PC.

The best way to prevent seeing a pop-up for scareware is using the latest Firefox or Internet Explorer browser. An updated browser lets few, if any, pop-ups through. No pop-ups, no scareware. If you are using another browser and a pop-up pops up, shut down your browser. If the pop-up won’t let you shut it down, do a Ctrl-Alt-Delete and shut down the browser that way. Never click links in pop-ups. If the pop-ups are out of your control, do a hard shutdown before you start clicking links.

Robert Siciliano Identity Theft Speaker discussing Breach of 3.3 million Social Security numbers on Good Morning America.

Stealing Identities of the Dead

Robert Siciliano Identity Theft Expert

Stealing the identity of the living is so 2009. Stealing the identity of the dead is so wrong, and so easy. It is made even easier by public records. A provision in federal law that reformed welfare in the 1990s also created a loophole that could allow swindlers to obtain the Social Security numbers of the recently deceased.

In some states, the Registry of Vital Records and Statistics includes Social Security numbers on all certified death certificates. And anyone can obtain a death certificate from the registry for $18.

Wired reports that identity thieves filed for $4 million in tax refunds using the names of the living and the dead. A group of sophisticated identity thieves managed to steal millions of dollars by filing bogus tax returns using the names and Social Security numbers of other people, many of them deceased.

The thieves operated their scheme for at least three years from January 2005 to April 2008, allegedly filing more than 1,900 fraudulent tax returns involving about $4 million in refunds directed to more than 170 bank accounts. The conspirators used numerous fake IDs to open internet and phone accounts, and also used more than 175 different IP addresses around the United States to file the fake returns, which were often filed in bulk as if through an automated process.

The scam took advantage of the IRS’ quick turnaround in processing refunds for electronically filed returns. The IRS typically processes a refund request without verifying the taxpayer’s information — such as whether the taxpayer is alive — or confirming that the taxpayer is legitimately owed money.
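A screening step for the two gaps described above, as an added example that is not from the original post or from any IRS system: it holds refunds filed for a tax year after the filer's death and refunds from many filers routed to one deposit account. The record fields, the threshold and all sample data are constructed assumptions.

```python
from collections import defaultdict, namedtuple
from datetime import date

# One e-filed return as a screening step would see it (field names are assumptions).
Return = namedtuple("Return", "rid ssn tax_year refund account")

# Constructed sample data. SSNs use the 9xx range, which is not issued as SSNs.
RETURNS = [
    Return("R1", "900-00-0001", 2006, 2100, "ACCT-A"),
    Return("R2", "900-00-0002", 2006, 2150, "ACCT-A"),
    Return("R3", "900-00-0003", 2006, 2080, "ACCT-A"),
    Return("R4", "900-00-0004", 2006, 1900, "ACCT-B"),
    Return("R5", "900-00-0005", 2005, 800, "ACCT-C"),
    Return("R6", "900-00-0006", 2007, 2300, "ACCT-D"),
]

# Constructed death records (SSN -> date of death), standing in for SSA data.
DEATHS = {
    "900-00-0003": date(2004, 3, 2),
    "900-00-0005": date(2005, 8, 19),
    "900-00-0006": date(2003, 11, 30),
}


def deceased_filers(returns, deaths):
    """IDs of returns for a tax year later than the filer's year of death.

    A return for the year of death itself is allowed: the executor or
    survivors file a final return for that year.
    """
    return [r.rid for r in returns
            if r.ssn in deaths and r.tax_year > deaths[r.ssn].year]


def shared_accounts(returns, max_filers=2):
    """Deposit accounts receiving refunds for more than max_filers distinct SSNs.

    The reported scheme sent about 1,900 refunds to roughly 170 accounts,
    so each account collected refunds for many different filers.
    """
    filers = defaultdict(set)
    for r in returns:
        filers[r.account].add(r.ssn)
    return {acct: sorted(ssns) for acct, ssns in filers.items()
            if len(ssns) > max_filers}


def hold_for_review(returns, deaths, max_filers=2):
    """Map return ID -> list of reasons the refund should be held."""
    reasons = defaultdict(list)
    for rid in deceased_filers(returns, deaths):
        reasons[rid].append("filer deceased before tax year")
    shared = shared_accounts(returns, max_filers)
    for r in returns:
        if r.account in shared:
            reasons[r.rid].append(
                f"account {r.account} used by {len(shared[r.account])} filers")
    return dict(reasons)


if __name__ == "__main__":
    for rid, why in sorted(hold_for_review(RETURNS, DEATHS).items()):
        print(rid, "->", "; ".join(why))
```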

Generally, a death is reported to the Social Security Administration in a relatively timely fashion, but not always. As far as I can tell there is no form for merely “reporting a death” to the IRS. However, the IRS demands a final accounting, and it’s up to the executor or survivors to file the paperwork. When a taxpayer dies, a new taxpaying entity – the taxpayer’s estate – is born to make sure no taxable income falls through the cracks.

The 3 credit bureaus maintain a list of deceased based on the Social Security Administration’s data. However it can take a months for the bureaus to update their databases with information from the SSA. By contacting the credit agencies directly, you can report a death and have more confidence that the information will be used immediately.

Robert Siciliano Identity Theft Speaker discussing Social Security numbers on Fox News.

Caller ID Spoofing Becoming Illegal

Robert Siciliano Identity Theft Expert

AP reports that using false caller ID with the intent of tricking people into revealing personal information or otherwise causing harm would become illegal under legislation that passed the House Wednesday. The legislation would only outlaw the use of spoofing technology when the intent is to deceive and harm the recipient of the call. Legitimate uses of the technology, such as a domestic abuse shelter changing its number to protect an occupant of the shelter, would still be permitted.

Caller ID spoofing is the practice of causing the telephone network to display a number on the recipient’s caller ID display which is not that of the actual originating caller. Similar to e-mail spoofing, which can make it appear that a message came from any e-mail address the sender chooses, caller ID spoofing can make a call appear to have come from any phone number. Most people trust caller ID and are unaware of caller ID spoofing. This is obviously a flawed system ripe for fraud.

Legitimate uses of caller ID spoofing have included:

A domestic abuse shelter changing its number to protect an occupant of the shelter.

Law enforcement disguising themselves when trying to nab suspects.

Someone is trying to evade child support and caller ID spoofing may be a legitimate tool to find them.

Someone who suspects a cheating spouse may use it to do their own investigations.

Doctors on call wanting to block their number may need to change a caller ID if the client requires a phone number to show when calling.

Nefarious uses of caller ID Spoofing have included:

A crazy woman used the caller ID of a pharmacist to trick a romantic rival into taking a drug used to cause abortions.

Spoofing during political campaigns to mislead voters or get voters angry at a candidate they mistakenly think is calling them, perhaps in the middle of the night.

Criminals are also using caller ID of a bank, credit card company, retailer or other phone number to scam someone into revealing Social Security, bank account or credit card numbers. In New York City police busted an identity theft ring that used caller ID spoofing to steal more than $15 million from 6,000 victims.

Robert Siciliano Identity Theft Speaker discussing Scammers and Scambaiters on Fox Boston.

Scammers Bait 40,000 Facebook Victims with Ikea Gift Card

Robert Siciliano Identity Theft Expert

It’s just a matter of setting up a fake Facebook page and marketing it to a few people who then send it to their friends and it goes somewhat viral. The Ikea scam hooked 40,000 unsuspecting victims with the promise of a $1,000 gift card.

PC World reports that in the past months, fan pages have popped up all over the social networking site, offering too-good-to-be-true gift cards. There’s the $500 Whole Foods card, the $10 Walmart offer, and the $1,000 Ikea gift card. The Ikea page put these gift card scams on the map last month, when it quickly racked up more than 70,000 fans before being snuffed. Facebook has also taken down Target and iTunes gift card scam pages in the past few months.

To get the gift card, users must enter their name, address and email address. They are then pointed to other pages where real products and services are offered. From there they enter credit card details if the offer appeals to them.

This scam is believed to be perpetrated by affiliate marketers who make money on click-throughs and create a ruse to gather data on potential customers, also known as a “sucker list.”

In general, there shouldn’t be any traditional identity theft as it relates to new account fraud as long as requests aren’t being made for Social Security numbers, and the “victim” isn’t giving one out. Otherwise I don’t see this scam as harmful, but it is certainly deceptive.

Robert Siciliano Identity Theft Speaker discussing Facebook Hackers on CNN.

1.5 Million Americans Have Been Victims of Medical Identity

Robert Siciliano Identity Theft Expert

The Smartcard Alliance has released an in-depth report called “Medical Identity Theft in Healthcare.”

While identity theft is a global issue that garners much media attention, most do not realize that medical identity theft is a serious and growing threat. Many authorities consider medical identity theft one of the fastest growing crimes in America. With the digital age of healthcare upon us, the risks are expected to increase as electronic medical records become more prevalent and the exchange of this data over expanding networks becomes more pervasive. Heightened concern over personal data security and privacy highlight the importance of having secure electronic medical identities.

According to a recent Ponemon Institute study, nearly 1.5 million Americans have been victims of medical identity theft with an estimated total cost of $28.6 billion–or approximately $20,000 per victim. [1] Further evidence of the significance of the medical fraud problem is the allocation of $1.7 billion for fraud detection in the 2011 U.S. Health and Human Services Department budget. [2] In 2009, 68 reported healthcare data breaches in the U.S. put over 11.3 million patient records at risk of exposure.

Patients whose medical identities are stolen face serious lingering effects. Fraudulent healthcare events can leave erroneous data in medical records. This erroneous information–like information about tests, diagnoses and procedures–can greatly affect future healthcare and insurance coverage and costs. Patients are often unaware of medical identity theft until a curious bill or a surprising line of questioning by a doctor exposes the issue. Then, the burden of proof is often with the patient and it can be difficult to get the patient’s legitimate medical records cleaned up. The consequences can also be life threatening and can lead to serious medical errors and fatalities.

Identity theft prevention services generally will not protect you from medical identity theft. However, if your information is out there on the Net and being scanned constantly by the identity theft protection service, then your risk is lowered. Furthermore, I’m all about layers of protection. If your identity is protected from new account fraud via credit monitoring or credit freezes, then the thief may use another identity that has fewer restrictions.

Robert Siciliano Identity Theft Speaker discussing Medical Identity Theft on the CBS Early Show

Do You Spy on Your Spouse?

Robert Siciliano Identity Theft Expert

Generally, in a trusting relationship spying isn’t necessary. I’m sure Sandra Bullock, Kate Gosselin or Tiger Woods’ wife didn’t think they needed to spy on their husbands, until they did. Reckless behavior like that can bring home a very itchy or very deadly disease. One that victimizes the innocent.

The fact is humans have a tendency to lie.  Lying is generally done to protect people from the consequences of their actions or to protect others from the emotional hurt because of what they did.

Spying generally occurs when trust is broken or intuition kicks in and someone senses something is askew. Spying is easier today than it’s ever been. According to a recent survey polling 1,000 men and women of various ages, incomes, and locations in the United States, there’s a 38 percent chance you would spy if you’re 25 or younger.

Among respondents, 38 percent of those 25 years old or younger admitted to snooping on their boyfriend’s or girlfriend’s messages, and 36 percent of those who are married admitted to checking their spouse’s e-mail or call history.

Spying can be accomplished by simply picking up a person’s phone and looking at the incoming and outgoing calls and text messages. Mobile phone spyware is readily available and can monitor almost every aspect of a phone’s use remotely.

Small wireless cameras installed in lighters, pens, clocks, smoke detectors and just about anything else are readily available. Commercially available spyware can easily be installed on a person’s computer. Undetectable hardware called “key catchers” can be installed in the PS/2 or USB ports, piggybacking on the person’s keyboard and logging all their keystrokes.

Identity thieves are using the exact same technologies.

Robert Siciliano Identity Theft Speaker discussing Facebook Hackers on CNN