
6 More Holiday Shopping Tips

My goal is to not enter a single mall this holiday season. If I can do the majority of my holiday shopping at trusted online retailers, and the rest at Costco, then I’ve done well. To me, malls seem to be places for people with lots of time on their hands to drive around looking for parking spots and then stand in line with other people who apparently all enjoy being annoyed by each other’s pushiness. But maybe that’s just me.

Keep safe and sane this holiday season:

1. Look for indications of online security. Depending on your browser, there may be an icon of a yellow lock at the top of the window, near the address bar, or at the bottom, near the taskbar. If the website is secure, the yellow lock should be closed. Some browsers use a color coding system, displaying red to indicate that a website is not secure and may potentially be infected, or green to indicate that it’s okay.

2. Update your operating system. If your computer’s operating system is out of date, it may invite trouble when heading out to the wild, wild web. Go to your security center to download the latest critical security patches.

3. Update your browser. While your operating system may be up to date, which would mean that Internet Explorer is most likely up to date as well, if you are using Chrome or Firefox, you may need to update manually. Select “About” in your browser’s toolbar to check for updates.

4. Protect your computer with antivirus software. Antivirus protection that includes a firewall will, in most cases, shield you from “drive by downloads” and other malware. Even a major online retailer with a secure website can be vulnerable to criminal hackers.

5. Beware of phantom websites. Criminals love to pull the wool over unsuspecting eyes. One technique is to use “black-hat SEO” to place fake websites at the top of organic search results. Customers who attempt to make purchases via these fake websites are unknowingly transmitting credit card numbers directly to the hackers, and it’s safe to assume they’ll never receive the products they believe they’ve purchased.

6. Check credit card statements often. I still have to search the Internet for the names of unfamiliar retailers that appear on my credit card statements with unauthorized charges. Check your statements online weekly, and dispute unauthorized charges within 60 days.

Most major online retailers are already using multiple sophisticated fraud prevention procedures to protect you. Oregon-based iovation Inc. is one hot technology company offering a device reputation service that alerts businesses to suspicious behavior such as someone attempting to hijack your account or use your stolen credentials (and many others’) to steal from online businesses.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

6 Tips for Cyber Monday

Bad guys know perfectly well that when the online bargains begin after Thanksgiving, specifically, on the Monday after Thanksgiving, you will be providing your credit card number to retailers all over the world.

1. Go big. Do your online business with major retailers, or those you already know, like, and trust. The chances of a major online retailer stiffing you, or of their database being compromised, are slimmer than those of an unknown.

2. Do your homework. If you search for a particular product and wind up at an unfamiliar website, do some research on the retailer before putting down your credit card number. Search for the company’s name and web address to see if there have been complaints.

3. Don’t give out more personal data than necessary. Many retailers require your name, address, phone number, and credit card information. This is normal. But if you are asked for anything beyond that, like bank account numbers or your Social Security number, run hard and fast.

4. Vary your passwords. Often, online retailers will ask you to register with their website when you make your first purchase. Never register using the same password you’ve already used for another website. Otherwise, if one website is hacked, your password could be used to infiltrate your other accounts.

5. Use HTTPS sites. Websites that have a secure checkout process, with “https://” in the web address (as opposed to “http://”) are safer.

6. Print out and save online receipts. Keeping track of what you bought, where, and for how much can become confusing when making multiple purchases online. You need to pay close attention to your purchases in order to reconcile your credit card statements.

Smart retailers are already protecting consumers behind the scenes by implementing multiple layers of fraud protection. One very effective fraud detection technology is the use of device identification and device reputation to alert businesses to known fraudsters on their site. iovation Inc. provides this service, taking it to another level by analyzing the device’s reputation and assessing risk on each transaction.

“The most reputable online sites all ramp up their security processes during the holidays,” says Molly O’Hearn, iovation’s VP of Operations & Co-founder. “This is a very good thing for online consumers because this is the time of year that your identity and credit card information is most at risk.”

Whether you are buying electronics as gifts this holiday season, or sports and entertainment tickets for friends and family, iovation is working hard in the background of these sites to keep the bad guys out so you can have a safe and fun experience.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit card fraud on NBC Boston. Disclosures

5 Security Considerations for a Mobile Phone

Nielsen reports “We are just at the beginning of a new wireless era where smartphones will become the standard device consumers will use to connect to friends, the internet and the world at large. The share of smartphones as a proportion of overall device sales has increased 29% for phone purchasers in the last six months; and 45% of respondents indicated that their next device will be a smartphone.”

Mobile users have recently captured the attention of cyber criminals. The Department of Homeland Security and the STOP. THINK. CONNECT. program recommend the following tips to help you protect yourself and to help keep the web a safer place for everyone.

You can protect yourself from cyber criminals by following the same safety rules you follow on your computer when using your smartphone. These rules include:

Access the Internet over a secure network: Only browse the web through your service provider’s network (e.g., 3G) or a secure Wi-Fi network.

Be suspicious of unknown links or requests sent through email or text message: Do not click on unknown links or answer strange questions sent to your mobile device, regardless of who the sender appears to be.

Download only trusted applications: Download “apps” from trusted sources or marketplaces that have positive reviews and feedback.

Be vigilant about online security: Keep anti-virus and malware software up to date, use varying passwords, and never provide your personal or financial information without knowing who is asking and why they need it.

Don’t jailbreak an iPhone: Most of the infections that have plagued iPhone users occur when the phone is jailbroken. “Jailbreaking is the process of removing the limitations imposed by Apple on devices running the iOS operating system. Jailbreaking allows users to gain full access (or root access) to the operating system, thereby unlocking all its features. Once jailbroken, iOS users are able to download additional applications, extensions and themes that are unavailable through the official Apple App Store.” Jailbroken phones are much more susceptible to viruses once users skirt Apple’s application vetting process, which ensures virus-free apps.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto.

Judge Says It’s OK to Post Social Security Numbers Online

B.J. Ostergren is a proud Virginian. She’s known as “The Virginia Watchdog,” but I like to call her “The Pit Bull of Personal Privacy.” She is relentless in her efforts to protect citizens’ privacy, and her primary concern is the posting of personal information online. To make this point, she finds politicians’ personal information, usually Social Security numbers, on their own states’ websites, and republishes that information online.

Publicly appointed government employees known as Clerks of Courts, County Clerks, or Registrars are responsible for handling and managing public records, including birth, death, marriage, court, property, and business filings for municipalities. Every state, city, and town has its own set of regulations determining how data is collected and made available to the public.

The Privacy Act of 1974 is a federal law that establishes a code of fair information practices governing the collection, maintenance, use, and dissemination of personally identifiable information maintained in systems of records by federal agencies.

Over the years, many have interpreted this law to allow public information, including Social Security numbers, to be posted online. I’ve seen Social Security numbers for Jeb Bush, Colin Powell, former CIA Director Porter Goss, Troy Aiken, and Donald Trump, all published on the Internet.

Ostergren so embarrassed the Virginia lawmakers that they passed a law known by some as the “anti-B.J. law,” prohibiting her from doing what public officials have been doing for years.

United States District Court Judge Robert E. Payne signed an order overturning the anti-B.J. law, ruling that privacy advocate B.J. Ostergren may post public records that contain Social Security Numbers on her website, despite a 2008 Virginia law prohibiting the dissemination of such information.

While two wrongs generally don’t make a right, one has to see the irony in this case. And if Ostergren’s actions create awareness that ultimately leads to all Social Security numbers being redacted, then this wrong is right.

With more than 11 million victims just last year, identity theft is a serious concern. McAfee Identity Protection offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your financial accounts. Educate and protect yourself – please visit http://www.counteridentitytheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him explain how to protect yourself from identity theft on CounterIdentityTheft.com. (Disclosures)


5 Online Security Tips Using PayPal

Sometimes home security begins online. Many millions use and rely on PayPal for convenient and secure ecommerce transactions. But is it safe? The short answer is “yes”. The longer answer is “it depends”.

PayPal has numerous redundant measures of protection in place to protect their user accounts. PayPal falls under many of the same rules and regulations as banks and retailers. They don’t have a choice to be secure or not; they have to be.

But PayPal is just like everyone else: they are under constant attack.

Most security issues with PayPal aren’t actually with PayPal at all, but with its users.

1. Don’t click links in emails that come from PayPal. The emails may not be from PayPal but from scammers trying to phish your information. Always directly log into PayPal to access your account.

2. Don’t link your bank account to PayPal. If your PayPal account is compromised, then the money stolen will be from your bank account as opposed to your credit card account. There are many more layers of security in your credit card connected to PayPal.

3. Keep your PC security updated. Your PC is a path to PayPal, your bank or any other online accounts you have. Many of those accounts are only as secure as your PC. Make sure you have updated anti-virus, firewall, spyware detection/removal, etc.

4. Use a trusted PC. I would never use anyone else’s computer to log in to my bank or PayPal.

5. Use a trusted internet connection. Banking online or using PayPal from a free internet café invites trouble. Your best bet is a hard-wired connection from home.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing home security and identity theft on TBS Movie and a Makeover. Disclosures

Auction Fraud is the Third Most Common Internet Complaint

The Internet Crime Complaint Center fielded 303,809 reports of cybercrime in 2010. Of those cybercrime reports, auction fraud was the third most common complaint.

Auction fraud refers to fraudulent transactions on online auctions. Either a product advertised for sale is misrepresented, or purchases are never delivered at all.

The IC3’s annual report explains, “Historically, auction fraud has been the leading complaint reported by victims, with a high of 71.2 percent of all referrals in 2004. However, in 2010, auction fraud represents slightly more than 10 percent of referrals. This demonstrates the growing diversification of crimes related to the Internet.”

In other words, auction fraud is still profitable for scammers, and they’ve also discovered many new techniques for scamming consumers.

IC3 advises consumers against conducting online transactions with anyone who exhibits the following suspicious behavior:

  • The seller creates an online auction as though he resides in the United States, but responds to buyers with an email claiming he’s outside the United States for business reasons or a family emergency. Or, the seller posts the auction under one name, but asks for payment to be transferred to a different name.
  • The seller requests payment via Western Union, MoneyGram, or bank-to-bank wire transfer. This makes the money virtually unrecoverable once the victim discovers the scam. Any transaction involving a money transfer control number (MTCN) may indicate fraud.
  • The seller poses as an authorized dealer or factory representative in a country where there are no such dealers.
  • The buyer asks for a purchase to be shipped to another via a particular method in order to avoid customs or taxes.
  • The buyer uses a credit card for which the billing address does not match the shipping address. Always secure the cardholder’s authorization before shipping any purchased items.

Online classified and auction websites could prevent fraud and protect their users by incorporating device reputation management. One anti-fraud service getting lots of attention for its fast and effective results is iovation’s ReputationManager 360. This service incorporates device identification, device reputation, and real-time risk profiling. It is used by hundreds of online businesses to prevent fraud and abuse by analyzing the computer, smartphone, or tablet connecting to their online properties.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scammers and thieves on The Big Idea with Donny Deutsch. (Disclosures)

Craigslist Scammers Ship Checks Via FedEx

FedEx isn’t responsible for this scam, but their brand unintentionally lends credibility to the scammers, who reference FedEx in their scammy emails, knowing that aligning with FedEx helps their scam proliferate. It’s an insidious ruse that hurts all involved.

FedEx can and should deny suspicious online transactions. MoneyGram and Western Union could also make some effort to deter scammers. It’s hard to weed out the bad guys, but there are technologies that help.

What kind of scam am I talking about? A good friend recently called to ask what I know about check scams. He had received a $2,400 check from a major chemical company via FedEx. He had no idea why, but mentioned that he had placed an ad on Craigslist, asking $150 for an item he wished to sell, and that a deaf woman had called him through a translating service and offered to FedEx a check.

I explained that this is advance fee fraud, or a shipping scam, and that he will undoubtedly receive an email demanding that the difference be paid to shippers.

Maybe the scammer pretended to be deaf, using the translator service as a third party to scramble the caller’s location. Or maybe the buyer really was a deaf woman.

But why send a check for $2,400, and why from a chemical company? Probably because it was the only seemingly legitimate check the scammer had printed up at the time, and it’s a nice score if he sends back the $2,250 difference.

My buddy was flabbergasted to think that anyone would fall for such a scam, and insisted that if someone came to his house to pick up the purchased item and demanded he pay the purchaser $2,250, he’d punch them in the face.

Shortly after getting off the phone with me, he received this email:

“Hello Dean,

How are you doing today?

The check has been delivered via Fedex,Thanks for your honesty towards this transaction so far.Well, the overpayment is meant to cover the cost of shipment for the item alongside my other properties including tax and insurance plus the movers and agent fees.

Please deposit the check today so that it clears tomorrow after the check has cleared,All you have to do is go the bank and have the rest of the money withdrawn in cash and have it sent to the movers via money gram

Here’s the movers information below.

Name : Jason Shambaugh

Address : 2330 Contra Costa Blv

City : Pleasant Hill

state : CA

Post code : 94523

Do let me know your schedule for the week regarding pickup as i have some other properties to be moved alongside the item. Please do act accordingly as agreed after deducting your money for the item, make the rest fund available to the movers via money gram Money Transfer at any of their outlet around you or check on www.moneygram.com{click find us} and check for their outlets around and get back to me with the transfer details below (as it appears on the receipt) so i can contact the movers for the pick-up at your location ….Deduct the money gram money transfer charges from my fund also $50 for yourself (meant for any hassle or run around).

1}Sender’s name and address

2}Reference number {which is the 8 digits number on the Money Gram receipt}

3}Actual amount sent after the fee had been deducted

Hope i can trust you with the overpayment? Your Honesty and transparency will be appreciated”

The email also included the FedEx tracking information, with my friend’s address. Looking up the shipping address on Google maps reveals an office building, which most likely has some vacancies. The scammer probably has some connection to the building, allowing for anonymous shipments.

Craigslist could easily prevent the majority of these scams by using device reputation management. Many Craigslist scammers based in Ghana, Nigeria, Romania, Korea, Israel, Colombia, Argentina, the Philippines, and Malaysia spend their days targeting consumers in the developed world. But real-time device reputation checks, such as those offered by iovation, can detect computers that have been used for auction fraud and expose all of the accounts associated with the suspicious device or group of devices. This provides Craigslist and other websites with the opportunity to instantly shut down sophisticated fraud rings and thousands of fraudulent accounts.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses scambaiting on Fox News. (Disclosures)

Sex Offender Checks Won’t Stop Assaults

Match.com has begun screening for users whose names appear on public sex offender registries. As I told the E-Commerce Times, “Doing nothing is a poor option. Also, consider that not every sex offender is tech-savvy, and some will get banned.”

My first passion has always been personal security as it relates to violence prevention. I got into this business 20 years ago as a result of violence in my own life, and began to write, speak and train in self-defense. Things are no different today, except that there are now many more ways for bad guys to ensnare their victims.

Studies show online dating and matchmaking services are growing, even in a recession. More single men and women are signing up and attending speed-dating sessions than ever before. There are a couple of reasons for the increase in online dating’s popularity. First, it is cheaper to join a service than to spend money on countless bad blind dates. Second, in turbulent times, people want the comfort of a romantic partner. Having a companion to share in the fear, uncertainty, and doubt can help people vent and find relief.

Protect yourself from online dating scams and risks.

1. Educate yourself about self-defense techniques and personal security. Watch instructional videos or take a course. The single most effective self-defense offering on the planet is a program called “Impact Model Mugging,” which you can find nearby with an online search. Taking this course is worthwhile, even if you have to drive 500 miles, and bring your children. In this case, knowledge certainly is power.

2. You’ve probably heard this advice before but it merits repeating. Drive yourself to meet your date in a public, populated location, and continue to do this for the first several dates. Get to know the energy of your potential mate, learn what makes them tick, before offering your trust. Be alert for unhealthy behaviors. If they are easily irritated or make offensive jokes, move on.

3. Do not drink alcohol when meeting someone from the Internet, even with a meal. Alcohol lowers inhibitions and leads us to accept inappropriate behavior. Don’t accept drinks from anyone unless you see the drink being poured and it goes straight to your hands. Slipping drugs in drinks happens every day.

4. Be direct about splitting the bill for dinner. While this may seem extreme to some, studies show that a large percentage of men still feel that after buying a woman dinner, she “owes” him sex.

5. Get information about your date. Ask all the questions: name, address, previous address, home phone number, cell phone, place of birth, birth date, workplace, license plate, and if you can squeeze it out of them, I kid you not, get their Social Security number.

6. Do your own sex offender checks. Do background checks. Use Google and Facebook. Vet your potential mate thoroughly, since determining who you might marry is about as important as any life decision can be.

Online dating services must also take on a certain level of responsibility for members’ personal security. One option is to take advantage of new technologies such as device reputation management, which identifies user devices and analyzes their history, allowing websites to ban users whose device history indicates that they pose a threat to other users.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses dating security on E! True Hollywood Story. (Disclosures)

Prankster Creates and Kills Fake Social Media Profiles

This is just weird, but what about social media isn’t weird? We “friend” people we’ve never met. We share our plans, location, and mother’s maiden name with the world.

In New Zealand, weird can be defined as a 28-year-old Auckland woman who created and used several fake online profiles depicting young, pretty women to befriend unsuspecting high school boys.

I can definitely see my 16-year-old self falling for this.

Sometimes, after creating a fake Facebook profile, the woman would use her other online personas to break the news that her fictitious creation had been killed, referring her high-school friends to a tribute website where they could leave messages mourning the dead young woman. So far, around 40 of this scammer’s young victims have been identified.

What a bizarre prank, playing on the emotional wellbeing of a kid!

Making it even more macabre, the scammer borrowed profile pictures of real Facebook users, as well as pictures of their children, friends, and family, and created memorial videos eulogizing them. Posing as the mother of one of her creations, she informed one boy that her daughter was in the hospital after a suicide attempt.

The woman committing these acts is either extremely disturbed or extremely intelligent. Either way, it’s very creative and probably prone to copycats. This woman should be banned from the Internet entirely.

Social media sites could go a long way in terms of protecting their users by incorporating device reputation management. Once a user has been banned, device reputation allows websites to analyze the history of that user’s computer or other device, which may have been used for spam, phishing attempts, predatory behavior, profile misrepresentation, or even credit card fraud. Device reputation alerts businesses to suspicious behavior, uncovers the device’s true location, and exposes hidden relationships to other high-risk accounts and devices.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses social media scams on CNN. (Disclosures)

Teacher Bit by Social Media Identity Theft on Twitter

Here’s an identity theft story you’ll love to hate.

In Panama City, Florida, a local and respected teacher’s identity was used to create a fake Twitter profile, which spouted off derogatory comments about autistic students. The teacher works with special needs students and had no idea this was going on until she was informed by officials questioning her and the profile.

The Twitter profile included the teacher’s name, photo, and town along with the derogatory comments. People all over the world started contacting local officials demanding her ouster after they saw what “she” was writing.

When this came to the attention of the school, they immediately brought her in for questioning to determine if she was the author. Their initial questioning led them to believe she was not the author; however, they made her bring in her laptop and examined her hard drive for further investigation.

As I’ve said before, identity theft is the only crime I can think of where you are guilty until proven innocent. Once something like this happens, it can quickly and easily damage your reputation.

Online Security Tips:

Right now, grab your name on all the popular social media sites. Sign up for every one of them even if you don’t intend on using them. If your name is gone, use a hyphen or a dash. Search over 500 popular social networks and over 200 domain names for free to instantly secure your brand across the social web at Knowem.com.

Set up Google Alerts to determine if your name is being used online. You want to instantly know if someone is using your name for any reason.

The worst thing you can do is nothing. Sitting back and just letting someone use your name can damage your brand, YOU.

Robert Siciliano, personal and home security specialist to Home Security Source, discussing social media identity theft on Fox Boston. Disclosures.