Insider identity theft can be most damaging
Posted by Robert Siciliano on November 6th, 2009
Robert Siciliano is a NextAdvisor.com Expert Guest Blogger
Company networks are like candy bars, hard on the outside, soft and chewy on the inside.
Earlier this week, an IT employee was indicted for stealing the identities of 150 of his coworkers at Bank of New York Mellon, to the tune of 1.1 million bucks. He bilked almost $140,000 a year over an eight year period by compromising the online bank accounts of numerous employees and wiring money to fraudulent accounts outside the bank.
This is a classic case of the fox watching the hen house. This guy was an insider terrorist, looking his colleagues straight in the eye and lying to them. I rank him with pedophiles and serial killers.
As much as 70% of all identity theft is committed by someone with inside access to organizations such as corporations, banks, or government agencies, or by someone who has an existing relationship with the victim. People with access to sensitive personal data are most likely to commit identity theft. For many, it’s just too easy not to.
An identity thief begins by acquiring a target’s personal identifying information: name, Social Security number, birth date and address, account information etc. If the thief has regular access to a database, this data is right there for the taking. Many credit applications and online accounts request current and previous addresses. So the thief fills out the victim’s current address as “previous” and plugs in a new address, usually a P.O. box or the thief’s own address, where the new credit card or statement will be sent. I’m amazed that a lender or credit card company can be careless enough to send a new credit card to a relatively anonymous P.O. box. The lender just checks the victim’s credit and, since everything matches, no red flags pop up. The card is issued, the account is opened and the fun begins.
In the Bank of New York Mellon case, investigators found dozens of bank and credit statements in the names of the victims at the thief's home address.
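The address swap described above leaves traces a lender can check for. The following is an added example, not code from the original post: it flags applications that list the address on file as "previous", that mail to a P.O. box, or whose mailing address is shared by several identities (the pattern investigators found at the thief's home). The record layout, field names and sample data are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Matches "PO BOX", "P O BOX" and "POST OFFICE BOX" in a normalized address.
PO_BOX = re.compile(r"\b(?:P ?O|POST OFFICE) BOX\b")


def norm(addr):
    """Normalize an address: drop punctuation, collapse spaces, uppercase."""
    return re.sub(r"\s+", " ", re.sub(r"[^A-Za-z0-9 ]", " ", addr)).strip().upper()


def review_applications(applications, address_on_file):
    """Return {application id: [reasons]} for applications needing manual review.

    A flag is a reason to verify with the customer at the address on file,
    not proof of fraud: people do move and do use P.O. boxes.
    """
    flags = defaultdict(list)
    identities_by_mailing = defaultdict(set)

    for app in applications:
        current = norm(app["current_address"])
        previous = norm(app["previous_address"])
        known = norm(address_on_file.get(app["ssn"], ""))

        # The victim's real address demoted to "previous" so that the credit
        # check still matches while the card is mailed somewhere else.
        if known and previous == known and current != known:
            flags[app["id"]].append("address on file listed as previous")
        if PO_BOX.search(current):
            flags[app["id"]].append("mailing address is a P.O. box")
        identities_by_mailing[current].add(app["ssn"])

    # Second pass: one mailing address collecting mail for several identities.
    for app in applications:
        count = len(identities_by_mailing[norm(app["current_address"])])
        if count > 1:
            flags[app["id"]].append(f"mailing address shared by {count} identities")

    return dict(flags)


# Constructed sample data (placeholder identifiers, fictional addresses).
ON_FILE = {
    "000-00-0001": "12 Elm St., Springfield",
    "000-00-0002": "9 Oak Ave, Springfield",
    "000-00-0003": "40 Pine Rd, Springfield",
    "000-00-0004": "3 Maple Ct, Springfield",
}
SAMPLE_APPS = [
    {"id": "A1", "ssn": "000-00-0001",
     "current_address": "P.O. Box 77, Shelbyville",
     "previous_address": "12 Elm St Springfield"},
    {"id": "A2", "ssn": "000-00-0002",
     "current_address": "5 Birch Ln, Shelbyville",
     "previous_address": "9 Oak Ave., Springfield"},
    {"id": "A3", "ssn": "000-00-0003",
     "current_address": "5 Birch Ln., Shelbyville",
     "previous_address": "40 Pine Rd, Springfield"},
    {"id": "A4", "ssn": "000-00-0004",
     "current_address": "3 Maple Ct, Springfield",
     "previous_address": "88 Cedar St, Ogdenville"},
]

if __name__ == "__main__":
    for app_id, reasons in review_applications(SAMPLE_APPS, ON_FILE).items():
        print(app_id, "->", "; ".join(reasons))
```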
Think for a moment about your house or apartment, and how you might break in if you lost your keys. If a burglar knew what you know about where you hide and store your stuff, how much damage could he do? Insiders pose the same problem. They know the ins and outs of all systems in place, and can wreak havoc on your operation as long as they are employed, and sometimes even after they are let go.
The problems begin when we are forced to trust people with complete access in order to allow them to perform their required duties. Ultimately, this is a people problem and needs to be addressed as such.
It is human nature to trust each other. We are raised to be civil towards one another and to respect those in authoritative positions. It takes a significant amount of trust in your fellow human beings to drive down the street while cars are heading toward you, separated only by a thin painted line. Without trust, we couldn’t get out of bed in the morning.
To protect your business and your data, limit sources as much as possible. Minimize the personnel with access to essential systems. Supervise the supervisors. Even your good apples can eventually go bad, so limit access, even for those who are in a trusted position. And require checks and balances, with multiple layers of authorization. If one person is always watching over another person's shoulder, bad apples can't hide or execute scams. Perform due diligence. In the information age, our lives are an open book. Background checks from information brokers are crucial. Failing to do background checks increases your liability. Someone who has been previously convicted of a crime just might do it again. And if a breach of trust does occur, prosecute the guilty. Make an example that others won't forget. Public hangings are a strong deterrent.
When it comes to protecting your own identity, get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. And invest in identity theft protection. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
Robert Siciliano, identity theft speaker, discusses identity theft on Fox News.
Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.
McAfee protects 3 computers. Do you have any info on the numbers of computers the others protect?
Posted by kent on November 5th, 2009
The following post in our Reader Question series is an actual user submitted question. To maintain the integrity of the original question, we do not edit or change reader questions in any way.
Q: You state how many computers McAfee claims to protect. Do you have any info on the numbers of computers the others protect?
A: Thanks for the question. If an Internet security product has licenses for more than one PC, we list that in the chart with the price. We try to be current with all price/license information, but you should always make sure that the product you're purchasing supports the required number of PCs when you're at checkout. Here's a list of Internet security products we've reviewed that support multiple licenses:
Norton (3)
McAfee (3)
Trend Micro (3)
CA (3)
Webroot (3)
ZoneAlarm (3)
Kaspersky (3)
A bad week for Facebook, MySpace
Posted by kent on November 5th, 2009
I thought I was using hyperbole on Tuesday when I used the headline "Another day, another Facebook attack." Or maybe I should have just saved it for today. While Tuesday's news concerned a phishing attack, today's attack is far more insidious. According to the Facebook application developer that discovered the Facebook security vulnerability, it could potentially exploit Adobe's Flash plugin and Facebook's auto-login feature.
a active session, or a “auto login”-cookie and a URL which hosts a exploiting Flash file. For example when accessed, a automatic “post update” could be made, that would lure friends of the user to access the exploit URL, and the exploit would spread virally.(sic)
Basically, it works like this: you decide to share some awesome new Flash site (such as a browser-based game), not knowing that it's an exploit. You hit "share." If you have auto-login enabled, your Facebook login data is transferred to the nefarious referring site. Since you're sharing that site, others click on it. It steals their info, ad infinitum.
It's important to note that so far there's no evidence that this has actually happened. The potential was discovered by a concerned developer and reported so the hole would be closed. The folks at Facebook are aware of the problem, and they claim that no one's data has been compromised. They gave the following statement to TechCrunch:
The security of our users is a top priority for Facebook and we worked with the researcher who identified the issue to fix it. We have not received any reports that it was ever exploited.
MySpace has apparently fixed the bug, and from Facebook's statement it seems that a fix is either in-place or imminent. But it may make you wonder if there's any way, other than cutting your Internet connection, that you can protect yourself. You don't have much control over Facebook's vulnerabilities, but identity theft protection is a good way to protect yourself in the online and offline world.
Congress breached via P2P filesharing…AGAIN!
Posted by Robert Siciliano on November 4th, 2009
Robert Siciliano is a NextAdvisor.com Expert Guest Blogger
Congress is still considering the Informed P2P User Act, a law that would supposedly make it safer to use peer-to-peer file sharing software, an effort that is similar to banning mosquitoes from sucking blood. It just isn't happening. The only foolproof way to prevent accidental data leaks via file sharing programs is for IT administrators to lock down networks and prevent the installation of rogue software.
Congress suffered another embarrassing P2P breach last week, after a confidential memo regarding an ethics investigation into the conduct of thirty House members was leaked, thanks to file sharing software installed by a junior staff member. This follows similar leaks that occurred earlier this year, which revealed sensitive details regarding the security of the First Family. House leaders have ordered an "immediate and comprehensive assessment" of congressional cybersecurity policies. Rep. Zoe Lofgren, chairman of the ethics committee, pointed out that "individual error and sloppiness is always the Trojan horse of cybersecurity."
Peer-to-peer file sharing allows users to access each other's computers in order to share music, movies, software, and other files. Unfortunately, many people don’t set up their P2P programs correctly, and they unintentionally end up sharing their most important and sensitive files, including bank records, tax files, health records, and passwords. (This is the same P2P software that allows users to download pirated music, movies and software.) This can result in data breaches, credit card fraud and identity theft. I’ve seen numerous reports of government agencies, drug companies, mortgage brokers, and others discovering P2P software on their networks after sensitive data was leaked.
Savvy users lock down their file sharing software to prevent others from tooling around with their settings. If your IT abilities are scant, you should take the following precautions:
- Don’t install P2P software on your computer.
- If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is.
- Set administrative privileges to prevent the installation of new software without your knowledge.
- If you must use P2P software, be sure that you don’t share your entire hard drive. When you install and configure the software, don’t let the P2P program select data for you.
- Make sure your PC has recently updated Internet security software. P2P networks are riddled with viruses.
- Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name.
- Invest in identity theft protection. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
Robert Siciliano, identity theft speaker, discusses P2P hacks on Fox Boston.
Save $50 on Medifast purchases
Posted by Caitlin on November 4th, 2009
Medifast is a meal delivery diet program designed for rapid, dramatic weight loss. This is the most rigorous diet plan reviewed on NextAdvisor.com, and is focused on helping those who are obese or seriously overweight improve their health. Medifast is currently offering a $50 discount on purchases over $275. In order to take advantage of this exclusive discount, just click through NextAdvisor.com to Medifast's website, and enter the promotional code NOV30C when prompted at checkout. Customers who order a four week supply of Medifast meals will also receive three bonus meals and a 50% discount on shipping.
To learn more about Medifast and other meal delivery diet plans, see our reviews and comparison chart.
New Lunarpages discount coupon
Posted by kent on November 4th, 2009
There's a new coupon code for web-hosting favorite Lunarpages. "Fall24" will save you $24 off two-years of web hosting. Lunarpages is one of our favorite web hosts that we tested. While more expensive than FatCow or Hostmonster, it's a high-quality service that we really enjoyed using. To get the discount, just follow any links to Lunarpages, then enter the "Fall24" coupon code at check-out (of course, you'll leave out the quotation marks when you do that).
To get the complete rundown on Lunarpages and see how it stacks up against other web hosts, check out our web hosting comparisons and reviews.
10 ways to prevent social media scams
Posted by Robert Siciliano on November 3rd, 2009
Robert Siciliano is a NextAdvisor.com Expert Guest Blogger
For the past year, I’ve been screaming about the trouble with social media as it relates to identity theft, brand hijacking, privacy issues, and the opportunity social media creates for criminals to "friend" their potential victims in order to create a false sense of trust and use that against their victims in phishing or other scams. I predicted long ago that the problem will get a lot worse before it gets better and there’s no question about it, criminal hackers have taken hold and are in full force.
We hear about a new Twitter phishing scam almost daily, whether it’s via direct messaging or a shortened URL. My spam folder is filled with emails from Facebook phishers, requesting new login credentials, or a "friend" who’s sending me a video that’s actually a virus.
Not too long ago, it was big news when someone had their Facebook account jacked by someone who impersonated the victim, claiming to have lost their wallet in the UK and begging for a money wire. Lately, I see another story about another victim every week.
Last time I checked, Facebook had more than 400 million users and Twitter has more than 50 million. These numbers jump exponentially every month, and old and new users are still being victimized.
James Carnall, manager of the cyberintelligence division at security monitoring firm Cyveillance, says, “Social media cybersquatting is where domain name cybersquatting was ten years ago”.
Scammers aren’t just stealing identities and spreading malware. They are brand jacking in ways that are hurting companies' bottom lines. While many may not have sympathy for the bottom lines of billion dollar corporations, this hurts the little guy, too. Knock off software, hardware, merchandise, and movies ultimately cost legitimate taxpayers jobs and hurt the economy when the money is heading to criminal hackers elsewhere in the world. Liz Miller, vice president of the Chief Marketing Officer Council, says, "Counterfeiting operations are highly organized, are very global and are picking up steam because of the economy."
MarkMonitor, a company that tracks online threats for its clients, determined that phishing attacks on social networking sites increased by 164% over the past year. And in a CMO Council survey of 4,500 senior marketing executives, nearly 20% of the respondents said they had been affected by online scams and phishing schemes that had hijacked brand names. These statistics undeniably point to organized crime syndicates.
Protect yourself from social media identity theft.
- Register your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday. You can do this manually or by using a very cost effective service called Knowem.com.
- Register all your officers, company names and branded products on every social media site you can find to prevent Twitter squatting and cybersquatting.
- Get free alerts. Set up Google alerts for your name and get an email every time your name pops up online. Set up a free StepRep account for your name. StepRep is an online reputation manager that does a better job than Google does of fetching your name on the web.
- Implement policies. Social media is a great platform for connecting with existing and potential clients. However, without some type of policy in place that regulates employee access and guidelines for appropriate behavior, social media may eventually be completely banned from every corporate network. Teach effective use by providing training on proper use and especially on what not to do.
- Encourage URL decoding. Before clicking on shortened URLs, find out where they lead by pasting them into a URL lengthening service like TinyURL Decoder or Untiny.
- Limit social networks. In my own research, I’ve found 300-400 operable social networks serving numerous uses from music to movies, from friending to fornicating. Some are more or less appropriate and others even less secure. Knowem has a mind blowing list of 4600 as of this writing.
- Train IT personnel. Effective policies begin from the top down. Those responsible for managing technology need to be fully up to speed.
- Maintain updated security. Whether hardware or software, anti-virus or critical security patches, make sure you are up to date.
- Lock down settings. Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave the networks wide open for attack.
- Invest in identity theft protection. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
Robert Siciliano, identity theft speaker, discusses social media identity theft on Fox Boston.
Another day, another Facebook attack
Posted by kent on November 3rd, 2009
Internet security company Symantec is warning Facebook users about a pair of malicious email attacks that claim to come from Facebook. Both use similar messages, informing users they need to change their passwords. Originally Symantec reported that the emails contained trojans that connect to a Russian botnet. Now it seems there's a phishing attack that's coming along with it. The email's call to action, an update link, hits a faux-Facebook site designed to steal your password. There's also a version of the attack aimed at MySpace users.
Symantec reports that the emails are using the following subject lines:
Facebook account update
New login system
Facebook Update tool
As always, if you receive an email purporting to come from an online service that you use, it's best not to follow any links in the email. Always go directly to the site by entering the url in your browser. As Symantec points out, "users need to be extra careful of suspicious attachments, especially those including a “password reset” request because legitimate websites will not send an attachment for resetting a password."
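A mail filter can apply the same three signals described above to a message that claims to come from Facebook: one of the reported subject lines, an attachment, and a link whose host is not facebook.com. This is an added example, not Symantec's or NextAdvisor's code; the function names and both sample messages are constructed, and the link uses a reserved example.net host.

```python
import re
from email import message_from_string
from urllib.parse import urlsplit

# Subject lines reported by Symantec, as listed in the post (lowercased).
REPORTED_SUBJECTS = {"facebook account update", "new login system", "facebook update tool"}
BRAND_DOMAIN = "facebook.com"
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def host_is_brand(host):
    """True only for facebook.com itself or a real subdomain of it."""
    host = (host or "").lower().rstrip(".")
    return host == BRAND_DOMAIN or host.endswith("." + BRAND_DOMAIN)


def triage(raw_message):
    """Return the reasons a message claiming to be from Facebook looks like the lure."""
    msg = message_from_string(raw_message)
    reasons = []

    if msg.get("Subject", "").strip().lower() in REPORTED_SUBJECTS:
        reasons.append("subject matches a reported lure")

    off_brand_hosts = set()
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            reasons.append(f"carries an attachment: {part.get_filename()}")
        elif part.get_content_maintype() == "text":
            payload = part.get_payload(decode=True) or b""
            charset = part.get_content_charset() or "utf-8"
            text = payload.decode(charset, errors="replace")
            for url in URL_RE.findall(text):
                host = urlsplit(url).hostname
                # "facebook.com.login.example.net" starts with the brand name
                # but belongs to example.net, so it is not a Facebook host.
                if not host_is_brand(host):
                    off_brand_hosts.add(host)

    for host in sorted(off_brand_hosts):
        reasons.append(f"link leaves {BRAND_DOMAIN}: {host}")
    return reasons


# Constructed sample messages (not real captures).
SAMPLE_LURE = """\
From: Facebook <update@facebook.com>
To: user@example.org
Subject: Facebook Update tool
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Please update your account: http://facebook.com.login.example.net/update

--b1
Content-Type: application/zip
Content-Disposition: attachment; filename="update_tool.zip"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

SAMPLE_BENIGN = """\
From: Facebook <notification@facebook.com>
To: user@example.org
Subject: You have a new friend request
Content-Type: text/plain; charset="us-ascii"

See it here: https://www.facebook.com/reqs.php
"""

if __name__ == "__main__":
    print(triage(SAMPLE_LURE))
    print(triage(SAMPLE_BENIGN))
```

The From header is not checked because the sender address in these messages can be forged to show facebook.com.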
Check out our Internet security software ratings and reviews to find out how to better protect yourself from online attacks.
Can I transfer Carbonite to my new computer?
Posted by kent on October 30th, 2009
The following post in our Reader Question series is an actual user submitted question. To maintain the integrity of the original question, we do not edit or change reader questions in any way.
Q: I purchased your product about a month ago then I bought a new computer because my old one was so stinking slow. Can I transfer Carbonite to my new computer (It even has my old hard drive in it)?
A: It's a great question, but first we should clarify that while we do review and provide links to Carbonite, NextAdvisor.com is a separate company. With that out of the way, here's the answer to your question:
In short: Yes. That's the great thing about a subscription-based service like Carbonite. I found these instructions on the help section on Carbonite's web site. I'm assuming you reformatted your drive when you put it on the new machine, so the first step probably doesn't apply to you. The main thing you need to do is access your Carbonite account online and transfer your subscription to your new computer, but here are detailed steps:
1) If the computer that Carbonite is currently installed on is still in use, Uninstall Carbonite (using Add/Remove Programs from Control Panel). Otherwise, proceed to step 2.
2) Log into your account from your new computer (the computer to which you would like to transfer your subscription)
Click the My Protected Computers tab
3) If you want to transfer your subscription without restoring any files, click the Transfer button. To transfer your subscription and restore files to your new computer, click the Restore button
4) Follow the instructions to download and install Carbonite
Again, some of these steps will depend on whether or not you reformatted your drive. And if you did reformat the drive, you can use Carbonite to restore the files that were on your old machine.
Lunarpages web hosting discount for a happier Halloween
Posted by kent on October 29th, 2009
One of our favorite top-quality web hosts, Lunarpages, is celebrating the spooky season with a discount on its two-year plans. Normally, if you want their $4.95-per-month price, you have to go for a five-year plan. Currently, the discount code "Halloween" gives you that same $4.95 price on a two-year plan. This is better than their previous Football-themed discount which saved you $33.00 on the sign-up.
We really liked Lunarpages when we reviewed it. We praised the site builder and the speedy data transfer, as well as its simplified control panel. It's a great price on a really great service.
To get the discount, follow any of the links to Lunarpages from NextAdvisor.com. Select the two-year plan, and enter the code "Halloween" before hitting the "next" button.
Copyright© 2006 - NextAdvisor.com - All rights reserved.





