Data breaches are like mice, or cockroaches
November 30th, 2009 - Posted by Caitlin
Why are data breaches like mice or cockroaches? Because for every one that you see, there are hundreds or even thousands that you don't see.
According to the FBI's top Internet crimes investigator, the public only knows about a handful of the thousands of data breaches investigated by the FBI. Because companies that suffer from data breaches fear bad publicity, they often fail to report the crime to the FBI, or wait so long that it becomes nearly impossible to track down evidence. When data theft goes unreported, the hackers are free to continue targeting more companies. And since large companies have finally begun to strengthen their data security, hackers have responded by targeting smaller companies that have fewer resources to prevent cybercrime. Since these breaches are smaller, they are less likely to be reported by the press.
If your data is compromised in a large and public data breach, you may be offered a year or two of free credit monitoring or identity theft protection. But if your Social Security data or bank account information is stolen from a small company, you may never even know. In fact, the small company itself may not become aware of the breach for months or years. To proactively safeguard your own identity, consider investing in credit report monitoring or identity theft protection before your data falls into the wrong hands.
MIT says handing over your identifying data protects you
November 30th, 2009 - Posted by Robert Siciliano
Robert Siciliano is a NextAdvisor.com Expert Guest Blogger
Identity is a simple concept that has become a complex problem. It has become complex due to fraud. Fraud, motivated by money and the ease of obtaining credit and taking over an account. Because identity has yet to be effectively established, anyone can be you.
Currently, identity is generally established when a person provides a single source of data such as a Social Security number, password, credit card number and so forth. Complicating things further, in the U.S. we have as many as 200 forms of ID circulating from state to state, plus another 14,000 birth certificates and 49 versions of the Social Security card. We use "for profit" third party information brokers and the lowly vital statistics agency that works for each state to manage the data.
According to a new proposal in New Scientist, our digital identities will be more secure if they are based on data from our everyday life, culled from cell phones and online transactions. The idea comes from the Massachusetts Institute of Technology's Human Dynamics Laboratory. The lab is a pioneer of "reality mining," which is the practice of studying how people behave by using the crumbs of digital data our actions produce.
Reality mining is "what you do and who you do it with." Or in MIT-over-my-head-speak: "Reality Mining defines the collection of machine-sensed environmental data pertaining to human social behavior. This new paradigm of data mining makes possible the modeling of conversation context, proximity sensing, and temporospatial location throughout large communities of individuals. Mobile phones are used for data collection, opening social network analysis to new methods of empirical (information gained by means of observation) stochastic (random) modeling."
Even Google can't define the word "temporospatial." Find it. I dare you.
The research is based on the use of mobile phones to provide insight into individual and group behavior. They captured communication, proximity, location, and activity information from 100 subjects at MIT over a year. This data represents over 350,000 hours (~40 years) of continuous data on human behavior. Some of the research questions include:
- How do social networks evolve over time?
- How predictable are most people's lives?
- How does information flow?
The idea is to capture and harness all this information that represents "what you do and who you do it with." Managing this would consist of the creation of a central body, supported by a combination of cellphone networks, banks and government bodies. The bank, being one of the supporters, could provide "slices" of data to third parties that want to check a person's identity.
This is different from "who you are and what you know." Currently, positive ID is only possible by using a biometric. A biometric can be either static (anatomical, physiological) or dynamic (behavioral). Examples of static biometrics include your iris, fingerprint, face, and DNA. Dynamic biometrics include your signature gesture, voice, keyboard, and perhaps gait. These are also referred to as something you are. Verification is used when the identity of a person cannot be definitely established. The technologies used provide real-time assessment of the validity of an asserted identity. We don't know who the individual is, but we try to get as close as we can to verify his or her asserted identity. Included in this class are out-of-wallet questions, PINs, passwords, tokens, cards, IP addresses, behavior-based trend data, credit cards, etc. These usually fall into the realm of something you have or something you know.
Currently, identity isn't established. There is no accountability. That's why we have identity theft. Anyone can become you just by saying so. In the meantime, until the big heads at MIT figure this out, protect your identity.
Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
Invest in identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
Robert Siciliano, identity theft speaker, discusses Social Security numbers on Fox News: http://www.youtube.com/watch?v=fqoHSACQ34U
Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.
Popular retailers decline personal checks
November 25th, 2009 - Posted by Caitlin
The Dallas Morning News points out that many popular retailers, including Diesel, True Religion, Ed Hardy, and Lululemon Athletica are no longer accepting personal checks. Gap and Whole Foods are toying with the idea, as well. Since few customers use personal checks these days, some retailers no longer consider the convenience worth the risk of check fraud. Only 4% of consumers plan to pay for their holiday purchases with checks, while more than 42% will use debit cards and 28.3% will use credit cards.
Avoiding check fraud is great, but unfortunately, debit and credit cards are also quite susceptible to fraud. Credit cards offer consumers some protection, but debit cards are less secure. If you plan on doing your shopping with a debit card or credit card this holiday season, check your statements often for unauthorized transactions. And consider investing in a credit report monitoring or identity theft protection service, to ensure that fraudulent accounts are not being opened in your name.
Hackers indicted for jacking Comcast
November 25th, 2009 - Posted by Robert Siciliano
Robert Siciliano is a NextAdvisor.com Expert Guest Blogger
A single hacked email address led to the defacement of Comcast's homepage. When the hackers called Comcast's technical contact to let him know that the Comcast homepage and all 200 Comcast domain names were vulnerable, he hung up on them.
It has not been disclosed how the email was compromised, but there are many ways it could be. According to the indictment, the hackers got control of the domain with two phone calls, and an email was sent to the company's domain registrar, Network Solutions, from a hacked Comcast email account. That gave them entry to the Network Solutions control panel for Comcast's 200 domains.
The hackers, 19 and 20 at the time, known as Defiant and EBK from a group calling themselves Kryogeniks, scrawled, "KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven" across Comcast's homepage after they were rebuffed by Comcast's technical administrator. Their one mistake was changing the contact information for the Comcast.net domain to Defiant's email address. Not a smart move from these brilliant hackers.
One method of compromising email accounts is simply going to the "forgot password" section of your email provider's website and responding to a preselected personal question that you answered when signing up for the account. With a little research, the hacker has a good shot at finding the correct answer. Some of the current questions could be answered using information found on a user's social networking profile, or through a website like Ancestry.com or Genealogy.com.
I suggest that you check out the "forgot password" section on your own web-based email account, to see your current personal question. If it's easy to answer, or would only require a little research to solve, update the question with one that you create based on opinion, as opposed to fact.
You should also beef up your password. Combine uppercase and lowercase letters, as well as numbers. Don't use consecutive numbers, and never use names of pets, family members, or close friends.
Get a credit freeze. Go online now and search "credit freeze" or "security freeze" and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.
And invest in identity theft protection. While not all forms of identity theft can be prevented, an identity theft protection service can dramatically reduce your risk.
Robert Siciliano, identity theft speaker, discusses hacked email on FOX & Friends: http://www.youtube.com/watch?v=WlD8Nu9nmCc
Mozy discount for Black Friday: Save $15-$20
November 25th, 2009 - Posted by Kent
Mozy is making dramatic price cuts on its annual online backup storage plans for Black Friday. Until November 30th you can save $15.00 off of the single year plan, and $20.00 off of the two-year plan. That brings the prices down to $39.49 and $73.96, respectively. It's a really great deal for unlimited online storage for one computer. You must use the coupon code: MOZY at the time of checkout.
See how Mozy stacks up against similar services with our online backup services reviews and comparison chart.
What happens if my files are corrupted on my home computer and then they are backed up? Will the backup also be corrupted?
November 24th, 2009 - Posted by Kent
The following post in our Reader Question series is an actual user submitted question. To maintain the integrity of the original question, we do not edit or change reader questions in any way.
What happens if my files are corrupted on my home computer and then they are backed up? Will the backup also be corrupted?
A: It depends on when your files became corrupted, when they were last backed up, and what kind of backup history your online backup provider maintains. Your online backup software will back up your data as-is, preserving any file corruption (just as it would preserve a deleted sentence in a Word document). Now, if you backed up on Saturday, and the files were corrupted on Sunday, you could simply restore the files from Saturday's backup. But what if your backup ran after the files became corrupted? What if your service backs up a file any time it's changed?
There's hope. Most online backup services such as Carbonite, SugarSync, Mozy, and IDrive offer "versioning" (sometimes called "history" or "time-line restore") meaning they save copies of different versions that you've backed up, essentially allowing you to go back in time. Here's how Carbonite works:
Carbonite will save one version for each of the previous seven days, one version for each of the prior three weeks, and one version for each of the prior two months.
So, it's possible you may be able to access older, uncorrupted versions of your files. The amount of time older files are kept depends on your service (Mozy, for instance, keeps 30 days' worth, while Carbonite keeps three months' worth, and IDrive keeps the last 30 versions). You should check the individual help section of your service provider for details.
Also note that if the corruption occurred because of a virus, you should make sure you're running Internet security software and that your virus definitions are up to date. Do this before you restore your files, so you don't risk re-corrupting your backups.
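To make the retention schedule quoted above concrete, the following added example (not code from the original post or from Carbonite) works out which versions are still held on a given day and which one you could restore from after a corruption. The function names are hypothetical, and the model assumes one backup per day, 7-day weeks, 30-day months, and that each tier keeps the copy at the end of its period.

```python
from datetime import date, timedelta

# Retention tiers quoted in the post for Carbonite.
DAILY_VERSIONS = 7     # one version for each of the previous seven days
WEEKLY_VERSIONS = 3    # one version for each of the prior three weeks
MONTHLY_VERSIONS = 2   # one version for each of the prior two months

# Assumptions (not stated in the post): one backup per day, a "week" is 7 days,
# a "month" is 30 days, and each tier keeps the copy at the end of its period.
WEEK_DAYS = 7
MONTH_DAYS = 30


def retained_ages():
    """Ages, in days before today, of the versions the schedule still holds."""
    ages = list(range(1, DAILY_VERSIONS + 1))
    for _ in range(WEEKLY_VERSIONS):
        ages.append(ages[-1] + WEEK_DAYS)
    for _ in range(MONTHLY_VERSIONS):
        ages.append(ages[-1] + MONTH_DAYS)
    return ages


def newest_clean_version(today, corrupted_on):
    """Date of the newest retained version taken before the corruption.

    A version counts as clean only if it is dated strictly before
    corrupted_on. Returns None when every retained version is corrupted.
    """
    versions = [today - timedelta(days=a) for a in retained_ages()]
    clean = [v for v in versions if v < corrupted_on]
    return max(clean) if clean else None


def recovery_report(today, corrupted_on):
    """Summarise what a restore can recover for a given corruption date."""
    clean = newest_clean_version(today, corrupted_on)
    if clean is None:
        return {"restore_from": None, "days_of_edits_lost": None}
    # Edits made after the clean snapshot and before the corruption are gone.
    lost = (corrupted_on - clean).days - 1
    return {"restore_from": clean, "days_of_edits_lost": lost}


def latest_safe_detection_delay():
    """Most days that may pass after corruption with a clean copy still kept."""
    return max(retained_ages()) - 1


if __name__ == "__main__":
    today = date(2009, 11, 24)  # constructed scenario dates
    for corrupted_on in (date(2009, 11, 22), date(2009, 11, 9), date(2009, 8, 16)):
        print(corrupted_on, recovery_report(today, corrupted_on))
    print("detect within", latest_safe_detection_delay(), "days")
```

Under these assumptions the gaps between retained versions widen with age, so corruption that goes unnoticed for a couple of weeks can cost several days of edits even though a clean copy still exists.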
Lunarpages discount: 50% off
November 24th, 2009 - Posted by Kent
Lunarpages, the web host of ever-changing discount codes, is knocking 50% off of the total cost of your order in celebration of the Thanksgiving holiday. The coupon code is: Thanks. It's actually a tremendous deal, bringing the cost of a single year's hosting to $4.48 per month, and the cost of two years down to $3.48 per month. The discount applies to your entire order, so anything extra you pick up (such as domain privacy) qualifies for the discount as well.
We like Lunarpages a lot. Their site builder is really nice, and the hosting is fast and reliable. Our only real quibble was price, but at this discount we have no complaints.
Data Breach Alert: Social Security numbers printed on postcards
November 23rd, 2009 - Posted by Caitlin
Last week, the Universal American Action Network, a subsidiary of Universal American Insurance, sent 80,000 postcards to Medicare participants throughout the country. On these postcards, printed above the recipients' names, were their Social Security numbers.
The mistake occurred because Social Security numbers are often used as Medicare account numbers. The Universal American Action Network responded by firing the vendor responsible for the mailing, and offering one year of free credit monitoring to the Medicare members whose Social Security numbers have been compromised.
As important as it is to safeguard your sensitive personal data, particularly your Social Security number, there's just no way of guaranteeing that large organizations treat this data responsibly. Once your data has been compromised by a single careless mistake, your identity is at risk. Credit report monitoring is one way to mitigate this risk. For more comprehensive prevention and detection, you might consider investing in an identity theft protection service.
Norton Internet security discount: 23% off
November 23rd, 2009 - Posted by Kent
At the moment, Symantec is offering Norton Internet Security 2010 for $53.99. That's a discount of 23% off of the regular price of $69.99. 23% is the final discount, when you apply their current 10% off coupon (SYM2010NEW) to their temporary $10.00 price reduction. Norton Internet Security 2010 was our favorite of the new crop of security software. This is a limited time offer, so interested parties should take advantage of it now.
Handwritten signature is inadequate authorization
November 23rd, 2009 - Posted by Robert Siciliano
Robert Siciliano is a NextAdvisor.com Expert Guest Blogger
Ever forge your husband's signature? Wife's? Parent's? Client's? Do you think the clerk behind the counter at Walmart is skilled in handwriting analysis? I've always viewed a signature as a totally ridiculous form of authentication and a total waste of my time. Signing my name has always been a burden and a frustrating task.
Nobody seems to know when a handwritten signature became a form of authorization. From what I can gather, it seems the modern signature was born when kings signed declarations. Eventually, villagers began signing their names to acknowledge accountability. So the signature was born during a time when we had kings and queens, moats, wizards, and dragons. And we continue to rely on this today. Not too smart.
My signature has evolved from a time-intensive, physically demanding, well-thought-out, legible spelling of my first name, middle initial, and last name, to a first initial, middle initial and last name, then to a quick scribe of what might look like an R, an S, and a squiggly line in place of my last name. Today, my signature tends to be a straight line. Who the heck came up with electronic signature pads? Stupid!
Between my driver's license, credit cards, checks, e-signature pads, and whatever contracts I fill out on a yearly basis, my signature is completely different on each document. Total inconsistency.
I spoke with Robert Baier, a forensic document examiner and handwriting analysis expert, and told him about my inconsistent signatures. Between his facial expression, shaking head and other body language, and his verbal response, I got the message that this is a bad thing. Bob is what I call the "Document Whisperer." He has savant-like talents and can size a person up by their signature. Which means I probably disturb Bob.
I don't really care about a signature. I don't know if it's because I find handwritten signatures so ridiculous or because I'm lazy with this task. The fact is, a handwritten signature provides zero proactive security. The way I see it, signing your name to any document ultimately assigns liability. If someone signs your name to a check and you call the bank and say it wasn't you, they look at the signature and determine whether it's yours or not. From there they assign liability. That's dumb.
Other than at the teller line, most banks don't actually view signature cards until there's a problem. Same with credit card issuers etc. There are a few companies that actually have given validity to the handwritten signature. One such company is Orbograph, an image-based fraud detection company north of Boston that actually looks at previous signatures and recognizes potential document fraud before loss occurs. If we are going to rely on signatures, this type of technology needs to be implemented everywhere.
Many smaller credit card purchases no longer require a handwritten signature. Visa recently announced it would mandate a move to chip and PIN technology for all Australian Visa cardholders over the next four years, with signatures no longer accepted at the check-out by 2013. This means all cardholders will have a password, as opposed to a signature.
Even though passwords aren't all that secure to begin with, a signature is even less secure, unless of course we provide the signature some credibility by implementing image-based fraud detection system-wide, or putting guys like Bob in a booth in every business district on the planet to review the legitimacy of the signature. That ain't happening. Yet we have plenty of coffee shops on every corner. Seems like our priorities are a bit skewed.
Because the system is insecure, you must protect your identity.
Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
And invest in identity theft protection. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
Robert Siciliano, identity theft expert, discusses security issues on TBS's Movie and a Makeover.

Copyright© 2006 - 2012 NextAdvisor.com - All rights reserved.
Disclosure: NextAdvisor.com is a consumer information site that offers free, independent reviews and ratings of online services. We receive advertising revenue from most of the services we review. Our editors thoroughly research and whenever possible test each service we review and offer their honest opinions about each one. We are independently owned and operated and all opinions expressed on this site are our own.
