NextAdvisor Daily » Guest Experts

Criminal hacker gets 20. Books, movies and Hollywood starlet next

Robert Siciliano — Fri, 09 Apr 2010 18:47:48 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Albert Gonzalez and his gang of criminal hackers were responsible for data breaches in retailers and payment processors, with some estimates saying they breached over 230 million records combined. Gonzalez, considered a proficient criminal hacker, provided "dumps," a term which refers to stolen credit card data, to "carders." "Carders" are the people who buy, sell, and trade stolen credit card data online.

“Gonzalez and his hacking buddies hacked into computer systems and stole credit card information from TJX, Office Max, DSW and Dave and Buster's, among other online retail outlets, in one of the largest — if not the largest — cybercrime operations targeting that sort of data thus far. They used some of the stolen numbers to remove cash from ATM machines and sold many of the other numbers to other criminals, including those in Eastern Europe.”

Gonzalez provided "sniffer" software used to intercept the credit and debit card numbers for the Russian hackers. Sniffer software or "malware" malicious software, acts like a virus attaching itself to a network and often spreading. The software allows the criminal hacker backdoor access to all the data in the server and provides remote control functionality.

Wired reports "Gonzalez earned $75,000 a year working undercover for the U.S. Secret Service, informing on bank card thieves before he was arrested in 2008 for running his own multimillion-dollar card-hacking operation."

It was reported that Gonzalez buried a million dollars in the backyard of his parents' Miami home. At one point he cracked and drew a map for investigators to find the money. WOW!

How many people in the course of history have actually dug a hole and buried a million bucks in it? I can’t wait to see the movie. I’d be happy playing a part in it. I’ll be the shovel.

Protect your identity:

If you think you're a victim of identity theft, find out how to get a credit freeze. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
Invest in anti-virus and keep it auto-updated.
With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.
Invest in identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Intelius to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Using Facebook to steal company data

Robert Siciliano — Wed, 07 Apr 2010 18:44:03 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

There is a reason why computer users are called "users." Like crack addicts who are drug users, more is never enough. And when under the influence, people do stupid things. I find myself scanning the Dell catalog like it's the latest (or any) Victoria Secrets catalog. I'm amazed at how many people I know that are online all day long and digitally stoned. The bad guy knows you are obsessed and uses this against you. He sees that you are comfortably numb here. He understands that in the virtual world you're delirious and more apt to respond to his message then log your credentials.

Steve Stasiukonis is vice president and founder of Secure Network Technologies Inc. and publishes to Dark Reading. He tested his client's network using a bogus identity, and joined the company's Facebook site and started mining the names and email addresses of individuals who identified themselves as employees.

As he collected a database full of names for a penetration test in the phish, he secured a domain name similar to that of his client. This domain name took on the appearance of a human resources or benefits portal. When he emailed the employees as "human resources," they were redirected to a Web page, such as https://www.xyzcompany-benefits.com.

He has been able to accumulate significant numbers of emails for phishing targets from Facebook and other social networking sites. When he launched his Facebook spear-phishing attack, he usually got an average response rate of 45 to 50 percent. So nearly half of the employees responded to an email with the logins and passwords they use on their employers' network.

Steve says:

– Officially sponsor the social networking site and assign an administrator who is responsible for permitting employees to join. This will help control somebody infiltrating the site for devious purposes.

– Establish a social networking policy. If your employees are participating in social networking sites (company sponsored or not) make sure company policies dictate what is and is not permissible. For example, divulging your corporate email account on social networking sites should not be permitted.

– Last but not least, if employees feel the need to gather and converse about their day-to-day work, personal lives, and hobbies, consider a corporate intranet. Maybe someday social networking vendors will launch a product that will provide the same features and benefits, but with the security tools needed to keep employees and company secrets safe. But in the meantime, it's up to you.

Sober up and protect your identity.

Protect your identity:

If you think you're a victim of identity theft, find out how to get a credit freeze. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
Invest in anti-virus and keep it auto-updated.
With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.
Invest in identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Top 8 worst Twitter social media hacks

Robert Siciliano — Wed, 03 Feb 2010 22:20:36 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger.

In the past year, the use of Twitter has increased dramatically. And so has the criminal hacker's attention to the opportunity to use it for illicit gain. Here are the top-eight worst types of Twitter social media hacks:

Jacked Twitter Accounts: Numerous Twitter (and Facebook) accounts, including those belonging to President Obama, Britney Spears, Fox News and others, were taken over and used to ridicule, harass, or commit fraud.
Social Media Identity Theft: Hundreds of impostor accounts are set up every day. Sarah Palin, St Louis Cardinals Coach Tony LaRussa, Kanye West, Huffington Post and many others have had Twitter accounts opened in their names or names similar to theirs.
Twitter Worms: Worms infiltrate Twitter sending requests to click on links that, in turn, infect user accounts and begin to multiply the message. Followers of infected accounts get the requests, and then their followers get them, causing more grief than anything else.
Twitter DOS Attack: Twitter itself was victimized by a denial-of-service attack that left the site dark for more than three hours. Reports indicated that a politically motivated attack in Russia seemed to be the cause.
Twitter used as a Botnet Controller: A Twitter account produced links that led to commands to download code to run a botnet.
Twitter Phishing: Cybercriminals use tweets to draw users to spoofed sites and trick them into entering account or financial information. It's a crime that's on the rise.
Twitter Porn: Please, "Misty Buttons" stop sending me another invite to chat or see your pics.
Twitter Spam: The use of short URLs has made Twitter's 140-character limit the perfect launch pad for spam leading to diet pills, Viagra and whatever else you don't need.

With Twitter now a part of the daily routines of millions of people, who login from home or work, it will undoubtedly play a big role in the criminal hacking community in 2010.

Protect your identity:

If you're a victim of identity theft, get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief, but it also makes it impossible for you to open any new accounts yourself.
Invest in social media protection at Knowem.com.
Go to my website and get my FREE ebook on how to protect yourself from the bad guy.
Invest in identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Intelius to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Robert Siciliano, identity theft speaker, discussing social media identity theft on CNN.

10 business identity theft risks in 2010

Robert Siciliano — Thu, 21 Jan 2010 00:02:12 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Advancements in technology over the past decade have created a tremendous amount of opportunity for the savvy businessperson. Whether it's mobility, streamlined processes, marketing, or the ability to sell to a global market, there's never been a better time to be in business.

Like anything good, there is always a negative. While there are certainly many negatives in technology, like the headaches when something doesn't work correctly and the constant learning curve we must all endure, the biggest negative is security issues.

So for the SMB (that's you, the savvy businessperson), here are ten considerations for the new decade:

Back up your back up. Numerous reports of cyber-war, thousands of new viruses weekly, and even Mother Nature reeking havoc on the Internet, have caused concern among industry professionals. Doing business in the cloud is fantastic; however, make sure you have redundant local backups of your data.

Protect against all Internet security threats, not just viruses. The sheer volume of attacks and new viruses created will keep the antivirus vendors busy. But there is no way they can keep up the pace 100% of the time. There are numerous technologies that will immunize your PC and make any virus or spyware impotent, and any data typed in your browser useless to a thief.

Social media identity theft is the act of creating a blog or social media site that models your day to day operations. At any time, someone can register domains or social media sites with your brand as the face. They then sell products that they never ship and/or do things to damage your brand. Scoop up your social media identities with Knowem.com.

Social network nitwits. One of the easiest ways into your companies' networks is via social media. The explosion of "I just made a tuna" communications has brought out the dumb in many people. The simple act of setting up a group on Facebook and getting your employees to join can open up a treasure trove of data that can facilitate social engineering attacks. Create policies and procedures that involve appropriate use.

Social engineering, the ruse of a confidence man, is back in full force. It never really went away, but with the amount of security in place, sometimes the path of least resistance is simply asking your cleaning crew for the keys to the building. By gaining the trust of employees over the phone, via email or in person, a conman can get almost anything he needs in order to get whatever he wants. The best defense is effective policies coupled with ongoing awareness training.

Insider identity theft can ruin your business. Most companies have done their due-diligence to keep the bad guy from hacking from the outside. But many organizations have neglected the risks associated with employees gone bad and the internal damage that can be done. Numerous technologies monitor and control access to sensitive information. But preventing bad employees from doing bad things starts with not hiring bad people.

Phishing scams still work. Despite consumer and employee awareness, a carefully crafted and well designed email that looks like it's coming from another employee is probably the most effective spear phish. Going after the CEO or high level executive, or "whaling," can often be even more successful. The bigger they are, the harder they fall, as they say. From my experience, it's often the smartest ones in the room that lack all common sense. Test your employees and see what they will fall for. Then test them again.

Tighten up employee remote access. Allowing Suzy Admin to access the company's VPN from a home PC that Suzy's son Steve uses to play games on servers hosted in North Korea will end up bad. Malware on a home computer can compromise user names and passwords, resulting in spyware on the network. Set up Suzy with her own laptop that's fully locked down and prevents Steve from doing anything fun.

Peer to Peer (P2P) file sharing is a fantastic way to leak company and client data to the world. Obama's helicopter plans, security details and notes on congress members being deposed were all leaked on government controlled computers via P2P. Setting admin privileges and installing numerous technologies that will prevent P2P is essential.

Identity theft will get worse before it gets better. And whether it's your identity, your family's or your employee's identity that is stolen, it can be a huge time suck and a costly event. The best defense involves a three legged stool. First, awareness training of all the scams that lure people in, and how to appropriately respond to numerous communications. Second involves a little time and investment in a "credit freeze" or "security freeze." Third is an annual investment in identity theft protection. In today's cybercrime climate, and with the recession making people desperate to make money any way they can, NOT investing in identity theft protection is, in my opinion, irresponsible. The worst thing you can do is nothing.

Robert Siciliano, identity theft speaker, discusses identity theft on Fox News.

Google gets hacked

Robert Siciliano — Mon, 18 Jan 2010 21:32:43 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Last week, Google disclosed that it had been breached by Chinese hackers, who were apparently targeting Chinese dissidents:

"The cyber-assault came to light on Tuesday when Google disclosed to the public that the Gmail Web service was targeted in a highly-organized attack in late December. Google said that the intrusion attempt originated from China and was executed with the goal of obtaining information about political dissidents, but the company declined to speculate about the identity of the perpetrator."

McAfee found evidence that the attack exploited a vulnerability in Internet Explorer. Google Enterprise president Dave Girouard blogged to inform Google App clients their data was safe: "This incident was particularly notable for its high degree of sophistication. This attack may understandably raise some questions." Girouad stated, "We believe our customer cloud-based data remains secure."

The most successful techniques of Chinese hackers involve phishing and social engineering. These hackers determine their targets, then send a "spear phish," or targeted email, to a specific employee, in which they pose as a coworker or a vendor. Once the target clicks a link, a remote control or malicious software is automatically downloaded. On a broader scale, hackers may send a blast to everyone in the company and ultimately hook a few employees, giving them access to company accounts.

The recent Google attack indicates that criminal hackers with financial incentives aren't necessarily the only ones attempting to penetrate your networks. There is a strong possibility that hacking is being sponsored by foreign governments with a much bigger agenda.

All the more reason to be aware and alert in regards to your security.

Never click on links in the body of an email. NEVER!
Always be suspect of any external or internal communications. You could be a target of a phisher.
Before divulging a user name and password in response to an email, pick up the phone to verify the legitimacy of the request.
Make sure your PC's critical security patches are updated fully and automatically.
Antivirus software must be run automatically and kept fully up to date.
It's not enough to just run antivirus software. Run a program that also protects against keyloggers.
Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
Invest in identity theft protection. Not all forms of identity theft can be prevented, but an identity theft protection service can dramatically reduce your risk.

Impostor poses as Secret Service agent and police officer

Robert Siciliano — Tue, 12 Jan 2010 00:52:25 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

At a friend's 40th birthday party, we wound up discussing my Craigslist ATM, and that led to a conversation about how easily people can be conned. One friend's new boyfriend began telling us how frequently he is able to con people in order to get into bars and clubs. "I never wait in lines," he claimed, "and I always get VIP treatment." I hate lines, too, but I have a hard time lying to get what I want.

He says he finds the phone number of the bar or club and calls ahead of time, claiming to be the manager of a Boston Celtics player and explaining that he'll be coming to the bar with a few people and that his player will arrive later. He gets the name of the club manager and someone from security. That night, he goes straight to the front of the line and drops the manager or bouncer's name and acts as if he's entitled to enter. He says his success rate is 100%, and I believe him.

When a couple can crash a formal event at the White House despite Secret Service presence, then almost anything is possible. People successfully pose as health inspectors, police officers, and even Secret Service agents. As I demonstrated on The Montel Williams Show, I once posed as a "water inspector," gaining access to people's homes by saying I needed to "check the colorization of their water." Any kind of fake badge and uniform can do wonders.

One recent example is a Massachusetts man who has been accused of posing as a Secret Service agent in order to enter the U.S. Department of Health and Human Services and pleaded guilty to disorderly conduct, trespassing, and impersonating a public official after attempting to enter a U2 concert without a ticket by impersonating a police officer:

"Authorities say he flashed what appeared to be a gold Massachusetts State Police badge and entered Gillette Stadium in Foxborough, Mass., on Sept. 21. They say he didn't have a ticket to the concert.

He repeatedly asked to see the fire chief and where the ambulances were parked. When he refused to identify himself, stadium security called police, who then arrested him."

A criminal can easily impersonate you online or in person to commit financial identity theft as it relates to new account fraud and account takeover, or to commit social media identity theft. This is why a credit freeze and an identity theft protection service are essential. Because identity theft will flourish until we are properly identified and systems are in place that point towards effective authentication and identification which leads to accountability.

Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

And invest in identity theft protection. Not all forms of identity theft protection can be prevented, but an identity theft protection service can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses imposters and home invasions on The Montel Williams Show.

I wasted four hours with a criminal hacker

Robert Siciliano — Thu, 07 Jan 2010 00:44:31 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Lately I've been coming across "advertisements" on forums, posted by criminal hackers looking to sell our stolen information. They are "carders," selling "dumps" and "fullz." Well, I decided to make contact with one of them to see what the deal is. It turns out the one I connected with was less than forthcoming, but was very persistent and more than likely has and will continue to scam people. Here is an example of a post advertising illegal services.

The hacker I contacted immediately returned my email. I told him I was a journalist and wanted to do a story on him. I couldn't have been more upfront with my intentions. I even provided him with a link to my website, but that didn't seem to matter. He just wanted my money. First he wanted me to open up an instant message and connect with him via his Yahoo email. That way we could chat. But I wasn't about to let him in via IM, because there are known hacks that can allow a bad guy into your PC via an IM service. So instead, I set up a private chat at tinychat.com.

What follows is an abridged version of our conversation. (The full version is here.) I am robertsicili, and the scammer is dskimmed2009 (how appropriate).

[11:50] robertsicili: who is here?
[11:51] dskimmed2009: yes its me man
[11:52] robertsicili: nice meeting u
[11:52] robertsicili: where are you from
[11:52] dskimmed2009: I Have told you already man
[11:52] dskimmed2009: or have u forgotten that man
[11:53] robertsicili: you havent told me
[11:53] dskimmed2009: oh okay man

He avoided the question.

[11:55] robertsicili: why did you agree to speak to me?
[11:55] dskimmed2009: what do u mean ?
[11:56] robertsicili: well, your business isnt a normal one and usually guys like you try to stay 100percent under the radar
[11:56] dskimmed2009: ahahaha
[11:56] dskimmed2009: very good man
[11:56] dskimmed2009: so u too which country are u from ?
[11:57] robertsicili: US
[11:57] dskimmed2009: VERY GOOD

"VERY GOOD" in all caps tells me right away he thinks I'm an idiot.

[11:57] dskimmed2009: I'm 27 years of age and u?
[11:57] robertsicili: im 41
[11:58] dskimmed2009: wow…….then am small boy to u right
[11:58] robertsicili: youll be 40 before you know it

More small talk, getting used to each other.

[11:59] robertsicili: what country? your english is fine
[11:59] dskimmed2009: CVV,FULZ,DUMPS,BANKLOGINS,BANK TRANSFER,WU TRANSFERS,SKIMMING,ETC

And it's down to business.

[12:00] dskimmed2009: What do you need to buy now man?
[12:00] robertsicili: all business, i get it.
[12:00] robertsicili: i want to tell your story. you are very interesting.
[12:01] dskimmed2009: yes am interesting man ok
[12:01] dskimmed2009: dont be serious let finish the deal at least today now ok
[12:01] robertsicili: i write for numerous US papers and find what you do facinating. Id like to understand your process.

This seemed to have gone right over his head because he never acknowledged it.

[12:06] robertsicili: so its not a problem for you to be public? how do you keep from being traced?
[12:06] dskimmed2009: i have many securities upon me so u dont need to be worried about that at all man ok
[12:07] dskimmed2009: becoz i do genue and valid business here with many and more costumers man
[12:07] dskimmed2009: so no one will traced upon me ok
[12:07] robertsicili: not worried, just curious, youre very smart
[12:07] dskimmed2009: why are u saying that am smart
[12:08] robertsicili: because you are able to be public, but still anonomous
[12:08] dskimmed2009: of course man becoz if i were to be bad i will never be in public annoucenment forums
[12:09] robertsicili: what is your "valid business"
[12:10] dskimmed2009: My valid business is to just do long term business with the other costumers man

He begins to tell me how honest he is with his customers.

[12:10] dskimmed2009: always i do give them what they will paid me for ok
[12:10] dskimmed2009: i dont dissapoint them as some ppl's are doing to the other costumers
[12:10] robertsicili: so you are an hoinest business man who doesnt stiff his customers.
[12:11] dskimmed2009: i never stiff my costumers ok
[12:11] robertsicili: i see you take pride in that. and you should.
[12:11] dskimmed2009: am not interesting to do that to my costumers to loose my market man
[12:11] dskimmed2009: i always want to do long term business with my costumers
[12:12] robertsicili: there must be a lot of dishonest people in your business who stiff people
[12:12] robertsicili: how long have you been doing it?
[12:12] dskimmed2009: of course and they are those who used to spoiled most of the hackers business man
[12:13] robertsicili: so you are a "hacker", do you get the data directly?
[12:13] dskimmed2009: i have been in this business for very good 17 years of age man

He loosens up a little and begins to give me history and a bit about his process.

[12:14] dskimmed2009: i use to go to Ho Minh Chin…Vietnam to hack softwares and come back to russian again man
[12:15] dskimmed2009: i have 3 types of softwares i use for my work man
[12:15] robertsicili: what are they called?
[12:15] dskimmed2009: One if for use to skimmed dumps
[12:15] dskimmed2009: software to skimmed dumps called Skimmer
[12:16] dskimmed2009: i have one too hacking software it used to hack credit card numbers and bank logins man
[12:16] dskimmed2009: i have western union bug software version 2010 with an activation code
[12:17] dskimmed2009: used to do online western union wireing and also hacking an mtcn numbers out from fullz man
[12:17] dskimmed2009: i have all types of skimming
[12:18] robertsicili: "hacking software" so on other peoples computers?
[12:18] dskimmed2009: OH YES

He's all happy now.

[12:22] robertsicili: are you russian?
[12:23] dskimmed2009: am not a russian man
[12:23] dskimmed2009: i have been there for good 8 years just to study how to hack very experiencely and perfect way man
[12:26] robertsicili: in the US we are hacked by many countries. The chinese are great hackers, Romanians too.
[12:27] robertsicili: I have heard of vietnamese hackers too but not as often.Ukraine have many good hackers
[12:27] dskimmed2009: oh yes man
[12:27] dskimmed2009: RUSSIAN,VIETNAM,THIALAND,ROMANIA,UKRAINE,NIGERIA ,GHANA
[12:28] robertsicili: Yes. All hacking Americans or all over the world?
[12:28] dskimmed2009: All those countries i just mention they contain alot of fake and good hackers
[12:29] dskimmed2009: they hack EUROPE,UK,US,CANADA,ASIA,WESTERN PART OF AFRICA

We discuss family!

[12:29] robertsicili: do you have kids?
[12:29] dskimmed2009: they hacked all over the world man
[12:29] robertsicili: ok
[12:29] dskimmed2009: i have 2 kids and my personal wife

Back to business.

[12:35] robertsicili: how do you get paid?
[12:35] dskimmed2009: they are sooo many ways of means to get money easy but they dont like it on that way
[12:36] dskimmed2009: Through Western Union,Money Gramm,Liberty Resrve and Web Money
[12:38] dskimmed2009: u can also do western union online transaction money transfer with fullz
[12:39] robertsicili: define fullz
[12:39] dskimmed2009: fullz contain , SSN : SOCIAL SECURITY NUMBERDOB : DATE OF BIRTHDL : DRIVING LINCENSEMMN : MOTHER MAIDEN NAME
[12:40] robertsicili: I now understad fullz, but how do I turn that data into money?
[12:40] dskimmed2009: i will teach u if u buy either the fullz or the software ok
[12:40] dskimmed2009: u will just process and operate the software thats all
[12:41] robertsicili: how much for the software?
[12:41] dskimmed2009: 700$
[12:41] robertsicili: damn!~
[12:42] dskimmed2009: Don't make noise
[12:42] dskimmed2009: i can reduce the price for u if u are ready at any time ok
[12:42] dskimmed2009: am not difficult hacker ok\

Such a great guy and all around good business man. Now I want more details. I want raw data, I want proof.

[12:48] robertsicili: when you get a chance send me samples of what I can get with the software. CVV2?
[12:49] dskimmed2009: all my software are containing security password and codes so i cant just give out like that man
[12:49] dskimmed2009: unless u have make payment for it
[12:49] dskimmed2009: b4 i can give u man

He is refusing to send me samples of data he hacked. I'm beginning to think he has nothing.

[12:50] robertsicili: if im going to make an investment in your softwareI need to understand what it does.
[12:51] dskimmed2009: it will hack the amount on the fullz as mtcn numbers for u to get out with the rest of the infomations man
[12:51] robertsicili: what is mtcn
[12:52] dskimmed2009: Money Transfered Control Number

But he never tells me what it does or how it works. I spend the next hour trying to pull that from him.

[12:54] robertsicili: you sell logins, how do you get them?
[12:55] dskimmed2009: bank logins ?
[12:55] robertsicili: is that what you sell?
[12:55] dskimmed2009: i have software to hack that from bank personal and company account's
[12:55] dskimmed2009: yes i sell bank logins too man
[12:55] dskimmed2009: CVV,FULLZ,DUMPS,LOGINS,TRANSFERS
[12:56] dskimmed2009: I Do bank transfer,western union transfer and paypal verified account transfer toooo
[13:12] robertsicili: How do you get login data?
[13:14] dskimmed2009: i hack from online banking with software
[13:14] dskimmed2009: i have boa,rbc,wamu,wachovia
[13:14] dskimmed2009: icici,hsbc,abbey
[13:37] dskimmed2009: u need banking software for bank login date?\
[13:38] robertsicili: if im to start a business of hacking data I want to know what to buy from you.
[13:38] dskimmed2009: yes man
[13:38] dskimmed2009: please give me ur western union infomations now ok
[13:38] dskimmed2009: with ur phone number
[13:39] robertsicili: and what will you do with my western union info?
[13:39] dskimmed2009: i want to send some money for u to cash it out and send it to me on my infos in ghana man ok

Now he wants my Western Union account data so he can send me money, so I can send his partner money in Ghana. He's beginning to try an "affinity" scam on me.

[13:39] dskimmed2009: one of my business patner man
[13:39] dskimmed2009: he is online now am talking with him
[13:40] dskimmed2009: so i want to give him us infos to send the money
[13:40] dskimmed2009: through money gramm
[13:40] dskimmed2009: becoz right now all the banks is close
[13:40] dskimmed2009: here in ghana now
[13:41] robertsicili: why do you want to send me cash?
[13:41] dskimmed2009: i want him to send the money to us country so that u cash it out send it to me here in ghana now man ok
[13:41] dskimmed2009: becoz right now all banks is close in ghana now ok
[13:44] robertsicili: OK so he sends me money and i send it back to you because the banks are closed?
[13:44] dskimmed2009: oh yes
[13:44] dskimmed2009: that is it my brother
[13:45] robertsicili: In the US we call that an "advanced fee" scam. At least thats what someone told me.
[13:46] dskimmed2009: okay then stop ok
[13:46] dskimmed2009: don't do it again ok
[13:46] dskimmed2009: we continue our business now

"Don't do it again," he tells me. Hilarious.

[13:47] robertsicili: I want to buy your software that hacks online banks. Tell me what it does and how much money it will cost me.
[13:49] dskimmed2009: it cost 1300$ for online banking software to hack bank logins both personal and company account
[13:51] robertsicili: tell me how it works, I want to undersyand the technology. Is it sql-injection, spyware? Password hacks, Phishing?
[13:52] dskimmed2009: 2 COMERSUS SOFTWARE WITHOUT BANK LOG IN AND BANK CREDIT CARD CODE ==========1000$
[13:52] dskimmed2009: 3 NEW WESTERN UNION HACKING BUG FOR WORLD WIDE TRANSFER ==========700$4 NEW PAYPAL LOG IN HACKWARE FOR HACKING FRESH PAYPAL ==========250$
[13:53] dskimmed2009: 7 NEW CREDIT CARD VALIDATOR FOR VALIDATING ANY FULL CC INFO ==========120$
[13:53] dskimmed2009: WESTERN UNION ONLINE SOFTWARE(WESTERN UNION BUG)VERSION 2009/2010PRICE:700$

I begin to get confused as he describes his process, because it makes no sense.

[14:22] robertsicili: explain to me me how it brings the infos and what the software hacks
[14:22] dskimmed2009: it will hack the bank u will choose on the list of the software processor
[14:23] dskimmed2009: then u will wait for 30 minutes for that bank u choose it's infomations
[14:23] dskimmed2009: every infomations that will appear within that 30 minutes if valid infomations
[14:25] dskimmed2009: It's not difficult to understand but if u understand i will be very happy man ok
[14:25] robertsicili: so the software is hacking the banks processor and getting consumer logins?
[14:28] dskimmed2009: it's like bank transfer
[14:36] robertsicili: explain how th bank transfer works?
[14:36] dskimmed2009: a'm worry about how u dont understand man
[14:36] dskimmed2009: infact its pains me

Too funny: "infact its pains me"

[14:36] robertsicili: Im skilled in software but want to understand how it works. is it a sql injection?
[14:38] robertsicili: if I am to spend thousands of dollars I needd to know how the tech nology works. you are selling hacking softeware but wont tell me how it works
[14:38] dskimmed2009: it will bring that bank u choose all its infomations will appear on it within that 30 minutes time man

None of this makes sense.

[14:40] dskimmed2009: u see someone's bank account
[14:40] dskimmed2009: he is from usa
[14:40] dskimmed2009: his account was hacked by the software last weeks monday
[14:41] dskimmed2009: 38k was withdraw from it by one of my costumer who come to buy the software man
[14:43] robertsicili: ok
[14:43] dskimmed2009: u see ?
[14:44] robertsicili: soft of. I think there mayt be a language barrier here
[14:45] dskimmed2009: what do u mean by that man?
[14:45] robertsicili: so the software gives me access to the server and shows the banks customers accounts?
[14:45] robertsicili: then I can withdraw from the account and make a transfer?
[14:46] dskimmed2009: oh yes man
[14:46] dskimmed2009: that is it
[14:46] dskimmed2009: u can make the transfer ur self to ur account either company or personal account

So I ask him how he hacks Paypal. It can't possibly be as easy as he claims.

[14:50] robertsicili: ok. how does it work with paypal?
[14:51] dskimmed2009: We have Verified and Non Verified Account
[14:51] dskimmed2009: just the id and the password
[14:51] dskimmed2009: we have ones with an empty balances and with ones with founds tooooo
[14:59] robertsicili: how does it work?
[15:00] dskimmed2009: for that one is not difficult man
[15:01] dskimmed2009: u will just put the id on it,it will show the password and the amount in the account

What? He says that his software just needs an account number and it shows the password? I smell a rat.

[15:01] dskimmed2009: then u transfer to ur bank account or ur paypal account or uur personal account or any of ur company accout man
[15:02] dskimmed2009: that'sall
[15:02] robertsicili: serious? you have software that will show a persons user ID and their passwords and whats in the account? How does it do that?
[15:03] dskimmed2009: the software self will show the password and the amount on it
[15:03] dskimmed2009: infact i have sell this to 2 costumers only
[15:03] dskimmed2009: it's too cost but simple to operate
[15:05] robertsicili: This sounds to good to be real. How can you prove this works before i send you money?
[15:05] guest-14953 entered the room
[15:06] dskimmed2009: i dont have any thing to show man

So he's got nothing. Or at least won't give up anything.

[15:07] dskimmed2009: if u are ready u go to send money now so that i send u the software man
[15:07] dskimmed2009: becoz with the software u will make alot of money
[15:07] dskimmed2009: and am going to do long term business with u for ever man
[15:07] robertsicili: if what you say is true then the entire banking and paypal security is non existent.
[15:08] dskimmed2009: so u must to trust me and to be honest with me that alll
[15:08] robertsicili: dude, i find it hard to trust in this situation.
[15:09] dskimmed2009: ok
[15:09] dskimmed2009: any way thanks for contacting me ok
[15:09] dskimmed2009: bye

I learned he wasn't much of a hacker, or at least didn't have a very good handle on his technology, or he just didn't want to tell me. But the mere fact that he is sitting in a hut or Internet café somewhere and communicating like this tells me someone somewhere has sent him money.

Protect yourself from scammers and hackers. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

And invest in identity theft protection. Not all forms of identity theft protection can be prevented, but an identity theft protection service can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses credit and debit card fraud on CNBC.

Profile of a real hacker

Robert Siciliano — Mon, 28 Dec 2009 21:09:55 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

The wild, wild web never ceases to amaze me. My daily routine includes a tremendous amount of research, keeping me on top of what's new in information and personal security. Every day, I spend about three hours simply "consuming" information via news alerts, feeds, and subscriptions, then breaking it down for others.

Recently, I was shocked to come across a website created by a self-declared "real hacker," advertising his services.

"I SELL CCV2,tracks+ ATM PIN,FULLZ, BANK LOGIN, BANK TRANSFER… PRICE FOR CCV us (visa or master)= 2$ us (amex or dis)= 3$ uk (visa or master)= 4$ uk (amex or dis )= 6$ US Amex 3 $ UK master/visa 6$ … All Our PayPa Acc Have Full Info And With Email Access and With All Security Answer . And With Orginal Ip And A Program For Fake Your System Ip To Orgina Ip For Full Access To PayPal Acc. Ebay Login : Fresh And Verified And Unlimited Ebay Account"

This guy is a "black hat hacker," a carder selling stolen credit card data, referred to as "fullz" and "dumps." His website includes live examples of his wares, including names, address, phone numbers, bank account numbers, credit card numbers, CCV2 numbers, Paypal account logins, you name it.

On his "Rates and Services" page, he states:

"We are a group of Ethical Hackers based in the Turkey but our staff comprises of Experienced hackers around the world, we have over the years strategically recruited the best hackers from the UK,USA,Russia,India,Philippians,Vietnam and Egypt.

Our policy is simple "making the world a better place by creating an equal balance" in other words, hack the rich and give to the poor, Robin Hood style

The way we do this is to sell Carding Stuff and hacking softwares and tools at really cheap prices so that everyone can afford it and also be able to hack.You can definitely be a hacker with our new approach tutorial. We can offer you pre-written tutorials but we will also allocate you your own specialist hacker, who you can add to your yahoo messenger and will give you a more hands on approach by teaching you everything you want to know over instant messenging.

We are ethical hackers and here to help not make money, we only charge because of the cost,time and effort involved in the services and products we offer.

Enjoy your stay and we hope we can help. Thank you!! :-"

And on his "About Us":

"GOOD HACKER WITH GOOD PRODUCE HIEN_HACK IS A GOOD HACKER WITH FRESH PRODUCE…ALL STUFFS HAVE THEIR PRICE AND ALL STUFFS GOT GOOD LIMIT AND GOOD BALANCE..WE HAVE MANY SOFTWARE FOR HACKING STUFFS…HE IS A GOOD HACKER AND NEVER RIPP HATE RIPPERS IN IS LIST…HE DO GOOD DEAL FOR LONG ….WITH GOOD CUSTOMER WHO IS READY TO HAVE GOOD DEAL…ANY THING U NEED CONTACT HIM AND HE WILL HELP GET ANY STUFFS…HE DO BANK TRANSFER FOR REAL AND WESTERN UNION TRANSFER,GOT FRESH CC ETC…TRY HIM AND YOU WILL BE HAPPY OF HIM….IF U NEED HIM JUST GO TO IS CONTACT AND GET IS YAHOO ID OR EMAIL ADDRESS ALSO HE HAVE IS NUMBER THERE CONTACT HIM AND CALL HIM FOR GOOD DEAL OKAY..BE FAST SO THAT STUFFS WILL NOT GET FINISHED….."

This is the epitome of scum. He and his band of delusional criminals have convinced themselves they are good and their victims are bad. Unfortunately, this is what we have to contend with. Hackers have been selling raw, stolen data to one another for a while now. But the fact that this type of underground activity is so prevalent that it's begun showing up in my Google News Alerts is alarming, and indicates that it isn't getting any better any time soon.

Most of the raw data being sold online is used for account takeover, but can also lead to new account fraud. In many cases, it's your own computer that's compromised, while other hacks target retailers or banks. Either way, you are ultimately responsible for the charges made in your name, unless you do something about it.

Check your bank and credit card statements frequently, and refute unauthorized charges within 60 days.
Be alert for phishing emails asking for personal information, credit and banking data, etc. These emails may appear to come from a trusted source, but look more closely and delete them if they are at all questionable.
Install Internet security software, and keep it updated. If your computer becomes infected with a virus that allows it to be controlled remotely, a criminal can access all your important files and financial data.
Get a credit freeze at ConsumersUnion.org. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
Invest in identity theft protection. Not all forms of identity theft can be prevented, but an identity theft protection service can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses credit and debit card fraud on CNBC.

2010 Identity Theft Resource Center predictions

Robert Siciliano — Fri, 18 Dec 2009 22:45:00 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

I've joined forces with the Identity Theft Resource Center to expand the pool of knowledge about identity theft issues. As nationally recognized experts in this crime, we have come up with ten predictions for what the nation can expect in the area of identity theft in 2010 and beyond.

1. More Scams: The recession will lead to more scams. Whenever our nation has faced a difficult time, thieves have found a way to use the problem to their advantage. In my adult life, I've never seen more variations of old scams and the degree of sophistication in newer scams.

2. Job Scams: Criminals will take advantage of increasing unemployment rates by tricking desperate people searching for job listings. These fake job listings and work-at-home scams will eventually end with the job seeker providing Social Security numbers to criminals. If the job description is not one that you would see printed on a business card or you are asked to front money, it's a scam.

3. Newbie Low Tech "Desperate" Identity Theft: Additionally, there will be an increase in the number of individuals – who have no criminal history – beginning to explore the crime of identity theft for financial gain. For these thieves, it will be about quick money. Once desperate people max out their credit limits and wreck their own credit histories; they will start to use Social Security Numbers that they can easily access.

These new identity thieves will take advantage of low tech methods – stealing credit card numbers, dumpster diving, making phone calls, or phishing for credit card numbers. These techniques may also include placing ads in auctions and Craigslist for phantom products for sale to get either credit card numbers or cash.

4. All-in-the-Family ID Theft: Desperation will lead to more child identity theft and "all-in-the-family" cases, as well as the fraudulent use of numbers belonging to close friends, roommates and fellow workers. It has long been documented that a significant percentage of identity theft cases are perpetrated by people close to the victim. We predict that this number will increase during these tough economic times.

5. Child Identity Theft: The ITRC has noted that nearly 10 percent of its case load, for the past six months, involved child identity theft issues. These cases often involve more varied components of identity theft than ever before. Some people have finally realized that a child's SSN can be used for more than just opening a line of credit.

6. Medical Identity Theft: While not a new crime, this will reflect the distress of those who have become unemployed. High COBRA premiums, growing individual medical insurance costs, or the inability to afford insurance or medical care will cause a spike in this area of identity theft. The Social Security Administration has noted an increase in uninsured people using the coverage of a friend, relative or even a stranger to get medical care.

7. Insider Identity Theft: In the coming year, this will increase due to the failure to follow simple security protocols in the workplace. This will create opportunities for thieves to gain access to personal identifying information retained in databases or paper files. Additionally, the lack of computer security measures and the increasing skill levels of hackers will lead to larger and more financially harmful breaches. Although a few sophisticated hackers have been arrested recently, these large, extremely damaging hacking events will continue to occur. These thieves are educating young protégées on high tech methods to access "secured" information and will likely continue to coordinate malicious attacks from their jail cells.

8. Governmental Identity Theft: More individuals will discover that they have become identity theft victims as they apply for government assistance and/or benefits. Not only will their own SSNs be used, but they may be temporarily denied benefits due to the use of their child's SSN, which has been used fraudulently. This type of identity theft, identified as "Governmental Identity Theft," may be associated with complications with the IRS, Social Security Administration, Departments of Motor Vehicles, Medicare and Welfare.

9. Criminal Identity Theft: The number of cases of criminal identity theft will continue to grow. This type of crime is defined as the use of an individual's personal information to avoid being tied to their own criminal record. In the current environment, the effects of criminal identity theft on the victims will be more apparent with the loss of employment, loss of benefits and the increased number of arrests of victims ranging from failure to appear warrants for traffic citations all the way to felony level crimes. Criminals will continue to exploit the weaknesses of the current system and revictimize the individual whose information has been used.

10. Social Media Identity Theft: The meteoric rise in social media use has also created a launch pad for identity thieves. Social media identity theft happens when someone hacks an account via phishing, creates infected short URLs or creates a page using photos and the victims identifying information. My prediction for 2010 is that the increase in social networking activity, along with a user's failure to implement security and privacy settings and protocols, will lead to an increased exposure of not only the user's personal information but possibly that of their "friends."

Bottom line, there will be an increase in identity theft crimes and the number of victims over the next two years unless significant changes are made in information security. Our most important asset is our identity. And we are functioning under a completely antiquated system of identification with wide open credit and few safeguards to protect the consumer. When state governments agree with federal agencies on effective identification and industry comes together, not to profit from the problem but to solve it, only then will we prevail.

Protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in identity theft protection. Not all forms of identity theft can be prevented, but an identity theft protection service can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses social media identity theft on Fox Boston.

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

My Craigslist ATM causes industry stir

Robert Siciliano — Thu, 17 Dec 2009 00:33:21 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Apparently I raised a hackle or two. Seems my little stunt got the attention of industry insiders, and not all of them believe that I bought a used ATM on Craigslist, which turned out to contain thousands of credit card numbers. Well, it did actually happen, and despite what many say, that the ATM couldn't have contained 16-digit credit and debit card numbers on it, it did.

The most intense resistance to my experiment came from one Boston cop who watched me plant this thing in Downtown Crossing. He crossed his arms, glared at me, and when I walked away from the ATM, asked what I was doing. When I told him, he yelled for the women who were already using my ATM to stop, then took down my information while screaming at me. He later told me that his main concern was the possibility that the ATM might have contained a bomb!

According to ATMmarketplace.com, the ATM industry is braced for a backlash in the face of security concerns. There should be a backlash. We definitely need some regulation as to who can or can't buy an ATM. And according to Mike Lee, the chief executive of the ATM Industry Association, "while ATMIA does not condone the auctioning of ATMs, online or otherwise, the association has little control over how they are sold."

Personally, I think that the association needs to start establishing some control, and throwing your hands up in the air is lame. Both eBay and Craigslist have prohibited certain items. Why can't I buy an old credit card off eBay, but I can buy an ATM with thousands of credit and debit card numbers on it? I can't buy a "traffic signal control device" off eBay either. Because someone recognized in the wrong hands, the device can wreak havoc.

James Phillips, director of North American sales for ATMGurus, a Triton company, says that "an ATM that has old software or one that retains card numbers does not provide enough information for the owner to compromise consumer accounts," but that my experiment still "has the potential to be so damaging to the industry's reputation." First of all, a 16-digit number is enough to turn data into cash. Even without a PIN, the 16-digit number can be used to buy goods online, or encoded on a blank card to buy goods in a store. This is why Visa and MasterCard require new software to block out the numbers. Second, Jim, you're right, this is damaging. So please, fix it, and don't allow lame excuses. And my machine is a Triton 9100. She's a beauty by the way. Works nice off a 12-volt car battery, too.

Wendy Amaral, an account manager at Nationwide Money Services, says that while it's possible that some companies could provide processing without collecting the required background information about the ATM owner, Visa, MasterCard, and other financial institutions are firm about the rules, and that audits are unlikely but possible. I think "possible audits" sounds like another cop out. For those of us who use ATMs, the idea that we are protected by "possible audits" is a slap in the face.

George McQuain, chief executive of ATM ISO Global Axcess Corp., which provides ATM processing, says he's skeptical that I was able to set up my ATM for processing without a background check or even any questions. I haven't revealed the processors who agreed to set up my ATM because they seemed to be small shops, and I don't intend to destroy their livelihoods in my attempt to point out the inadequacy of the industry's regulations. But the first processor set me up over the phone, and all I had to do was fill out a PDF and fax it back. The second showed up to my house in a pickup truck to service the ATM in my garage.

McQuain also says that it is rare for an ATM to have such outdated software that it would allow the owner to print so much customer information. But it was easy for me to find one. And even when they are replaced with newer models, where do they go? Where does the data go? I'll tell you. On Craigslist, and then to the criminals.

There have been tons of reports on my story:

You can protect yourself from ATM scams by paying attention to your statements and refuting unauthorized transactions within 60 days. Consider never using a debit card again, since credit cards are safer. When using an ATM, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the machine's appearance, such as wires, double sided tape, error messages, a missing security camera, or if the machine seems unusually old and run down, don't use it. Don't use just any ATM. Instead, look for ATMs in more secure locations. Cover your pin!

And invest in identity theft protection. Not all forms of identity theft can be prevented, but an identity theft protection service can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, rolls an ATM around on Fox.

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Laptop insecurity leads to identity theft

Robert Siciliano — Tue, 15 Dec 2009 01:53:28 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

In 2003, an estimated 1.5 million laptops were stolen worldwide. Today, that number has climbed to 2.6 million. That's a 70% increase in just a few years. That's one stolen laptop every 12 seconds.

Laptop computers have been the source of some of the biggest data breaches of all time. 800,000 doctors were recently put at risk for identity theft when a laptop containing their personal data went missing from the Chicago-based Blue Cross and Blue Shield Association.

As the years pass, laptop prices come down and their computing power goes up, making them increasingly vulnerable.

According to yet another interesting Ponemon Institute study, more than half of IT and security professionals worldwide believe their companies' laptops and other mobile devices pose security risks, and only half of them have CEOs who are strong advocates and supporters of data security efforts. Kelly Jackson Higgins' article at Dark Reading gives a good summary of these findings.

In the United States specifically, the situation is even worse, with only 40% of IT and security pros believing their CEOs to be security supporters. When it comes to compliance with regulations, "US firms were also less inclined to consider compliance helpful to security of their endpoints."

This report is both quite troubling and yet unsurprising. It models the philosophies that produce what we see in the real world: data breaches are quite commonplace, decent security is quite achievable, and most businesses just don't really care, at least until they learn the hard way. It's akin to a widespread lack of interest in wearing seat belts, with only those who experience accidents deciding that, sure enough, it's not very hard to buckle a seat belt and the benefits are enormous.

Many businesses have a department, or at least a group or individual, that handles security. (Note that the report also exposes a woeful lack of collaboration with this section of the business.) Yet "the security department," or the IT department in general, tends to find that upper management just doesn't "buy in" with security efforts.

Dan Yost, Chief Technology Officer of MyLaptopGPS, states, "It seems good to let the upper management take a serious fall when (not if) breaches happen. They choose not to support the buckling of seat belts, because it's 'not important' or at least not a priority. It's only fair that their necks be on the line during the next 'accident'."

Unfortunately your security, or lack thereof, is in the hands of others. Take control. Protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

And invest in identity theft protection. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses laptop security on The Today Show.

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Tips for secure online holiday shopping

Robert Siciliano — Fri, 11 Dec 2009 20:46:44 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

UK officials shut down more than 1,200 online retailers who scammed millions from unsuspecting shoppers. Most of the sites, which appeared to be legitimate retailers selling jewelry and other high end items from brands such as Tiffany & Co. and UGG Australia, were created by identity thieves in Asia. When victims entered their credit card data or bank details, or sent checks, their money was stolen. Some victims did receive counterfeit versions of the merchandise they ordered, while others were left with nothing. Nobody responsible for the fake websites has been caught.

Criminals who set up fake websites go through the same process as legitimate online retailers, using search engine optimization and marketing, and online advertising via adwords. They use keywords to boost their rankings on Internet searches, which means they show up alongside legitimate sites. These same techniques are being used to infect victims' computers with malicious software. Many victims are lured to scam websites after recieving phishing emails offering high-end products for low prices.

It's easy enough to avoid spoofed websites when phishing is the gateway. Common sense says to automatically be suspicious whenever you recieve an unsolicited offer through email. The same goes for offers recieved through tweets or other social media messages. Scammers commit social media identity theft every day.

If you aren't familiar with a particular online retailer, don't even bother clicking the links, especially if an offer seems too good to be true. And if the email does come from a known website, make sure the address is legitimate before clicking on a link. Beware of cybersquatting and typosquatting, which trick you into believing you're headed to a legitimate site.

When placing an order, look for "https" and an image of a closed padlock in the address bar, signifying that it's a secure page. Scammers don't generally bother to set up secure sites.

Beware of emails coming from eBay. I've been getting ten a day lately. It's difficult to tell if these are real or fake, and you may be directed to a spoof of the eBay website. If you're looking for deals on eBay, disregard emails and go directly to the site. You can use the search function to look for deals that were advertised in emails. And when you do decide to make an eBay purchase, check out the seller's history. eBay works based on an honor system, and if the seller has a pattern of great feedback, they are probably legitimate.

Pay close attention to your credit card and bank statements. Check them at least once every couple of weeks, and refute any unauthorized charges within two billing cycles. Don't use debit cards online, since they offer less protection and more liability than credit cards. And avoid paying buy check, since it's difficult if not impossible to put that money back into your account once it's gone.

Do business with people or companies you know, like, and trust. On occasion, I do buy from online retailers with the best deals, but only cheaper items, generally under $50.00. When I'm buying something more expensive, I stick to companies that also have brick and mortar locations.

Invest in identity theft protection. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses holiday scams on Fox's Mike and Juliet Show.

[youtube]http://www.youtube.com/watch?v=Ixn26vVTfns[/youtube]

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Holiday temps make the best scammers

Robert Siciliano — Wed, 09 Dec 2009 23:42:23 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

This is the absolute best time of the year to be a dishonest temporary worker. Holiday hustle and bustle overwhelms managers and supervisors and they can't possibly see everything their employees are doing. It has been said that only 10% of employees are honest, 10% of employees will always steal and 80% will steal based on circumstances. Hiring temps during the holidays becomes the perfect storm for employee theft.

Estimates reveal that 40-50% of all business losses are due to employee theft. Employers need to first vet potential hires so as not to invite a thief into the workplace.

Prescreening

Either use a prescreening service or become a master interviewer. Watch for incongruities.
Resumes are often "false advertising," sometimes including outright lies. Look for red-flags and exaggerations.
Appearance is telling. To be disheveled and unkempt at an interview is a reflection of one's character.
Interviewees who are well-spoken and ace the interview process may have had lots and lots of jobs.
Use employment applications, and check and verify everything.
Background checks are only one small, but necessary, element of the screening process.
Criminal records checks are insufficient and do not detect employee theft unless prosecuted and convicted.
Juvenile convictions do not show on a criminal records check.
Drug and alcohol testing.
Reference checks.
Credit reports.
Physical exams.

Hire honest people.

Honest people live by the golden rule, "Do as to others as you would have them do unto you." Honest people see stealing as demeaning. Honest people believe in karma. Honest people think of the consequences of their actions over a lifetime, not just in the moment. Hire honest people.

Perception is reality.

Assume that after an apparently honest person has been hired, there is still potential for stealing to begin. Orientation is the first place to discourage this behavior. Policies must be openly discussed. Employees are shown aspects of loss prevention and physical security in place. They are further told incidences of theft will be prosecuted under the fullest extent of the law. They are reminded that previous employees were caught and the expenses in fines and to lawyers in a criminal defense cost far more than the goods or cash that were stolen. In Singapore, Iran, Saudi Arabia, they put an average of 500 people a year to death for various nonviolent crimes. That's perception equaling reality.

Understand the theft probability equation.

Chance of getting caught + consequences of action taken = Level of risk & probability of theft.

Low risk: high probability of theft
High risk: low probability of theft
A reputation for non-action breeds theft. If you fire thieves without prosecution, you will hire thieves in the future.

Increase technology to reduce threats.

ComputerWorld suggests bolstering physical security around temporary cash registers and handheld scanners. It's easy to install a card-skimming device on a satellite register. Install additional video cameras to monitor the use of such devices.

Review log data daily. System and transaction logs can reveal a lot of information about the security of a payment system. Check them daily for red flags.

Implement "hard" firewall policies. Use a white list of known good addresses to preclude the possibility of card and payment data going anywhere outside the enterprise firewall except to your payment processor.

For your own personal security, protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

And invest in identity theft protection. Not all forms of identity theft protection can be prevented, but an identity theft protection service can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses holiday scams on Fox's Mike and Juliet Show.

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Twelve Scams of Christmas (part 4)

Robert Siciliano — Tue, 08 Dec 2009 00:54:04 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

As cybercriminals begin to take advantage of the holiday season, McAfee has revealed "The Twelve Scams of Christmas," the most dangerous online scams that computer users should be cautious of this holiday season. According to Consumer Reports' 2009 State of the Net Survey, cybercriminals have bilked $8 billion from consumers in the past two years, and McAfee warns consumers not to fall victim to the top scams this year.

Since I'm on McAfee's Consumer Advisory Board, I'm advising you to beware of the following scams.

Scams 1-9 are here, here, and here.

10. Password Stealing Scams

Password theft is rampant during the holidays, as thieves use low-cost tools to uncover a person's password and send out malware to record keystrokes, called keylogging. Once criminals have access to one or more passwords, they gain vast access to consumers' bank and credit card details and clean out accounts within minutes. They also commonly send out spam from a user's account to their contacts.

11. E-Mail Banking Scams

Cybercriminals trick consumers into divulging their bank details by sending official-looking e-mails from financial institutions. They ask users to confirm their account information, including a user name and password, with a warning that their account will become invalid if they do not comply. Then they often sell this information through an underground online black market.

McAfee Labs believes cybercriminals are more actively scamming consumers with this tactic during the holidays since people are monitoring their purchases closely.

12. Your Files for Ransom – Ransomware Scams

Hackers gain control of people's computers through several of these holiday scams. They then act as virtual kidnappers to hijack computer files and encrypt them, making them unreadable and inaccessible. The scammer holds the user's files ransom by demanding payment in exchange for getting them back.

McAfee advises Internet users to follow these five tips to protect their computers and personal information:

Never Click on Links in E-Mails: Go directly to a company or charity's Web site by typing in the address or using a search engine. Never click on a link in an e-mail.

Use Updated Security Software: Protect your computer from malware, spyware, viruses and other threats with updated security suites. McAfee^® Total Protection software provides fully-featured protection from current and emerging threats. It also comes built in with McAfee SiteAdvisor® technology, a safe search toolbar to warn consumers of a Web site's safety rating as well as phishing protection. It uses intuitive red, yellow and green checkmarks to rate potentially dangerous Web sites when searched on Google, Yahoo! or Bing.

Shop and Bank on Secure Networks: Only check bank accounts or shop online on secure networks at home or work, wired or wireless. WiFi networks should always be password-protected so hackers cannot gain access to them and spy on online activity.

Also, remember to only shop on Web sites that begin with https://, instead of http://, and seek out Web sites with security trustmarks, like McAfee SECURE^™.

Use Different Passwords: Never use the same passwords for several online accounts. Diversify passwords and use a complex combination of letters, numbers and symbols.

Use Common Sense: If you are ever in doubt that an offer or product is not legitimate, do not click on it. Cybercriminals are behind many of the seemingly "good" deals on the web, so exercise caution when searching and buying.

If you think you may be a victim of cybercrime, visit McAfee's Cybercrime Response Unit to assess your risks and learn what to do next at www.mcafee.com/cru.

Get a credit freeze. Go online now and search "credit freeze" or "security freeze" and go to ConsumersUnion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. And invest in identity theft protection. Not all forms of identity theft can be prevented, but an identity theft protection service can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses Cyber Monday on Mike and Juliet.

[youtube]http://www.youtube.com/watch?v=Ixn26vVTfns[/youtube]

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Twelve Scams of Christmas (Part 3)

Robert Siciliano — Sat, 05 Dec 2009 00:44:28 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Since I'm on McAfee's Consumer Advisory Board, I'm advising you to beware of the following scams.

Scams 1-6 are here and here.

7. Christmas Carol Lyrics Can Be Dangerous – Risky Holiday Searches

During the holidays, hackers create fraudulent holiday-related websites for people searching for a holiday ringtone or wallpaper, Christmas carol lyrics or a festive screensaver. Downloading holiday-themed files may infect one's computer with spyware, adware or other malware. McAfee found one Christmas carol download site that led searchers to adware, spyware and other potentially unwanted programs.

8. Out of Work – Job-Related E-mail Scams

The U.S. unemployment rate recently spiked to 10.2 per cent, the highest level since 1983. Scammers are preying on desperate job-seekers in the poor economy, with the promise of high-paying jobs and work-from-home moneymaking opportunities. Once interested persons submit their information and pay their "set-up" fee, hackers steal their money instead of following through on the promised employment opportunity.

9. Outbidding for Crime – Auction Site Fraud

Scammers often lurk on auction sites during the holiday season. Buyers should beware of auction deals that appear too good to be true, because often times these purchases never reach their new owner.

Stay tuned for the final three scams of the season. And in the meantime, protect your identity.

Robert Siciliano, identity theft speaker, discusses viruses in Christmas gifts on FOX News.

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Twelve Scams of Christmas (Part 2)

Robert Siciliano — Fri, 04 Dec 2009 00:36:40 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Since I'm on McAfee's Consumer Advisory Board, I'm advising you to beware of the following scams.

Scams 1-3 are here.

4. The Dangers of Holiday E-Cards

Thieves cash in on consumers who send holiday e-cards in an effort to be environmentally conscious. Last holiday season, McAfee Labs discovered a worm masked as Hallmark e-cards and McDonald's and Coca-Cola holiday promotions. Holiday-themed PowerPoint e-mail attachments are also popular among cybercriminals. Be careful what you click on.

5. "Luxury" Holiday Jewelry Comes at a High Price

McAfee Labs recently uncovered a new holiday campaign that leads shoppers to malware-ridden sites offering "discounted" luxury gifts from Cartier, Gucci, and Tag Heuer. Cybercriminals even use fraudulent logos of the Better Business Bureau to trick shoppers into buying products they never receive.

6. Practice Safe Holiday Shopping – Online Identity Theft on the Rise

Forrester Research Inc. predicts online holiday sales will increase this year, as more bargain hunters turn to the web for deals. While users shop and surf on open hotspots, hackers can spy on their activity in an attempt to steal their personal information. McAfee tells users never to shop online from a public computer or on an open WiFi network.

Stay tuned for the rest of the season's top scams. And in the meantime, protect your identity.

Robert Siciliano, identity theft speaker, discusses Black Friday and Cyber Monday on FOX Boston.

[youtube]http://www.youtube.com/watch?v=uElaJirHSI8[/youtube]

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Twelve Scams of Christmas (Part 1)

Robert Siciliano — Wed, 02 Dec 2009 22:21:17 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

"Cybercriminals' use their best schemes during the holidays to steal people's money, credit card information, social security number and identity," said Jeff Green, senior vice president of McAfee Labs. "These thieves follow seasonal trends and create holiday-related websites, scams and other convincing e-mails that can trick even the most cautious users."

Since I'm on McAfee's Consumer Advisory Board, I'm advising you to beware of the following scams.

1. Charity Phishing Scams – Be Careful Who You Give To

During the holiday season, hackers take advantage of citizens' generosity by sending emails that appear to be from legitimate charitable organizations. In reality, they are fake websites designed to steal donations, credit card information, and the identities of donors.

2. Fake Invoices from Delivery Services to Steal Your Money

During the holidays, cybercriminals often send fake invoices and delivery notifications appearing to be from Federal Express, UPS, or the U.S. Customs Service. They email consumers asking for credit card details to credit back the account, or require users to open an online invoice or customs form to receive the package. Once completed, the person's information is stolen or malware is automatically installed on their computer.

3. Social Networking – A Cybercriminal "Wants to be Your Friend"

Cybercriminals take advantage of this social time of the year by sending authentic-looking "New Friend Request" emails from social networking sites. Internet users should beware that clicking on links in these emails can automatically install malware on computers and steal personal information.

Stay tuned for the rest of the season's top scams. And in the meantime, protect your identity.

Robert Siciliano, identity theft speaker, discusses Christmas scams on Mike and Juliet.

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

MIT says handing over your identifying data protects you

Robert Siciliano — Mon, 30 Nov 2009 22:14:41 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Identity is a simple concept that has become a complex problem. It has become complex due to fraud. Fraud, motivated by money and the ease of obtaining credit and taking over an account. Because identity has yet to be effectively established, anyone can be you.

Currently, identity is generally established when a person provides a single source of data such as a Social Security number, password, credit card number and so forth. Complicating things further, in the U.S. we have as many as 200 forms of ID circulating from state to state, plus another 14,000 birth certificates and 49 versions of the Social Security card. We use "for profit" third party information brokers and the lowly vital statistics agency that works for each state to manage the data.

According to a new proposal in New Scientist, our digital identities will be more secure if they are based on data from our everyday life, culled from cell phones and online transactions. The idea comes from the Massachusetts Institute of Technology's Human Dynamics Laboratory. The lab is a pioneer of "reality mining," which is the practice of studying how people behave by using the crumbs of digital data our actions produce.

Reality mining is "what you do and who you do it with." Or in MIT-over-my-head-speak: "Reality Mining defines the collection of machine-sensed environmental data pertaining to human social behavior. This new paradigm of data mining makes possible the modeling of conversation context, proximity sensing, and temporospatial location throughout large communities of individuals. Mobile phones are used for data collection, opening social network analysis to new methods of empirical (information gained by means of observation) stochastic (random) modeling."

Even Google can't define the word "temporospatial." Find it. I dare you.

The research is based on the use of mobile phones to provide insight into individual and group behavior. They captured communication, proximity, location, and activity information from 100 subjects at MIT over a year. This data represents over 350,000 hours (~40 years) of continuous data on human behavior. Some of the research questions include:

How do social networks evolve over time?
How predictable are most people's lives?
How does information flow?

The idea is to capture and harness all this information that represents "what you do and who you do it with." Managing this would consist of the creation of a central body, supported by a combination of cellphone networks, banks and government bodies. The bank, being one of the supporters, could provide "slices" of data to third parties that want to check a person's identity.

This is different than "who you are and what you know." Currently, positive ID is only possible by using a biometric. A biometric can be either static (anatomical, physiological) or dynamic (behavioral). Examples static biometrics include your iris, fingerprint, face, and DNA. Dynamic biometrics include your signature gesture, voice, keyboard, and perhaps gait. Also referred to as something you are. Verification is used when the identity of a person cannot be definitely established. Technologies used provide real time assessment of the validity of an asserted identity. We don't know who the individual is but we try to get as close as we can to verify his or her asserted identity. Included in this class are out of wallet questions, PINS, passwords, tokens, cards, IP addresses, behavioral based trend data, credit cards, etc. These usually fall into the realm of something you have or something you know.

Currently, identity isn't established. There is no accountability. That's why we have identity theft. Anyone can become you just by saying so. In the meantime, until the big heads at MIT figure this out, protect your identity.

Invest in identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses Social Security numbers on Fox News.

[youtube]http://www.youtube.com/watch?v=fqoHSACQ34U[/youtube]

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Hackers indicted for jacking Comcast

Robert Siciliano — Wed, 25 Nov 2009 22:00:32 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

A single hacked email address led to the defacement of Comcast's homepage. When the hackers called Comcast's technical contact to let him know that the Comcast homepage and all 200 Comcast domain names were vulnerable, he hung up on them.

It has not been disclosed how the email was compromised, but there are many ways it could be. According to the indictment, the hackers got control of the domain with two phone calls, and an email was sent to the company's domain registrar, Network Solutions, from a hacked Comcast email account. That gave them entry to the Network Solutions control panel for Comcast's 200 domains.

The hackers, 19 and 20 at the time, known as Defiant and EBK from a group calling themselves Kryogeniks, scrawled, "KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven" across Comcast's homepage after they were rebuffed by Comcast's technical administrator. Their one mistake was changing the contact information for the Comcast.net domain to Defiant's email address. Not a smart move from these brilliant hackers.

One method of compromising email accounts is simply going to the "forgot password" section of your email provider's website and responding to a preselected personal question that you answered when signing up for the account. With a little research, the hacker has a good shot at finding the correct answer. Some of the current questions could be answered using information found on a user's social networking profile, or through a website like Ancestry.com or Genealogy.com

I suggest that you check out the "forgot password" section on your own web-based email account, to see your current personal question. If it's easy to answer, or would only require a little research to solve, update the question with one that you create based on opinion, as opposed to fact.

You should also beef up your password. Combine uppercase and lowercase letters, as well as numbers. Don't use consecutive numbers, and never use names of pets, family members, or close friends.

Get a credit freeze. Go online now and search "credit freeze" or "security freeze" and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

And invest in identity theft protection. While not all forms of identity theft can be prevented, an identity theft protection service can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses hacked email on FOX & Friends.

[youtube]http://www.youtube.com/watch?v=WlD8Nu9nmCc[/youtube]

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Handwritten signature is inadequate authorization

Robert Siciliano — Mon, 23 Nov 2009 20:25:08 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Ever forge your husband's signature? Wife's? Parent's? Client's? Do you think the clerk behind the counter at Walmart is skilled in handwriting analysis? I've always viewed a signature as a totally ridiculous form of authentication and a total waste of my time. Signing my name has always been burden and a frustrating task.

Nobody seems to know when a handwritten signature became a form of authorization. From what I can gather, it seems the modern signature was born when kings signed declarations. Eventually, villagers began signing their names to acknowledge accountability. So the signature was born during a time when we had kings and queens, moats, wizards, and dragons. And we continue to rely on this today. Not too smart.

My signature has evolved from a time intensive, physically demanding, well thought out, legible spelling of my first name, middle initial, and last name, to a first initial, middle initial and last name, then to a quick scribe of what might look like an R, and S, and a squiggly line in place of my last name. Today, my signature tends to be a straight line. Who the heck came up with electronic signature pads? Stupid!

Between my driver's license, credit cards, checks, e-signature pads, and whatever contracts I fill out on a yearly basis, my signature is completely different on each document. Total inconsistency.

I spoke with Robert Baier, a forensic document examiner and handwriting analysis expert, and told him about my inconsistent signatures. Between his facial expression, shaking head and other body language, and his verbal response, I got the message that this is a bad thing. Bob is what I call the "Document Whisperer." He has savant-like talents and can size a person up by their signature. Which means I probably disturb Bob.

I don't really care about a signature. I don't know if it's because I find handwritten signatures so ridiculous or because I'm lazy with this task. The fact is, a handwritten signature provides zero proactive security. The way I see it, signing your name to any document ultimately assigns liability. If someone signs your name to a check and you call the bank and say it wasn't you, they look at the signature and determine whether it's yours or not. From there they assign liability. That's dumb.

Other than at the teller line, most banks don't actually view signature cards until there's a problem. Same with credit card issuers etc. There are a few companies that actually have given validity to the handwritten signature. One such company is Orbograph, an image-based fraud detection company north of Boston that actually looks at previous signatures and recognizes potential document fraud before loss occurs. If we are going to rely on signatures, this type of technology needs to be implemented everywhere.

Many smaller credit card purchases no longer require a hand written signature. Visa recently announced it would mandate a move to chip and PIN technology for all Australian Visa cardholders over the next four years, with signatures no longer accepted at the check-out by 2013. This means all card holders will have a password, as opposed to a signature.

Even though passwords aren't all that secure to begin with, a signature is even less secure, unless of course we provide the signature some credibility by implementing image-based fraud detection system-wide, or putting guys like Bob in a booth in every business district on the planet to review the legitimacy of the signature. That ain't happening. Yet we have plenty of coffee shops on every corner. Seems like our priorities are a bit skewed.

Because the system is insecure, you must protect your identity.

And invest in identity theft protection. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft expert, discusses security issues on TBS's Movie and a Makeover.

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Introducing Carlisa, our Online College student

Carlisa — Thu, 19 Nov 2009 01:11:26 +0000

I'm a new "blogger" and like most people today, I had personal goals and dreams that changed as life happened around me. In this blog, I invite you to follow along in my journey of getting an online college degree through AIU (American Intercontinental University).

I graduated high school in Alabama in 1979 (OMG, I just realized, it's been 30 years!). To make long story short, "Life Happened". I met a guy, got married, had children, became a gymnastics/ballet/girl scout/soccer mom, a Sunday school teacher, and worked in various radio stations.

Jump ahead 27 years. I'm now divorced, my kids are grown and I have 2 grandchildren. The state of the economy caused the group of radio stations that I worked with to downsize, so I lost my job. I moved to Georgia to be near my parents and tried desperately to find another radio job. In my attempt to find "work" I saw the same requirements, over and over. It was quite apparent that to get a good job – a career – I needed to get a Bachelors Degree. All of a sudden I realized that the ringing in my ears was actually my dad's voice in my head – something about having a "back-up plan"!

The thought of going back to school seemed crazy, but exciting! I mean, I barely graduated high school (again, 30 years ago!). I'm not a particularly "scholarly" person and just couldn't imagine myself being able to follow through. Plus, I'll be turning 50 on my next Birthday. "Is there really any sense in getting a college degree at this age", I asked myself. Also "isn't college expensive"? But everywhere I looked, there were ads enticing me "Moms, Go Back to School"! All the talk about getting government grants, student loans and scholarships to further my education peaked my interest.

My first step was to start researching all the possibilities. I'm not one to make quick decisions. I had to do a lot of investigating and compiling and comparing of information. It turns out that I was indeed eligible for grants, scholarships and student loans. I started calling area schools and researching the many online college and "brick and mortar" college options. I took lots of notes as I asked loads of questions and compared the details for all the colleges that I was considering. My phone was ringing off the hook as admission advisors were constantly calling me back trying to win my enrollment.

I weighed the pros and cons of being in an actual classroom with other students for classes, vs being at home alone with my computer for online classes. There were many decisions to be made. In my next blogs, I'll walk you through getting into AIU and my online college experiences.

Money mules facilitate identity theft and fraud

Robert Siciliano — Wed, 18 Nov 2009 22:13:38 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Mules are relatively unaware people who get hooked into a "small business" or employment that is a function of a criminal enterprise. The mules often respond to "help wanted" ads from online job placement sites. Shipping scams are a common tactic criminals use in which they employ mules to receive goods bought with stolen credit card numbers, who then ship to people who buy them in online auctions. The mules in this process are essentially facilitating selling hot goods and money laundering.

An RSA study revealed laptops, iPods, iPhones, Nokia smartphones, digital cameras, Sony PlayStation 3 devices, and DJ equipment were among the items shipped to addresses in Russia and Belarus. RSA estimates that more than $36,000 worth of merchandise was cashed out every month before one scam ended earlier this year.

These scams generally have a virtual store front posing as a shipping company, giving the ruse a legitimate appearance. The efficiency of money mule operations has increased due to the amount of money being generated from data breaches and scams.

There have been dozens of significant data breaches over the past few years, in which millions of credit card numbers have been compromised. Once the data is in the hands of a criminal, they scheme to turn it into cash.

Credit card numbers are often bought and sold by "carders" who sell thousands of cards numbers for pennies each. In many cases when a PIN is present the criminal hacker will use the card number as a debit card at any ATM.

But when turning the data into cash isn't so easy, they will burn the data to a white card and make in store purchases using mules. That can sometimes be a slow and riskier process. Recently, fake shipping scams have proven to be a profitable model that involves leveraging hundreds of naive people.

The mules are often baited into setting up bank accounts that the criminal controls. These bank accounts will be set up under the name of the mule to avoid detection and generally programmed to transfer money overseas in increments of less than $10,000 to avoid detection.

Most mules end up pulling money out of their pockets to front shipping costs with the promise of a big payoff. In the end the mule is often bilked and ends up with an empty bank account.

These scams hurt a lot of people. The banks and retailers lose because money and goods go out the door. The mules often end up losing thousands. And worse, many organized criminals are associated with terrorists groups who use the money to fund violence.

If the credit card companies and banks would adopt widely available technologies that make the data useless to the thief in the form of effective authentication of the user, then none of this would be happening. But until the industry changes its ways, they will keep tossing fuel on the fire.

Generally my readers don't need to be told the following, but maybe someone you know is naive enough to fall for one of these ruses. So keep in mind, if you are looking for a job online and see "shipping manager" or "buy and sell products on eBay with no inventory or money" or anything involving virtual transactions that involves shipping any thing overseas, then chances are it's a scam. Also, never be suckered into opening a bank account that you don't control. That's just plain dumb.

And protect your identity by investing in identity theft protection. While not all forms of identity theft can be prevented, identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses money mules on Fox News.

[youtube]http://www.youtube.com/watch?v=WtBLu4WxsYY[/youtube]

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Used ATM contains thousands of credit card numbers

Robert Siciliano — Mon, 16 Nov 2009 22:43:31 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

After the DefCon ATM debacle, in which hackers hacked hackers by setting up a fake ATM in front of the facility's security office, I needed to find out how stupidly easy it is to buy and install an ATM. So my search began.

I found plenty of new and used ATMs at prices ranging from $500 to $2500 on eBay, but quickly decided that I didn't want to pay another $300 for shipping. Next was Craigslist, where anyone can rent an apartment, buy a boat, get an erotic massage, or buy an ATM.

I quickly found an ad from a bar north of Boston. They were selling pool tables, neon Budweiser signs, and an ATM. I took my hacker friend with me to meet Bob, who lived above the bar and was taking care of the sale on the owner's behalf. The bar was closing and liquidating its assets. The ATM was sitting right next to the bar, sticky with beer. Fortunately, the keypad was protected by clear plastic. While Bob was giving us the history of the ATM and explaining how to operate it, he farted.

Needless to say, I wanted to unbolt this thing as quickly as possible, get out of there, and douse myself in hand sanitizer. After my hacker friend played with the manual, got it working, and determined that it was worth the financial risk, we loaded it on my trailer, paid $750 (negotiated down from a grand), and brought it back to my garage.

There's something about having an ATM in your garage that makes for a restless night of sleep, as if the next day is Christmas. Around 5 AM the next morning, I used an entire bottle of Windex, a whole roll of paper towels, and four pairs of rubber gloves to give this thing an enema.

My hacker friend came over to my garage, manual in hand, all giggly, and says, "Watch this." He punched in the master codes to access the machine's stored data, and hundreds of credit and debit card numbers began falling all over the floor. A few days later, another friend and I devised an evil plan to scam millions of dollars from unsuspecting suckers and then spend the rest of our lives island hopping and buying a villa in Sicily. But my wife said no.

Here's the first of a few upcoming videos of what happened next. I'll share more of my ATM adventures as they occur. There's a lot more to this story, so stay tuned!

To protect yourself from these types of scams, pay attention to your bank and credit card statements, and refute any unauthorized charges within 60 days. You might consider never using a debit card again, since credit cards are safer. When using an ATM, pay close attention to details and look for anything that seems out of place. If your card gets stuck or you notice anything odd about the machine's appearance, such as wires, tape, error messages, or a missing security camera, or if the machine seems unusually old and run down, don't use it. Try to use ATMs in more secure locations. Cover your PIN as you enter it.

And invest in identity theft protection. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses ATM scams on Fox.

[youtube]http://www.youtube.com/watch?v=5zJRzSqad-A[/youtube]

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

The latest Twitter phishing scam

Robert Siciliano — Fri, 13 Nov 2009 19:19:03 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

I've been getting the same "direct message" from several of my Twitter followers. Apparently, their accounts have been hacked, because it's a phishing message that says, "ROFL this you?" and contains a shortened URL.

The link leads to a page that resembles Twitter's log in page. The web address is /videos.twitter.zoltykatalogfirm/. Don't go there.

Your account will only get hacked if you enter your account information on this spoofed page. Warn your friends. Retweet this.

Protect yourself from this and similar scams. Don't mindlessly click on links, even if they appear to be coming from someone you know and trust. Attackers understand that you are more likely to click on a link if it appears to be coming from someone within your network. If you receive a direct message from a friend, urging you to click on a mysterious link, the account may be controlled by a criminal. Before clicking on any shortened URL, find out where it leads by pasting it into a URL lengthening service like TinyURL Decoder or Untiny.

Install Internet security software and set it to update automatically. Vary your passwords. Don't use the same password for Twitter or other social networking sites that you use for email or financial accounts.

Consider getting a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief. And invest in identity theft protection. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses hacked accounts on Fox News.

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.

Why is child pornography on your PC?

Robert Siciliano — Wed, 11 Nov 2009 23:12:17 +0000

Robert Siciliano is a NextAdvisor.com Expert Guest Blogger

Anti-virus protection, critical security patches and a secure wireless connection have always been essential processes on my networks. My main concern has always been to protect my bank account by keeping the bad guy out.

In my presentations, I've always stressed the importance of making sure your wireless connection is secured, to prevent skeevy sex offender neighbors or wackos parked in front of your business from surfing for child porn and downloading it to your PC.

Once a predator uses your Internet connection to go to into the bowels of the web, your Internet Protocol address, which is connected to your ISP billing address, is now considered one that is owned by a criminal. If law enforcement happens to be chatting with that person, who's using your Internet connection to trade lurid child porn, then someone may eventually knock on your door at 3 AM with a battering ram. And in another freakish and relatively new twist, hackers can use a virus to crack your network and gain remote control access, and then store child porn on your hard drive.

An AP investigation found plenty of people who have been victimized in this way. Maybe their PCs were being used as a virtual server, or maybe they were being framed by someone with a vendetta against them, but either way, they had child pornography planted on their computers. Once that porn is discovered by a friend, family member, or computer technician, the victim is arrested.

This is the kind of "breach" that can cost you thousands in legal fees, your marriage, relationships, your job, and your standing in society. In one case, a virus changed the default home page on a man's PC, and his seven year old daughter discovered it. The guy was arrested and eventually lost custody of his daughter. And you think you've got problems.

When you click a link in an email or a pop up advertisement in your browser, you may inadvertently download one of these viruses, which can then visit child pornography websites and download files onto your hard drive.

Make sure your Internet security software is up to date and set to run automatically. Update your web browser to the latest version. An out of date web browser is often riddled with holes that worms can crawl through. Update your operating systems critical security patches. Lock down your wireless internet connection with WPA security protocol.

And invest in identity theft protection. Not all forms of identity theft can be prevented, but an identity theft protection service can dramatically reduce your risk.

Robert Siciliano, identity theft speaker, discusses viruses on Fox News.

[youtube]http://www.youtube.com/watch?v=yK6du0O8TfE[/youtube]

Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Uni-Ball to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.