Copy machines can store your private info
Posted by Robert Siciliano on March 17th, 2010
Robert Siciliano is a NextAdvisor.com Expert Guest Blogger
Today, copy machines, fax machines and many printers are just like computers; they’re smart and they have hard drives or flash drives and can store data that can be extracted. Peripherals in the olden days, just like dot-com-heavy stock portfolios, were dumb.
Because of the increased demand for networked technologies, manufacturers built all these peripherals so they can be easily accessed by everyone in the office. These same peripherals are often wireless too. They also have memories, or caches, which allow them to store printing jobs when the copier is busy. This kind of memory has a consequence.
The issue here is that these devices are not always treated with the same security considerations as a computer. After all, PCs are often locked down, access is limited and the data might be encrypted. When someone upgrades to a new PC, the old PC’s data is supposed to be removed, reformatted, etc. This procedure is often overlooked on a copier/printer/fax.
Consider what kind of data is copied (and therefore stored) at your doctor's, bank's, mortgage broker's and accountant's offices. There might be personally identifiable information that someone could use to create new accounts or take over existing accounts.
Where do old peripherals go? Many of them head to warehouses to be resold. Others end up on eBay. A quick search on eBay results in 13,314 copiers for sale, 1,874 of them used. If I can buy an ATM off Craigslist with over 1,000 credit and debit card numbers on it, how much data do you think we can get from used copiers?
All the more reason to protect your identity:
- If you think you're a victim of identity theft, find out how to get a credit freeze. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
- Invest in anti-virus and keep it auto-updated.
- With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.
- Invest in identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
Robert Siciliano is CEO of IDTheftSecurity.com, an identity theft expert, professional speaker, security analyst, published author and television news correspondent. Siciliano works with Fortune 1000 companies and startups as an advisor on product launches, branding, messaging, representation, SEO and media. Siciliano's thoughts and advice on all these matters appear often in both the televised and print news media including CNN, MSNBC, CNBC, FOX, Forbes and USA Today. He has 25 years of security training as a member of the American Society of Industrial Security. He is the author of two books, including The Safety Minute: Living on High Alert; How to take control of your personal security and prevent fraud. He's also partnered with Intelius to help raise awareness about the growing threat of identity theft and to provide tips on how you can protect yourself.
Robert Siciliano Identity Theft Speaker discussing copy machine scams on CBS Boston
Pay-at-the-Pump Skimming Using Bluetooth
Posted by Robert Siciliano on March 12th, 2010
Skimming data off of debit and credit cards has been happening at ATMs, gas pumps and electronic funds transfer point of sale terminals for quite some time.
When criminals plant skimming devices, they have to physically attach a skimming device that fits over the face of the ATM’s card slot. Then they install a small camera that shoots video of the PIN pad, which allows them to extract user PIN codes. The camera is often housed inside a brochure holder or a little box that may have a mirror glued to its face. The mirror is made to look like a security feature preventing shoulder surfing.
Once the criminals attach the devices, they have to wait for someone to use the ATM or gas pump before they can remove the device and download the data. It is in the best interest of the criminal to leave the skimmer on the machine for as long as possible to skim as many cards as possible, because every time the skimmer is removed and replaced it becomes another opportunity for the thief to get caught or for something to go wrong.
In Utah, a group of criminals one-upped other ATM scammers by installing Bluetooth-enabled skimming devices that broadcast the skimmed data to a nearby storage device, probably a laptop. Bluetooth’s range can be just a few feet to as much as a city block. So the criminals had to be in a car nearby.
What makes these devices even more sophisticated is that they skim the card data and grab the PIN code via the all-in-one combo skimmer and PIN pad device affixed to the face of the pump.
This entire process allows the criminal to steal data on demand and immediately turn it into cash. Further, it provides the criminal with the freedom to decide whether or not they want to retrieve the skimming device, thereby lessening their chances of being caught.
You can’t protect yourself from this kind of skimmer by covering your PIN entry, because the device is the PIN pad. So if you use a device like this you may be screwed. Ultimately, you must pay close attention to your statements. Also, pay close attention to details, and look for anything that seems out of place. Dispute unauthorized transactions within 60 days. Check with your bank to determine what their timeframe is to dispute unauthorized withdrawals. In some cases it can be as early as a week.
Protect your identity:
- If you think you're a victim of identity theft, find out how to get a credit freeze. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
- Invest in anti-virus and keep it auto-updated.
- With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.
- Invest in identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
Robert Siciliano Identity Theft Speaker discussing Pay-at-the-Pump skimming on Fox News.
Hacking humans' naiveté
Posted by Robert Siciliano on March 10th, 2010
Naiveté: A lack of sophistication or worldliness. That sums up a lot of people I know. "There's a sucker born every minute" is a phrase often credited to P.T. Barnum (1810 – 1891), an American showman. It is generally taken to mean that there are (and always will be) a lot of gullible people in the world.
Predator: A predator is an organism that feeds on another organism. That also sums up a lot of people I know. I observe them in person and in the news daily.
There are many ways how, and motivations why, a predator stalks their prey. Often it is just their nature to do so. Control and money top the list of motivations.
In the world of Information Security the “how” is “social engineering”.
Social engineering is the act of manipulating people into performing actions or divulging confidential information, rather than breaking in or using technical hacking techniques (essentially a fancier, more technical way of lying).
Social engineering or “social penetration” techniques are used to bypass sophisticated and expensive hardware and software in a corporate network. Smart organizations train their employees to be aware of and resist the most common attempts to trick them into letting down their guard.
The Register reports that pentesters, a.k.a. ethical hackers, "regularly send client employees emails informing them that the strength of their login passwords is being tested through a new website. They are then instructed to follow a link and enter their credentials. The success rate: as high as 50 per cent."
As the article points out, humans have a tendency to trust one another. It's a survival instinct built on millions of years of evolution. "When one person saw that a group of his peers ate a particular berry and didn't die, he ate the same fruit – and survived as a result." That's trust, and it's exploitable.
This is where we throw around words like “naïve” and “sucker.” You don’t really need to be naïve, a sucker or stupid to respond to emails like this. Really, you just need to be nice, helpful and trusting.
I found a website called “Hacks4Sale” (a site which Norton Internet Security deems unsafe, so go there at your own peril) which employs similar tactics, but claims they are for different reasons:
A very large portion of our clients are the victims of spousal infidelity, nowadays the primary means people employ to communicate with their lover are e-mails and social networking websites, both of which we can help you gain access to through our software. Our software solutions enable our clients to retrieve (no physical access to the user's computer is required) the login credentials to accounts at all the major e-mail and social networking providers (Yahoo, Gmail, Hotmail, Myspace, Facebook and many others).
Recognize that the predator uses these tactics to get what they seek. They will stop at nothing and consider you their natural prey.
Always question authority or those who claim authority.
Don’t automatically trust or give the benefit of the doubt.
When the phone rings, an email comes in or you are approached, proceed with caution.
Protect your identity:
- If you think you're a victim of identity theft, find out how to get a credit freeze. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
- Invest in anti-virus and keep it auto-updated.
- With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.
- Invest in identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
The $10,000 fake ID
Posted by Robert Siciliano on March 8th, 2010
When I was 17, my friend “Baldo,” as he was known by all, was the Fake ID Master. He also fixed TVs and still does today. But he didn’t actually create “fake IDs,” he altered real ones. The technology he used back then is still used today. It’s called Crayola Crayons. He would take a Massachusetts ID and heat the laminate over the stove and peel it back. Then he’d dab a premixed batch of liquid aqua green/blue crayon on the left side of an 8 to make it a 3. He’d bust out his heating iron and some wax paper and seal up the laminate. Then a 17-year-old became 22, using the same technology my 1-year-old eats. Packy run, anyone?
Today is a little different. It’s not so easy to peel back the laminate. Most cards today are treated plastics: PVC, styrene, polypropylene, direct thermal, and teslin hybrids. However, while all that sounds technically challenging, it’s really not. Some of the do-it-yourself ID making machines are the size of a shoebox. It is, however, a tad more complicated than that. Sure you can go to your local office supply and buy ID making materials or simply buy fake IDs online, but will they pass muster when put in front of numerous technologies that look for tampering?
That’s where the $10,000 fake ID comes in. In New York, authorities busted an identity theft ring and charged 22 people with selling driver's licenses and other identification documents.
Among those implicated in the ring are two New York State Department of Motor Vehicles employees, who are believed to have earned over $1 million issuing more than 200 licenses and other documents over the past three years. The alleged ring leader of the group was identified as Wilch Dewalt, also known as "Sharrief Sabazz Muhammad" and "License Man." Authorities say he acted as a broker who, in exchange for a fee of between $7,000 and $10,000, served as a one-stop shop for fraudulent documents.
In this case, the clients who were dropping 10G on IDs were people who were hiding from the law in plain sight, including felons, a drug dealer whose claim to fame was once a cameo on "America’s Most Wanted," and someone from the government's No Fly List. These were people that: A) could afford it and, B) needed the best of the best in real fake identification.
In the meantime, identity theft is again the top 2009 consumer complaint, the FTC reports. The number of American identity fraud victims rose 12% last year to 11.1 million, with losses hitting $54 billion, according to an annual report from Javelin Strategy & Research.
Protect your identity:
- If you think you're a victim of identity theft, find out how to get a credit freeze. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
- Invest in anti-virus and keep it auto-updated.
- With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.
- Invest in identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
Assassin or identity theft victim?
Posted by Robert Siciliano on March 5th, 2010
The assassination of senior Hamas terrorist Mahmoud al-Mabhouh has made a little buzz in the States, but over in Dubai, as more details become available, it is becoming apparent to some (depending on which side of the wall you live on) that the real assassins stole the identities of several Israelis who carried foreign passports.
The purported identity theft stems from the accessibility of passport data from Israelis who hold dual citizenship from Israel, Britain, Australia and other countries. “Six more Britons had their passports cloned by the killers of a senior Hamas official," Dubai police said yesterday, as they revealed a total of 15 new suspects in the assassination. One of the victims/accused assassins stated, "I was in total shock. I don't know what's happening—I don't know how they got to me or my information. I haven't left the country in about two years, and I've never been to Dubai. I don't know who was behind this. It's just scary, because powerful forces are involved in this."
The Dubai police went ahead and released information on 26 suspects in the assassination. The pictures of the suspects were also released. One of the accused stated, “Even my mother asked if I'd been abroad.”
Freaky Stuff.
I was interviewed in a yet-to-be-released AP story from Jerusalem about how something like this can happen. It seems simple to me. If, in fact, the accused are what I would label as criminal identity theft victims, then we are all susceptible to this type of crime. I’ve always believed this to be the scariest of all identity theft and if the above story concludes as factual, then it’s a perfect example.
In the USA, we have as many as 200 forms of ID circulating, including passports from state to state, plus another 14,000 birth certificates and 49 versions of the Social Security card. These are paper and plastic documents that can be recreated with a PC, scanner, printer and laminator. We use numerical identifiers that aren’t physically associated with us. Pictures are attached to some documents that may not look like the document holder, especially if there are changes to characteristics such as eyeglasses, beards, hair coloring, hair removal, or weight change. Some identification documents have no photo. This is not effective authentication. Worldwide, the system isn’t much more secure.
This is criminal identity theft waiting to happen.
At least you can protect your financial identity.
1. Get a credit freeze if you think you've been a victim of identity theft. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
2. Invest in anti-virus and keep it auto-updated.
3. With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.
4. Invest in identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
Robert Siciliano Identity Theft Speaker video hacking P2P getting lots of fun data.
When FTC sends a warning, data theft has jumped the shark
Posted by Robert Siciliano on March 3rd, 2010
When Fonzie jumped the shark, that spelt the end of Happy Days.
The FTC's warning to 100 companies and agencies, that their employees are leaking client and sensitive data on the web via Peer to Peer file sharing (P2P), is the single most pathetic and embarrassing communication to come across the desk of an IT professional. This is old news, and the FTC seems far behind. As Trautman tells Rambo, "it’s over, Johnny, it's over!"
The FTC certainly has their hands full with the mess of information security that we call identity theft. I’ve met some from the FTC. These are smart people who are doing the best they can with what they have to work with. But government is usually the last to be on top of what is new and ahead of what is next, especially with technology issues. Generally, they are reactive and fix it after it’s broke. They step in when there is a problem and work to fix it so it’s not a problem in the future.
How is it that after hundreds of data breaches and numerous articles that all point to leaks via P2P, there are still companies who allow the installation of technology that opens a big hole in your network? It's a hole big enough for a car bomb.
As Byron Acohido eloquently stated, “the Federal Trade Commission today finally voiced concern about the long-known problem of data leaking into criminal hands via LimeWire, BearShare, Kazaa and dozens of other peer-to-peer (P2P) file sharing networks.” The operative word here being “finally.” Why are we having this conversation?
For the under-a-rock crowd, P2P has been around since before the days of Napster. Peer to peer file sharing is a great technology used to share data over peer networks. It’s also great software for getting your computer hacked.
Last year the House Committee on Oversight and Government Reform responded to reports that peer to peer file sharing allows Internet users to access other P2P users’ most important files, including bank records, tax files, health records, and passwords. This is the same P2P software that allows users to download pirated music, movies and software.
An academic from Dartmouth College found that he was able to obtain tens of thousands of medical files using P2P software. In my own research, I have uncovered tax returns, student loan applications, credit reports and Social Security numbers. I’ve found family rosters which include usernames, passwords and Social Security numbers for an entire family. I’ve found Christmas lists, love letters, private photos and videos (naughty ones, too) and just about anything else that can be saved as a digital file.
Installing P2P software allows anyone, including criminal hackers, to access your data. This can result in data breaches, credit card fraud and identity theft. This is the easiest and frankly, the most fun kind of hacking. I’ve seen reports of numerous government agencies, drug companies, mortgage brokers and others discovering P2P software on their networks after personal data was leaked.
Blueprints for President Obama’s private helicopters were recently compromised because a Maryland-based defense contractor’s P2P software had leaked them to the wild, wild web.
Here's how to stay out of the P2P mess:
- Don’t install P2P software on your computer.
- If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is you’ve found.
- Set administrative privileges to prevent the installation of new software without your knowledge.
- If you must use P2P software, be sure that you don’t share your hard drive’s data. When you install and configure the software, don’t let the P2P program select the shared data for you.
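One way to automate the installed-software check from the list above on a Windows PC, as an added example that is not part of the original post: it reads the registry keys behind the installed-programs list and flags the P2P clients named in this post. The function names are illustrative, the sample inventory is constructed, and name matching is a heuristic.

```powershell
# Added example: flag P2P file-sharing clients on a Windows PC.
# Patterns are the clients named in this post; extend the list as needed.
$P2PNamePatterns = @('LimeWire', 'BearShare', 'Kazaa')

# Registry locations behind the installed-programs list:
# 64-bit machine-wide, 32-bit machine-wide, and current-user installs.
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

function Get-InstalledProgram {
    # Returns one object per registered program that has a display name.
    foreach ($key in $UninstallKeys) {
        Get-ItemProperty -Path $key -ErrorAction SilentlyContinue |
            Where-Object { $_.DisplayName } |
            Select-Object DisplayName, DisplayVersion, Publisher, InstallLocation
    }
}

function Find-P2PProgram {
    # Matches program display names against the patterns (case-insensitive).
    param(
        [object[]] $Programs = @(),
        [string[]] $Patterns = $P2PNamePatterns
    )
    foreach ($program in $Programs) {
        foreach ($pattern in $Patterns) {
            if ($program.DisplayName -like "*$pattern*") {
                [pscustomobject]@{
                    MatchedPattern  = $pattern
                    DisplayName     = $program.DisplayName
                    DisplayVersion  = $program.DisplayVersion
                    InstallLocation = $program.InstallLocation
                }
                break   # one finding per program is enough
            }
        }
    }
}

function Find-P2PProcess {
    # Catches copies that are running without an installed-programs entry.
    param([string[]] $Patterns = $P2PNamePatterns)
    Get-Process | Where-Object {
        $name = $_.ProcessName
        $Patterns | Where-Object { $name -like "*$_*" }
    } | Select-Object ProcessName, Id, Path
}

# Constructed sample inventory (not real data) to show the matching logic.
$sampleInventory = @(
    [pscustomobject]@{ DisplayName = 'Example Office Suite'; DisplayVersion = '1.0'
                       InstallLocation = 'C:\Program Files\ExampleOffice' },
    [pscustomobject]@{ DisplayName = 'LimeWire'; DisplayVersion = '0.0-sample'
                       InstallLocation = 'C:\Program Files\LimeWire' },
    [pscustomobject]@{ DisplayName = 'kazaa (sample entry)'; DisplayVersion = '0.0-sample'
                       InstallLocation = 'C:\Program Files\Kazaa' }
)
Write-Host 'Constructed sample (expect two findings):'
Find-P2PProgram -Programs $sampleInventory | Format-Table -AutoSize

# Live check of this machine.
$installed = @(Find-P2PProgram -Programs @(Get-InstalledProgram))
$running   = @(Find-P2PProcess)

if ($installed.Count -eq 0 -and $running.Count -eq 0) {
    Write-Host 'No listed P2P client found installed or running.'
} else {
    Write-Host 'Possible P2P software found:'
    $installed | Format-Table -AutoSize
    $running   | Format-Table -AutoSize
}
```

Run it from an account that can read the machine-wide registry keys; a clean result only means none of the listed names matched.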
Robert Siciliano Identity Theft Speaker video hacking P2P getting lots of fun data.
RATs are committing identity theft via webcams
Posted by Robert Siciliano on March 2nd, 2010
A webcam is certainly one way the bad guy can gain intelligence about you. They can use it to spy on you. They can listen in to everything you say all day. They know when you are home or not, whether or not you have an alarm—they watch you. But in my opinion, the real issue here isn’t the webcam, but the technology that allows for full remote control access to your network.
If you are a cave-dwelling unabomber you may have missed the story about the family, who is already involved in numerous civil judgments, suing their son's school for spying on him with the school issued laptop. Apparently, it’s not OK to spy on students who are issued a school laptop.
The school apparently installed laptop tracking software that is designed to find a stolen laptop. Laptop tracking often uses GPS, or IP-based technology that provides location-based information when plugged into the Net. The trick to this particular laptop tracker was a peeping Tom technology called a RAT, aka a Remote Access Trojan.
RATs can capture every keystroke typed, take a snapshot of your screen and even take rolling video of you. But what’s most damaging is the full access to your files, and if you use a password manager they may have access to that as well.
RATs generally monitor a PC without the user’s knowledge. RATs are a criminal hacker's dream and are the key ingredient in spyware. Common RATs are Back Orifice and LANRev Trojan. It was the latter RAT that allowed the school district full remote access to the student’s laptop, at his home and in his bedroom. Creepola!
Now the FBI is in the fray. According to the original complaint, the student was accused by his school’s assistant principal of "improper behavior in his home" and shown a photograph taken by his laptop as evidence. That kind of backdoor slap on the hand for home-based bad behavior certainly raises an eyebrow. For every action there is a reaction, as they say.
RAT installation can be done by someone with full onsite access to the machine, or remotely through malware propagated by an infected attachment, malicious links in a popup, or a permissioned toolbar or other software. A RAT can come from a thumb-drive found on the street or in a parking lot, and even from off-the-shelf peripherals like a digital picture frame or an external hard drive that’s infected in the factory. The bad guys can also trick a person when playing a game as seen here in this YouTube video.
There are plenty of remote access programs that use legitimate back door technology that we use every day. Examples include Radmin and GoToMyPC remote access. Your desktop has “remote desktop” which acts in a similar way. There are a dozen iPhone Apps that do the exact same thing.
Considerations:
An unprotected PC is the path of least resistance. Use anti-virus and anti-spyware. Run it automatically and often.
A PC that's not fully controlled by you is vulnerable. Use administrative access to lock down a PC, preventing the installation of unauthorized software.
Many people leave their PC on all day long. Consider shutting it down when it's not in use.
Unplug your webcam if you are freaked out by it. If it’s built in to your laptop cover it up with tape. You may also be able to disable it on startup, uninstall it and remove the drivers that make it work.
And invest in identity theft protection.
Protect your identity.
1. If you think you're a victim of identity theft, find out how to get a credit freeze. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
2. Invest in anti-virus and keep it auto-updated.
3. With your iPhone get my book as an App or go to my website and get my FREE ebook on how to protect yourself from the bad guy.
4. Invest in identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
Robert Siciliano Identity Theft Speaker discussing Webcam Spying on The CW, New York
Fostering awareness & improving security education
Posted by Robert Siciliano on February 17th, 2010
Financial institutions have the most to gain by improving security education of their clients and employees—and the most to lose if they don't.
A while back I appeared on a local TV show talking about phishing. Amazingly, still, not everyone knows what phishing is. A good friend saw the show and was shocked by what she learned… about her bank.
She received a phishing email and didn’t know what it was. The email asked her to update her account. It was confusing so she called her bank. She spent 20 minutes on the phone with a bank rep discussing her account and the bank could find no record of the communication or any issues with her account. At the conclusion of the call the bank rep said, “I don’t know why you received this email; your account information is in order.” Click.
That night she saw my phishing clip and wondered why the bank never mentioned a single word about phishing. Her bank failed her. They failed to educate her and therefore failed to protect her. She is no longer a client of that bank.
The mindset of financial institutions needs to change drastically when it comes to educating their clients about identity theft and security issues. The old school don’t-discuss-it-because-it-will-scare-people school of thought is dead. People want, need and require information to protect themselves.
The game has changed. People are concerned for their personal security and are hungry to learn. The fact that you or anyone reads this blog is a testament to the fact that society as a whole wants to learn. Soccer moms are now security moms. I’ve seen major industry players in the anti-virus space catering to these mommy bloggers and others because they understand the public is hungry for this. Banks, well, not so much.
Engage the public and they will respect you and want to do further business with you.
Linda McGlasson, Managing Editor at BankInfoSecurity.com, interviewed me for a segment on this issue. Listen to the Podcast here. It requires a login but it's worth your time.
Protect your identity.
1. Get a credit freeze if you think you're a victim of identity theft. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
2. Invest in antivirus software and keep it auto-updated.
3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.
4. Invest in identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
Robert Siciliano, identity theft speaker, discussing the lack of security in online banking on CBS Boston.
Targeted injection attacks on the rise
Posted by Robert Siciliano on February 11th, 2010
Robert Siciliano is a NextAdvisor.com Expert Guest Blogger
In the latter half of 2009, criminal hackers went from mass SQL injection campaigns to targeted attacks. SQL is an abbreviation of Structured Query Language, pronounced “Ess Que El” or “Sequel.” The strategy has shifted to a focus on high-profile websites, concluded Websense's State of Internet Security report for the third and fourth quarters of 2009. SQL injections have evolved in their purpose and sophistication. Originally meant as a tool to attack a merchant’s database and steal data, the attack was reconfigured last summer to install viruses that contain a remote control component on a user's computer.
Matt Chambers with Corporate IT Solutions says, “Web applications are one of the most outward facing components a corporation contains in its network design, and one of the least protected. Applications typically take input information and send it to a database for storage and processing. We interact with these kinds of applications every day, whether it’s a signup form or a login page for a favorite networking site.”
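The pattern described above, form input passed on to a database, shown as an added example that is not part of the original post: the same lookup written with string concatenation and with a bound parameter. The table, function names and sample values are constructed for illustration, and SQLite stands in for a site's database.

```python
import sqlite3

def make_db():
    """Build an in-memory table with constructed sample accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, email TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable: the form value is pasted into the SQL text, so any quote
    # character in it becomes part of the statement itself.
    sql = "SELECT name, email FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()

def lookup_safe(conn, name):
    # Hardened: the statement is fixed and the value travels separately as a
    # bound parameter, so the database only ever treats it as data.
    sql = "SELECT name, email FROM users WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()

def compare(form_value):
    """Return (result of unsafe lookup, result of safe lookup)."""
    conn = make_db()
    try:
        unsafe = lookup_unsafe(conn, form_value)
    except sqlite3.Error as exc:
        # A stray quote breaks the statement instead of matching a row.
        unsafe = "error: " + type(exc).__name__
    safe = lookup_safe(conn, form_value)
    conn.close()
    return unsafe, safe

# Constructed form values: an ordinary name, a name with an apostrophe,
# and a value carrying SQL syntax.
SAMPLES = ["alice", "o'brien", "nobody' OR '1'='1"]

if __name__ == "__main__":
    for value in SAMPLES:
        unsafe, safe = compare(value)
        print(repr(value), "| unsafe:", unsafe, "| safe:", safe)
```

With the concatenated query, the apostrophe in an ordinary surname causes a database error and the third value returns every row; the parameterized query returns only exact matches in all three cases.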
Patrik Runald, senior manager of security research at Websense, told SCMagazineUS.com, “the bad guys are going after high-profile, high-volume websites, instead of going after the smaller websites, which are easier to inject code into.” The report says attackers have increasingly launched targeted attacks, which often start with an email containing a malicious link. During the second half of 2009, 81% of emails contained a malicious link, the report states.
When an employee receives a spear phish (a.k.a., a targeted email attack with a malicious link), based on information gathered from the company’s website, and that employee clicks that link, the link may download a program that disables the company's antivirus and defeats all security measures. This is why one must never click on links in the body of an email. There are hardly ever links in emails that can’t be worked around, either via a user's favorites menu or by manually typing the address in the browser.
1. NEVER click links in email. It’s sheer laziness, naiveté or stupidity when someone clicks links in the body of an email today.
2. Get yourself an ethical hacker to test your network and see what damage he can do before the bad guy does.
3. Invest in antivirus software and keep it auto-updated.
4. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.
419 scams double, over $9 billion in profits
Posted by Robert Siciliano on February 8th, 2010
Robert Siciliano is a NextAdvisor.com Expert Guest Blogger
A recent study by Dutch investigation firm Ultrascan shows we are half as smart (or twice as dumb) as we were in 2008, as advance fee scams, a.k.a. 419 scams, doubled in losses to over $9 billion. 419 Advance Fee Fraud Statistics 2009 (PDF)
While the scams are known to be Nigerian in nature, and take their name from the 419 Nigerian code that makes them illegal, scams were launched from 69 other countries in 2009. The jump in the number of victims is due to the broader reach of the scammers. Scammers aren’t just targeting English-speaking nations anymore. As people in developing countries get computers and Internet connections, they become susceptible to the same old scams that other countries got snagged by a decade ago.
Big targets have become China, India, South Korea, Vietnam, and others. Many of the scams of the past had an “insurance fee” pitch that required a percentage of money sent in order to ensure that so many millions made their way to another bank somewhere. This “investment” by the victim was supposed to get them a percentage of the big pot. Once the scammer got a hold of the victims, they would build a relationship with them, in many cases a romantic one, to get them emotionally involved in the ruse.
However, in China, the Chinese get hooked by lottery scams. And in India, a culture of hard workers, people fall for student visa and job placement scams. The hook in all these scams is that the victim believes an inbound communication to be legitimate. From there, the scammers will say and do anything to get the victims to wire money. But it usually doesn’t end there. Once they get a rube on the hook, they will come up with as many reasons as possible to completely drain the victim of all their money.
Criminals aren’t any smarter than we are, but they know how to capitalize on our stupidity. They pull on emotional strings, and they use greed, lust and many other human impulses to trigger us. It's up to everyone to just be a little smarter about the emails they receive. And tell those in your life who are less than cognizant: just hit delete.
Protect your identity:
1. If you think you're a victim of identity theft, get a credit freeze. Click on the preceding link and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
2. Invest in anti-virus and keep it auto-updated.
3. Go to my website and get my FREE ebook on how to protect yourself from the bad guy.
4. Invest in identity theft protection and prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk.
Robert Siciliano, identity theft speaker, discusses various scams on TBS’s Movie and a Makeover.
Copyright© 2006 - NextAdvisor.com - All rights reserved.
