A bad week for Facebook, MySpace

Posted by kent on November 5th, 2009

I thought I was using hyperbole on Tuesday when I used the headline "Another day, another Facebook attack." Or maybe I should have just saved it for today. While Tuesday's news concerned a phishing attack, today's attack is far more insidious. According to the Facebook application developer that discovered the Facebook security vulnerability, it could potentially exploit Adobe's Flash plugin and Facebook's auto-login feature.

a active session, or a “auto login”-cookie and a URL which hosts a exploiting Flash file. For example when accessed, a automatic “post update” could be made, that would lure friends of the user to access the exploit URL, and the exploit would spread virally.(sic)

Basically, it works like this: you decide to share some awesome new Flash site (such as a browser-based game), not knowing that it's an exploit. You hit "share." If you have auto-login enabled, your Facebook login data is transferred to the nefarious referring site. Since you're sharing that site, others click on it. It steals their info, ad infinitum.

It's important to note that so far there's no evidence that this has actually happened. The potential was discovered by a concerned developer and reported so the hole would be closed. The folks at Facebook are aware of the problem, and they claim that no one's data has been compromised. They gave the following statement to TechCrunch:

The security of our users is a top priority for Facebook and we worked with the researcher who identified the issue to fix it. We have not received any reports that it was ever exploited.

MySpace has apparently fixed the bug, and from Facebook's statement it seems that a fix is either in place or imminent. But it may make you wonder if there's any way, other than cutting your Internet connection, that you can protect yourself. You don't have much control over Facebook's vulnerabilities, but identity theft protection is a good way to protect yourself in the online and offline world.

Don't open that email from the FDIC…

Posted by Caitlin on October 28th, 2009

Because it isn't really from the FDIC. There has been a recent rash of phishing emails that appear to be sent by the FDIC. The emails say, "You have received this message because you are a holder of a FDIC-insured bank account. Recently FDIC has officially named the bank you have opened your account with as a failed bank, thus, taking control of its assets." The emails also ask recipients to download and open a "personal FDIC insurance file" to check their deposit insurance coverage. This download is certainly not an FDIC document, and is most likely some form of malware. The emails also contain links to malicious websites.

If you receive an email that appears to be from the FDIC and prompts you to visit a website or download a file, delete it. Do not click on any links within the email and do not download any attachments. The FDIC is working to uncover the details of this scam, but in the meantime, recipients are instructed to "consider the intent of the software as a malicious attempt to collect personal or confidential information, some of which may be used to gain unauthorized access to online banking services or to conduct identity theft."

To protect yourself from this and other phishing scams, be cautious when downloading attachments or clicking on links in any unexpected email from an unknown source. These emails often appear to be from banks or other trusted institutions. You should also be sure to install Internet security software on your computer, and you may wish to consider investing in identity theft protection, since identity theft is often the ultimate goal of phishing scams.

ZoneAlarm offers 50% off: Virus and identity theft protection in one

Posted by kent on October 27th, 2009

ZoneAlarm is offering a deal that almost seems too good to be true. ZoneAlarm is taking 50% off of the regular price of its Internet Security Suite, which comes with one year of Identity Guard's Good Start identity theft protection. At $24.95 a year for a three-PC license, it's by far the cheapest Internet security software we've reviewed.

While we weren't completely in love with ZoneAlarm's virus warning system, we did appreciate many of the other new features. The inclusion of Good Start is a sweet bonus. All in all, this is a good deal for those looking to try out basic identity theft protection and anti-virus software, but aren't ready to make a huge investment in either. You can read our complete review of ZoneAlarm and see how it compares to the competition with our Internet security software reviews.

TrustedID introduces Identity Threat Score

Posted by Caitlin on October 27th, 2009

TrustedID, our favorite identity theft protection service, has just added a new feature to help determine your personal risk of identity theft. TrustedID will assess millions of records on hundreds of public and private databases and analyze that information for patterns that could indicate if you have been or are about to be a victim of identity theft. Your personal risk will be represented by your Identity Threat Score, a number between zero and 500. That score will make it easy to understand your risk level, and it will also help TrustedID's protection specialists ensure that the necessary steps are taken to protect your identity. Since your financial and personal information is constantly being updated, your Identity Threat Score will be automatically recalculated regularly.

This new feature makes TrustedID's protection even more comprehensive. New TrustedID customers will enjoy this additional layer of protection at no extra charge.

To learn more about TrustedID and other identity theft protection services, see our reviews and comparison chart.

It's easier to steal a passport than a television

Posted by Caitlin on October 26th, 2009

A British insurance firm recently conducted a survey of burglary victims, and found that many burglars are looking for personal documents. In 2008, 15% of British burglary victims were targeted specifically for sensitive information, and 74% of burglaries resulted in the theft of some personal or financial documents. LV, the firm that conducted the survey, said that credit cards, passports, and other sensitive personal documents are easy for burglars to sell on the black market. And they're certainly easier to steal than a television or other bulky possession. John O'Roarke, the company's managing director, suggested that homeowners store personal documents securely and, if possible, separately, since several documents with the same identity can be sold for a great deal more money.

It's unlikely that British burglars are the only ones who've caught on to the potential value of personal documents. Identity theft is easier and more lucrative than theft of possessions. And while victims rarely suffer financial losses in the long run, the time and effort required to restore your identity can be an even harsher consequence. You probably have homeowner's or renter's insurance. To spare yourself the suffering that comes with identity theft, consider investing in identity theft protection.

PYIW: Protect Your Identity Week

Posted by kent on October 20th, 2009

I guess it's fitting that in a month of costumes and masks we spend some time thinking about identity theft. The week of October 17th is National Protect Your Identity Week. A program of the Better Business Bureau, PYIW seeks to raise awareness about the growing threat of identity theft. The site, protectyouridnow.org, has statistics, consumer resources, a blog by regular NextAdvisor Daily contributor Robert Siciliano, and links to identity theft games designed to test your ID theft instincts.

For information on services that can help protect your identity, check out our reviews and comparisons of identity theft protection services.

Second PayChoice breach in one month

Posted by Caitlin on October 19th, 2009

Earlier this month, PayChoice, a payroll processing firm, was breached by hackers. Last week, PayChoice was hacked yet again. The last hack was unusually complex, involving a data breach, phishing emails, malicious websites, and a Trojan horse. The latest attack hinged on a security vulnerability in PayChoice's online portal, OnlineEmployer.com. It appears as though hackers have exploited this vulnerability in order to steal customers' usernames and passwords. The stolen credentials were then used to add fictitious employees to customers' payrolls, in an attempt to have recurring payments made to fraudulent bank accounts.

PayChoice is a leader in the payroll services and software industry, with over 125,000 business customers. It shouldn't come as a surprise that hackers have targeted a company that facilitates so many financial transactions. But what is surprising is the hackers' persistence and creativity.

To defend yourself from cybercriminals, be sure to install Internet security software, and set it to update automatically. Since the end goal of the most nefarious attacks is usually the theft of personal information that can be used to open fraudulent accounts, you might also consider investing in identity theft protection, which is designed to prevent fraudulent accounts from being opened in your name.

Identity theft victim spends weeks in jail

Posted by Caitlin on October 12th, 2009

Some identity theft victims are never able to completely repair the damage to their credit. Some victims are declined mortgages or student loans. Some victims suffer monetary losses. Nearly all victims have to devote a great deal of time and effort to the restoration of their identities. But only a few victims suffer the worst consequence of identity theft: jail, due to mistaken identity.

Joe Salazar of Omaha is one such identity theft victim.

Several years ago, Joe left his wallet in a restaurant. When he went back to retrieve it, it was gone. About a year later, police arrested a man for cocaine possession, and that man gave police Salazar's identification, date of birth, and Social Security number, and pleaded no contest to possession of cocaine. When this unknown man failed to appear for sentencing, a warrant was issued for Joe Salazar's arrest. On December 24, 2008, Joe Salazar was pulled over for speeding, and the officer discovered the warrant in his name. Joe explained that it was a case of mistaken identity, and his fingerprints confirmed that he was not the same man who had been arrested for cocaine possession. Nevertheless, Joe Salazar spent Christmas Eve in prison. He also spent Christmas in prison. And New Year's Eve, and New Year's Day. He was finally released on January 7, 2009. A judge renewed the warrant and added a note: "Please re-verify identification of Joe Salazar due to mistaken arrests."

Last week, Joe Salazar's home was burglarized. When the police arrived to file a report, you guessed it, Joe was arrested once again. This time, Joe was released after just one day in jail.

There are many procedures in place, including fingerprinting and mug shots, that should have spared Joe from spending time in prison. But they haven't helped so far, and since the warrant still hasn't been dropped, there's no guarantee that Joe won't be arrested again.

While most identity theft victims don't spend their holidays in prison, once a criminal has your personal information, there's nothing preventing him or her from using it in a pinch, to avoid going to prison him or herself. To avoid suffering any of the many possible consequences of identity theft, consider investing in an identity theft protection service, which will provide numerous layers of defense.

FBI chief falls for phishing email

Posted by Caitlin on October 12th, 2009

Last week, FBI chief Robert Mueller spoke about the dangers of cybercrime, and admitted that he had once been fooled by a phishing email. At first, Mueller believed the email to be a "perfectly legitimate" message from his bank, requesting that he verify some personal information. He followed a link to a spoofed website, where he answered the first few questions before being prompted to enter his password. At that point, it occurred to Mueller that "this might not be such a good idea." He then changed all his passwords and described the incident as a "teachable moment" to his wife, who responded by declaring, "It is not my teachable moment. However, it is our money. No more Internet banking for you!"

If the chief of the FBI can be so easily fooled by a common phishing scam, it's probably a good idea for us all to have a few extra lines of defense when navigating the Internet. So install Internet security software and set it to update automatically. And consider investing in identity theft protection, in case you or someone else slips up and compromises your personal information.

More phishing news…

Posted by Caitlin on October 7th, 2009

Today, the FBI charged 53 defendants with conspiracy to commit bank fraud and wire fraud, the largest number ever charged in a cybercrime case. 33 have already been arrested and the remainder are being sought by law enforcement. Egyptian authorities charged 47 defendants linked to the same phishing operation. The arrests follow a multinational investigation known as "Operation Phish Phry," which began in 2007.

According to the FBI, hackers in Egypt used phishing techniques to obtain banking information and other sensitive personal data, which they supplied to associates in the United States. The U.S. hackers used the stolen data to withdraw funds from their victims' bank accounts. They then wired a portion of the proceeds back to the hackers in Egypt.

Keith Bolcar, acting assistant director of the FBI in Los Angeles, commented, "The sophistication with which Phish Phry defendants operated represents an evolving and troubling paradigm in the way identity theft is now committed. Criminally savvy groups recruit here and abroad to pool tactics and skills necessary to commit organized theft facilitated by the computer, including hacking, fraud and identity theft, with a common greed and shared willingness to victimize Americans."

It is easy to dismiss phishing emails by categorizing them as spam, a mere nuisance. But phishers are not harmless. They are collecting data that can and will be used for identity theft. When anyone requests your confidential account information, whether it's a username and password or banking information, pause and consider the circumstances before you obediently hand over the data. And, just in case your personal details do find their way out into the world, despite your best efforts, consider investing in identity theft protection.
