Identity Theft Expert Speaker

Merchant Credit Card Transaction Monitoring

Robert Siciliano (Identity Theft Speaker) — Fri, 11 Dec 2009 11:37:25 -0600

Security professionals intuitively think proactively. Our job is to predict and prevent what the bad guy will do next. My job specifically is to instill this mindset into you, the consumer, SMB or large corporate enterprise.

Bob Russo, General Manager and Rockstar of the PCI Security Standards Council reminds us all in this Business Week article that it’s not all about prevention. Sage advice below.

“Many businesses are familiar with the PCI Security Standards Council’s requirements, yet many card fraud incidents go undiscovered for long periods of time. In fact, according to Verizon’s 2009 Data Breach Investigations Report, 75% of compromises were discovered at least weeks after the compromise.

Data security is not all about prevention; it also requires detection and monitoring. In the event of a breach or card fraud, proper monitoring can detect and eliminate additional fraud quickly. Thus, with the holiday season in full swing, it’s a great time to reconsider your company’s log management and monitoring. Consider the following tips:

1. Ensure your organization keeps timely, accurate, and unaltered records of what has taken place within the cardholder data environment (who, what, when, and how) to protect it in the event of a data compromise and resulting investigation.

2. Monitoring also can include physical surveillance. Closed-circuit monitoring of POS terminals can detect suspicious or fraudulent behavior.

3. Even when you are at your busiest, you simply cannot afford to overlook monitoring as a primary detector of card fraud and the trigger to eliminating ongoing criminal activity.”

And my advice. For your own good, protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. (Disclosures)

Robert Siciliano identity theft speaker discussing holiday scams on Foxes Mike and Juliet Show

10 Tips to Secure Online Holiday Shopping

Robert Siciliano (Identity Theft Speaker) — Wed, 09 Dec 2009 20:44:48 -0600

Robert Siciliano Identity Theft Expert

UK officials shut down an amazing 1200 online retailers who scammed millions from unsuspecting shoppers. Most of the sites originated from identity thieves in Asia who tricked victims into believing they were legitimate sites. Victims then lost money by entered their credit card data, sending checks or giving up banking details.

The sites sold high end designer items from Tiffany & Co, Ugg and jewelry. In some cases the victims actually received the items, but were counterfeit. Like Mom said, if it’s too good to be true it probably is. Of course nobody running the fake sites has been caught.

Criminals set up fake websites and then go through the same process legitimate eTailers do in regards to search engine optimization, search engine marketing and online advertising via adwords. They use key words to boost their rankings on Internet searches to show up along side legitimate sites. These same processes are also being used to infect unsuspecting users with malware.

Many victims who end up on scam sites generally get there via phish emails with offers for high end products for little money.

It’s easy enough to avoid spoofed websites where phishing is the gateway. Common sense says any time you receive an offer via an email automatically be suspect. The same goes with offers via tweets and messages received in any social media. Scammers are committing social media identity theft every day.
If you aren’t familiar with the eTailer don’t even bother clicking the links, especially if it’s a too good to be true offer.
If it’s a known site sending the email and you decide to click links, make sure the address you end up at is in fact the actual domain of the eTailer. Beware of cybersquatting and typosquatting which may look like the domain of the legitimate eTailer.
When placing an order always look for HttpS is the address bar signifying it’s a secure page. Scammer generally won’t take the time to set up secure sites. Note the closed padlock in your browser to back up the HttpS.
Beware of emails coming for eBay scammers. I’m getting 10 a day. The fact is it’s difficult to tell a real from a fake. If you are seeking deals on eBay go right to the site and don’t bother responding to emails. If there is a deal you see in an email search it on eBay.
Whenever you decide to make an eBay purchase look at the eBayers history. eBay is set up on the honor system and if the eBayer is an established seller with great feedback then they should be legitimate.
Don’t worry about credit card fraud. But do pay close attention to your statements. Check them every two weeks online and refute unauthorized charges within 2 billing cycles, otherwise you will pay for an identity thieves gifts.
Don’t use a debit-card online. If your debit card is compromised thats money out of your bank account. Credit cards have more protection and less liability.
Avoid paying by check online/Mailorder. In person is OK. But to an unfamiliar virtual site is not. Once the money is taken from your account and you don’t receive the goods, you are going to have a difficult if not impossible task of getting it back. Use a uniball gel pen that prevents check-washing.
Do business with those you know like and trust. I for one am guilty of buying from eTailers who have the best deals. But I only buy low ticket items from them, generally under $50.00. It’s best to buy high ticket items from eTailers that also have a brick and mortar locations.

Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Robert Siciliano identity theft speaker discussing holiday scams on Foxes Mike and Juliet Show

Holiday Temps Make The Best Identity Thieves

Robert Siciliano (Identity Theft Speaker) — Mon, 07 Dec 2009 20:18:26 -0600

Robert Siciliano Identity Theft Expert

This is the absolute best time of the year to be a dishonest temporary worker. Holiday hustle and bustle overwhelms managers and supervisors and they can’t possibly see everything their employees are doing. It has been said that only 10 percent of employees are honest, 10 percent of employees will always steal and 80 percent will steal based on circumstances. Hiring temps during the holidays becomes the perfect storm for employee theft.

Estimates reveal that 40-50 percent of all business losses are due to employee theft. Employers need to first vet out potential hires so as not to invite a thief into the workplace.

Prescreening

Use prescreening services; Otherwise become a master interviewer. Look for incongruence.
Resumes are often “false advertising” and outright lies, look for red-flags and exaggerations.
Appearance is telling. Someone who is disheveled and unkempt is a sign of character.
Interviewees who are well-spoken and ace the interview process may have had lots and lots of jobs.
Use employment applications: check and verify everything.
Background checks are only one small part of the screening process. But necessary.
Criminal records checks are insufficient and do not detect employee theft unless prosecuted and convicted.
Juvenile convictions do not show on a criminal records check.
Drug and alcohol testing .
Reference checks.
Credit reports.
Physical exams.

Hire honest people.

Honest people live by the golden rule, “do as to others…”. Honest people see stealing as demeaning. Honest people believe in karma, that if they steal then someone will steal from me. Honest people are well thought out and think of the consequences of their actions over a lifetime, not just in the moment. Hire honest people.

Perception is reality.

Assume after an “honest” person is hired the stealing begins. Orientation is the first place to discourage this behavior. Policies must be openly discussed. Employees are shown aspects of loss prevention and physical security in place. They are further told incidences of theft will be prosecuted under the fullest extent of the law. They are reminded that previous employees were caught and the expenses in fines and to lawyers in a criminal defense cost far more than the goods or cash that were stolen. In Singapore, Iran, Saudi Arabia, they put an average of 500 people a year to death for various non-violent crimes. That’s perception equaling reality.

Understand the Theft Probability Equation. Chance of getting caught + consequences of action taken = Level of risk & probability of theft.

Low risk: high probability of theft
High risk: low probability of theft
A reputation for non-action breeds theft. If you fire thieves without prosecution, you will hire thieves in the future.

Increase technology to reduce threats.

Computer World points out to bolster physical security around temporary cash registers and handheld scanners. It’s easy to install a card-skimming device on a satellite register. Install additional video cameras to monitor the use of such devices.

Review log data daily. System and transaction logs can reveal a lot of information about the security of a payment system. Check them daily for red flags.

Implement “hard” firewall policies. Use a white list of known good addresses to preclude the possibility of card and payment data going anywhere outside the enterprise firewall except to your payment processor.

For your own good, protect your identity. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.

Robert Siciliano identity theft speaker discussing holiday scams on Foxes Mike and Juliet Show

Broadcast Radio Sponsored by Intelius.com

Robert Siciliano (Identity Theft Speaker) — Thu, 03 Dec 2009 22:21:52 -0600

Anyone who has the opportunity work a job they love and spend their days helping others is fortunate. For me its helping people protect themselves from violence and theft in the physical and virtual worlds.

Helping me, help others is Intelius.com. Intelius is an information commerce company. They provide consumers and businesses with predictive intelligence for important everyday decisions. Their customers use Intelius to make choices about people, businesses and assets.

The following spots are examples of getting the word out to empower people to secure their personal security.

12.2.9 Montel Williams. Montel Accross America Audio HERE

12.3.9 Lori Wilk: Identity Theft What You Need To Know Audio HERE

MIT Says Handing Over Your Identity Data Protects You

Robert Siciliano (Identity Theft Speaker) — Wed, 02 Dec 2009 08:27:04 -0600

Robert Siciliano Identity Theft Expert

Identity is a simple concept that has become a complex problem. It has become complex due to fraud. Fraud, motivated by money and the ease of obtaining credit and taking over an account. Because identity has yet to be effectively established, anyone can be you.

Currently, identity is generally established when a person provides a single source of data such as a Social Security number, password, credit card number and so forth. Complicating things further, in the U.S. we have as many as 200 forms of ID circulating from state to state, plus another 14,000 birth certificates and 49 versions of the Social Security card. We use “for profit” third party information brokers and the lowly vital statistics agency that works for each state to manage the data.

According to a new proposal in New Scientist, our digital identities will be more secure if they are based on data from our everyday life, culled from cell phones and online transactions. The idea comes from the Massachusetts Institute of Technology’s Human Dynamics Laboratory. The lab is a pioneer of “reality mining,” which is the practice of studying how people behave by using the crumbs of digital data our actions produce.

Reality mining is “what you do and who you do it with.” Or in MIT-over-my-head-speak: “Reality Mining defines the collection of machine-sensed environmental data pertaining to human social behavior. This new paradigm of data mining makes possible the modeling of conversation context, proximity sensing, and temporospatial location throughout large communities of individuals. Mobile phones are used for data collection, opening social network analysis to new methods of empirical (information gained by means of observation) stochastic (random) modeling.”

Even Google can’t define the word “temporospatial.” Find it. I dare you.

The research is based on the use of mobile phones to provide insight into individual and group behavior. They captured communication, proximity, location, and activity information from 100 subjects at MIT over a year. This data represents over 350,000 hours (~40 years) of continuous data on human behavior. Some of the research questions include:

How do social networks evolve over time?
How predictable are most people’s lives?
How does information flow?

The idea is to capture and harness all this information that represents “what you do and who you do it with.” Managing this would consist of the creation of a central body, supported by a combination of cellphone networks, banks and government bodies. The bank, being one of the supporters, could provide “slices” of data to third parties that want to check a person’s identity.

This is different than “who you are and what you know.” Currently, positive ID is only possible by using a biometric. A biometric can be either static (anatomical, physiological) or dynamic (behavioral). Examples static biometrics include your iris, fingerprint, face, and DNA. Dynamic biometrics include your signature gesture, voice, keyboard, and perhaps gait. Also referred to as something you are. Verification is used when the identity of a person cannot be definitely established. Technologies used provide real time assessment of the validity of an asserted identity. We don’t know who the individual is but we try to get as close as we can to verify his or her asserted identity. Included in this class are out of wallet questions, PINS, passwords, tokens, cards, IP addresses, behavioral based trend data, credit cards, etc. These usually fall into the realm of something you have or something you know.

Currently, identity isn’t established. There is no accountability. That’s why we have identity theft. Anyone can become you just by saying so. In the meantime, until the big heads at MIT figure this out, protect your identity.

Robert Siciliano, identity theft speaker, discusses Social Security numbers on Fox News

Handwritten Signature is Stupid Authorization

Robert Siciliano (Identity Theft Speaker) — Mon, 30 Nov 2009 19:12:35 -0600

Robert Siciliano Identity Theft Expert

Ever forge your husband’s signature? Wife’s? Parent’s? Client’s? Do you think the clerk behind the counter at Walmart is skilled in handwriting analysis? I’ve always viewed a signature as a totally ridiculous form of authentication and a total waste of my time. Signing my name has always been burden and a frustrating task.

Nobody seems to know when a handwritten signature became a form of authorization. From what I can gather, it seems the modern signature was born when kings signed declarations. Eventually, villagers began signing their names to acknowledge accountability. So the signature was born during a time when we had kings and queens, moats, wizards, and dragons. And we continue to rely on this today. Not too smart.

My signature has evolved from a time intensive, physically demanding, well thought out, legible spelling of my first name, middle initial, and last name, to a first initial, middle initial and last name, then to a quick scribe of what might look like an R, and S, and a squiggly line in place of my last name. Today, my signature tends to be a straight line. Who the heck came up with electronic signature pads? Stupid!

Between my driver’s license, credit cards, checks, e-signature pads, and whatever contracts I fill out on a yearly basis, my signature is completely different on each document. Total inconsistency.

I spoke with Robert Baier, a forensic document examiner and handwriting analysis expert, and told him about my inconsistent signatures. Between his facial expression, shaking head and other body language, and his verbal response, I got the message that this is a bad thing. Bob is what I call the “Document Whisperer.” He has savant-like talents and can size a person up by their signature. Which means I probably disturb Bob.

I don’t really care about a signature. I don’t know if it’s because I find handwritten signatures so ridiculous or because I’m lazy with this task. The fact is, a handwritten signature provides zero proactive security. The way I see it, signing your name to any document ultimately assigns liability. If someone signs your name to a check and you call the bank and say it wasn’t you, they look at the signature and determine whether it’s yours or not. From there they assign liability. That’s dumb.

Other than at the teller line, most banks don’t actually view signature cards until there’s a problem. Same with credit card issuers etc. There are a few companies that actually have given validity to the handwritten signature. One such company is Orbograph, an image-based fraud detection company north of Boston that actually looks at previous signatures and recognizes potential document fraud before loss occurs. If we are going to rely on signatures, this type of technology needs to be implemented everywhere.

Many smaller credit card purchases no longer require a hand written signature. Visa recently announced it would mandate a move to chip and PIN technology for all Australian Visa cardholders over the next four years, with signatures no longer accepted at the check-out by 2013. This means all card holders will have a password, as opposed to a signature.

Even though passwords aren’t all that secure to begin with, a signature is even less secure, unless of course we provide the signature some credibility by implementing image-based fraud detection system-wide, or putting guys like Bob in a booth in every business district on the planet to review the legitimacy of the signature. That ain’t happening. Yet we have plenty of coffee shops on every corner. Seems like our priorities are a bit skewed.

Because the system is insecure, you must protect your identity.

Robert Siciliano identity theft expert discussing all kinds of security issues on TBS Movie and a Makeover

The Twelve Scams of Christmas,” or Popular Online Attacks This Holiday Season Pt IV of IV

Robert Siciliano (Identity Theft Speaker) — Sun, 29 Nov 2009 12:01:07 -0600

Robert Siciliano identity theft expert

Cybercriminals Take Advantage of the Holiday Season, Aiming to Steal Consumers’ Money, Identities and Financial Information

As cybercriminals begin to take advantage of the holiday season, McAfee, Inc. revealed the “Twelve Scams of Christmas” – the twelve most dangerous online scams that computer users should be cautious of this holiday season. According to Consumer Reports’ 2009 State of the Net Survey, cybercriminals have bilked $8 billion from consumers in the past two years, and McAfee warns consumers not to fall victim to the top scams this year.

Being that I’m on McAfee’s Consumer Advisory Board, I’m advising you to adhere to the following:

Previous first 3 of Twelve Scams of Christmas here. McAfee’s 3 more of Twelve Scams of Christmas below.

Scam X: Password Stealing Scams

Password theft is rampant during the holidays, as thieves use low-cost tools to uncover a person’s password and send out malware to record keystrokes, called keylogging. Once criminals have access to one or more passwords, they gain vast access to consumers’ bank and credit card details and clean out accounts within minutes. They also commonly send out spam from a user’s account to their contacts.

Scam XI: E-Mail Banking Scams

Cybercriminals trick consumers into divulging their bank details by sending official-looking e-mails from financial institutions. They ask users to confirm their account information, including a user name and password, with a warning that their account will become invalid if they do not comply. Then they often sell this information through an underground online black market.

McAfee Labs believes cybercriminals are more actively scamming consumers with this tactic during the holidays since people are monitoring their purchases closely.

Scam XII: Your Files for Ransom – Ransomware Scams

Hackers gain control of people’s computers through several of these holiday scams. They then act as virtual kidnappers to hijack computer files and encrypt them, making them unreadable and inaccessible. The scammer holds the user’s files ransom by demanding payment in exchange for getting them back.

McAfee advises Internet users to follow these five tips to protect their computers and personal information:

1. Never Click on Links in E-Mails: Go directly to a company or charity’s Web site by typing in the address or using a search engine. Never click on a link in an e-mail.

2. Use Updated Security Software: Protect your computer from malware, spyware, viruses and other threats with updated security suites. McAfee^® Total Protection software provides fully-featured protection from current and emerging threats. It also comes built in with McAfee SiteAdvisor® technology, a safe search toolbar to warn consumers of a Web site’s safety rating as well as phishing protection. It uses intuitive red, yellow and green checkmarks to rate potentially dangerous Web sites when searched on Google, Yahoo! or Bing.

3. Shop and Bank on Secure Networks: Only check bank accounts or shop online on secure networks at home or work, wired or wireless. Wi-Fi networks should always be password-protected so hackers cannot gain access to them and spy on online activity.

Also, remember to only shop on Web sites that begin with https://, instead of http://, and seek out Web sites with security trustmarks, like McAfee SECURE^™.

4. Use Different Passwords: Never use the same passwords for several online accounts. Diversify passwords and use a complex combination of letters, numbers and symbols.

5. Use Common Sense: If you are ever in doubt that an offer or product is not legitimate, do not click on it. Cybercriminals are behind many of the seemingly “good” deals on the Web, so exercise caution when searching and buying.

If you think you may be a victim of cybercrime, visit McAfee’s Cybercrime Response Unit to assess your risks and learn what to do next at www.mcafee.com/cru.

Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

Invest in Intelius Identity Theft Protection and Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano, identity theft speaker, discusses Cyber Monday on Mike and Juliet

The Twelve Scams of Christmas,” or Popular Online Attacks This Holiday Season Pt III of IV

Robert Siciliano (Identity Theft Speaker) — Sun, 29 Nov 2009 11:43:41 -0600

Robert Siciliano identity theft expert

Cybercriminals Take Advantage of the Holiday Season, Aiming to Steal Consumers’ Money, Identities and Financial Information

Being that I’m on McAfee’s Consumer Advisory Board, I’m advising you to adhere to the following:

Previous first 3 of Twelve Scams of Christmas here. McAfee’s 3 more of Twelve Scams of Christmas below.

Scam VII: Christmas Carol Lyrics Can Be Dangerous – Risky Holiday Searches

During the holidays, hackers create fraudulent holiday-related Web sites for people searching for a holiday ringtone or wallpaper, Christmas carol lyrics or a festive screensaver. Downloading holiday-themed files may infect one’s computer with spyware, adware or other malware. McAfee found one Christmas carol download site that led searchers to adware, spyware and other potentially unwanted programs.

Scam VIII: Out of Work – Job-Related E-mail Scams

The U.S. unemployment rate recently spiked to 10.2 per cent, the highest level since 1983. Scammers are preying on desperate job-seekers in the poor economy, with the promise of high-paying jobs and work-from-home moneymaking opportunities. Once interested persons submit their information and pay their “set-up” fee, hackers steal their money instead of following through on the promised employment opportunity.

Scam IX: Outbidding for Crime – Auction Site Fraud

Scammers often lurk on auction sites during the holiday season. Buyers should beware of auction deals that appear too good to be true, because often times these purchases never reach their new owner.

Stay tuned to part IV.

Robert Siciliano, identity theft speaker, discusses Viruses in Christmas Gifts on FOX News

The Twelve Scams of Christmas,” or Popular Online Attacks This Holiday Season Pt II of IV

Robert Siciliano (Identity Theft Speaker) — Wed, 25 Nov 2009 23:00:01 -0600

Robert Siciliano identity theft expert

Cybercriminals Take Advantage of the Holiday Season, Aiming to Steal Consumers’ Money, Identities and Financial Information

Being that I’m on McAfee’s Consumer Advisory Board, I’m advising you to adhere to the following:

Previous first 3 of Twelve Scams of Christmas here. McAfee’s 3 more of Twelve Scams of Christmas below.

Scam IV: The Dangers of Holiday E-Cards

Cyber thieves cash in on consumers who send holiday e-cards in an effort to be environmentally conscious. Last holiday season, McAfee Labs discovered a worm masked as Hallmark e-cards and McDonald’s and Coca-Cola holiday promotions. Holiday-themed PowerPoint e-mail attachments are also popular among cybercriminals. Be careful what you click on.

Scam V: “Luxury” Holiday Jewelry Comes at a High Price

McAfee Labs recently uncovered a new holiday campaign that leads shoppers to malware-ridden sites offering “discounted” luxury gifts from Cartier, Gucci, and Tag Heuer. Cybercriminals even use fraudulent logos of the Better Business Bureau to trick shoppers into buying products they never receive.

Scam VI: Practice Safe Holiday Shopping – Online Identity Theft on the Rise

Forrester Research Inc. predicts online holiday sales will increase this year, as more bargain hunters turn to the Web for deals. While users shop and surf on open hotspots, hackers can spy on their activity in an attempt to steal their personal information. McAfee tells users never to shop online from a public computer or on an open Wi-Fi network.

Stay tuned to parts III & IV.

Robert Siciliano, identity theft speaker, discusses Black Friday and Cyber Monday on FOX Boston

The Twelve Scams of Christmas,” or Popular Online Attacks This Holiday Season Pt I of IV

Robert Siciliano (Identity Theft Speaker) — Tue, 24 Nov 2009 21:45:50 -0600

Robert Siciliano identity theft expert

Cybercriminals Take Advantage of the Holiday Season, Aiming to Steal Consumers’ Money, Identities and Financial Information

“Cybercriminals’ use their best schemes during the holidays to steal people’s money, credit card information, social security number and identity,” said Jeff Green, senior vice president of McAfee Labs. “These thieves follow seasonal trends and create holiday-related Web sites, scams and other convincing e-mails that can trick even the most cautious users.”

Being that I’m on McAfee’s Consumer Advisory Board, I’m advising you to adhere to the following:

McAfee’s 3 of Twelve Scams of Christmas

Scam I: Charity Phishing Scams – Be Careful Who You Give To

During the holiday season, hackers take advantage of citizens’ generosity by sending e-mails that appear to be from legitimate charitable organizations. In reality, they are fake Web sites designed to steal donations, credit card information and the identities of donors.

Scam II: Fake Invoices from Delivery Services to Steal Your Money

During the holidays, cybercriminals often send fake invoices and delivery notifications appearing to be from Federal Express, UPS or the U.S. Customs Service. They e-mail consumers asking for credit card details to credit back the account, or require users to open an online invoice or customs form to receive the package. Once completed, the person’s information is stolen or malware is automatically installed on their computer.

Scam III: Social Networking – A Cybercriminal “Wants to be Your Friend”

Cybercriminals take advantage of this social time of the year by sending authentic-looking “New Friend Request” e-mails from social networking sites. Internet users should beware that clicking on links in these e-mails can automatically install malware on computers and steal personal information.

Stay tuned to parts II, III & IV.

Robert Siciliano, identity theft speaker, discusses Christmas Holiday Scams on Mike and Juliet.

SWATting, Using Technology To Hurt

Robert Siciliano (Identity Theft Speaker) — Mon, 23 Nov 2009 21:44:31 -0600

Robert Siciliano Identity Theft Expert

Swatting is making prank calls to emergency services. In the field of information security, swatting is an attempt to trick an emergency service (such as a 911 operator) to dispatch an emergency response team, generally a SWAT team. SWAT is (Special Weapons and Tactics).

Caller ID spoofing technologies are used to send law officers on bogus calls along with, social engineering, and phone phreaking techniques combined. 911 systems (including telephony and human operators) have been tricked by calls placed from cities hundreds of miles away.

Caller ID spoofing is the practice of causing the telephone network to display a number on the recipient’s caller ID display which is not that of the actual originating caller. Similar to e-mail spoofing which can make it appear that a message came from any e-mail address the sender chooses, caller ID spoofing can make a call appear to have come from any phone number. Most people trust caller ID and are unaware of caller ID spoofing. This is obviously a flawed system ripe for fraud.

MSNBC reports Doug Bates and his wife, Stacey, were in bed around 10 p.m., their 2-year-old daughters asleep in a nearby room. Suddenly they were shaken awake by the wail of police sirens and the rumble of a helicopter above their suburban Southern California home. A criminal must be on the loose, they thought.

Doug Bates got up to lock the doors and grabbed a knife. A beam from a flashlight hit him. He peeked into the backyard. A swarm of police, assault rifles drawn, ordered him out of the house. Bates emerged, frightened and with the knife in his hand, as his wife frantically dialed 911. They were handcuffed and ordered to the ground while officers stormed the house.

They were victims of swatting that exploits a weakness in the way the 911 system handles calls from Internet-based phone services.

Dallas News reports a group of people met on telephone chat lines who harassed people through swatting. They would pick a target and their caller ID information to make it appear they were calling from that person’s house.

They would phone that person’s local police and pretend they were about to go on a killing spree, triggering a SWAT or patrol officer response. The group pulled this scam across the country.

There were some reports of injuries by police storming houses of innocent, unsuspecting people whom police thought were holding hostages at gunpoint.

This is difficult to prevent. Unlisting your home phone number can help. Not having a home phone number and being mobile based is even better. In the off chance you are ever selected to be swatted, the best response is to “show your hands”. Law enforcements concern is a weapon.

While completely unrelated, protect your identity too.

Hackers Indicted for Jacking Comcast

Robert Siciliano (Identity Theft Speaker) — Sat, 21 Nov 2009 19:52:07 -0600

Robert Siciliano identity theft expert

One hacked email address led to the defacement of Comcasts homepage. When the hackers called Comcasts technical contact to let him know all 200 Comcast domain names and Comcast homepage were vulnerable, he hung up on them.

It has not been disclosed how the email was compromised, but there are many ways it could be. Wired/CNN reports as described in the indictment, the hackers got control of the domain with two phone calls, and an e-mail was sent to the company’s domain registrar, Network Solutions, from a hacked Comcast e-mail account.

That gave them entry to the Network Solutions control panel for Comcast’s 200 domains, according to the indictment.

The hackers ages 19 and 20 at the time known as Defiant and EBK from a group calling themselves Kryogeniks scrawled “KRYOGENIKS EBK and DEFIANT RoXed COMCAST sHouTz To VIRUS Warlock elul21 coll1er seven.” Across Comcasts homepage after they were rebuffed by Comcasts tech admin. Where they screwed up during their stunt was when they changed the contact information for the Comcast.net domain to Defiant’s e-mail address. Brilliant hackers yet not so smart.

One way of compromising email accounts is via simply going to the “forgot password” section of your email provider’s website and respond to a preselected personal question that you answered when signing up for the account. With a little research, the hacker has a good shot at finding the correct answer. Some of the current questions could be answered using information found on a user’s social networking profile, or through a website like Ancestry.com or Genealogy.com

I suggest that you check out the “forgot password” section on your own web-based email account, to see your current personal question. If it’s easy to answer, or would only require a little research to solve, update the question with one that you create based on opinion, as opposed to fact.

You should also beef up your password. Combine uppercase and lowercase letters, as well as numbers. Don’t use consecutive numbers, and never use names of pets, family members, or close friends.

1. Get a credit freeze. Go online now and search “credit freeze” or “security freeze” and go to consumersunion.org and follow the steps for the state you live in. This is an absolutely necessary tool to secure your credit. In most cases it prevents new accounts from being opened in your name. This makes the SSN useless to the thief.

2. Invest in Intelius Identity Theft Protection and Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU.

Robert Siciliano, identity theft speaker, discusses hacked email on FOX & Friends.

Money Mules Facilitate Identity Theft and Fraud

Robert Siciliano (Identity Theft Speaker) — Thu, 19 Nov 2009 07:44:12 -0600

Robert Siciliano Identity Theft Expert

Mules are relatively unaware people who get hooked into a “small business” or employment that is a function of a criminal enterprise. The mules often respond to “help wanted” ads from online job placement sites. Shipping scams are a common tactic criminals use in which they employ mules to receive goods bought with stolen credit card numbers, who then ship to people who buy them in online auctions. The mules in this process are essentially facilitating selling hot goods and money laundering.

An RSA study revealed laptops, iPods, iPhones, Nokia smartphones, digital cameras, Sony PlayStation 3 devices, and DJ equipment were among the items shipped to addresses in Russia and Belarus. RSA estimates that more than $36,000 worth of merchandise was cashed out every month before one scam ended earlier this year.

These scams generally have a virtual store front posing as a shipping company, giving the ruse a legitimate appearance. The efficiency of money mule operations has increased due to the amount of money being generated from data breaches and scams.

There have been dozens of significant data breaches over the past few years, in which millions of credit card numbers have been compromised. Once the data is in the hands of a criminal, they scheme to turn it into cash.

Credit card numbers are often bought and sold by “carders” who sell thousands of cards numbers for pennies each. In many cases when a PIN is present the criminal hacker will use the card number as a debit card at any ATM.

But when turning the data into cash isn’t so easy, they will burn the data to a white card and make in store purchases using mules. That can sometimes be a slow and riskier process. Recently, fake shipping scams have proven to be a profitable model that involves leveraging hundreds of naive people.

The mules are often baited into setting up bank accounts that the criminal controls. These bank accounts will be set up under the name of the mule to avoid detection and generally programmed to transfer money overseas in increments of less than $10,000 to avoid detection.

Most mules end up pulling money out of their pockets to front shipping costs with the promise of a big payoff. In the end the mule is often bilked and ends up with an empty bank account.

These scams hurt a lot of people. The banks and retailers lose because money and goods go out the door. The mules often end up losing thousands. And worse, many organized criminals are associated with terrorists groups who use the money to fund violence.

If the credit card companies and banks would adopt widely available technologies that make the data useless to the thief in the form of effective authentication of the user, then none of this would be happening. But until industry changes what I think is “its evil and selfish ways” then they will keep tossing fuel on the fire.

Generally my readers don’t need to be told the following, but maybe someone you know is naive enough to fall for one of these ruses. So keep in mind, if you are looking for a job online and see “shipping manager” or “buy and sell products on eBay with no inventory or money” or anything involving virtual transactions that involves shipping any thing overseas, then chances are it’s a scam. Also, never be suckered into opening a bank account that you don’t control. That’s just plain dumb.

And, protect your identity.

Invest in Intelius Identity Theft Protection. While not all forms of identity theft can be prevented, you can effectively manage your personal identifying information by knowing what’s buzzing out there in regards to YOU. “Disclosures”

Robert Siciliano Identity Theft Speaker discussing money mules on Fox News

I Bought an ATM off Craigslist for $750 w/1000 CC#s on it. Yup.

Robert Siciliano (Identity Theft Speaker) — Tue, 17 Nov 2009 22:42:53 -0600

Robert Siciliano Identity Theft Expert

After the Vegas DEFCON ATM debacle where hackers hacked hackers by setting up a fake ATM in front of the facilities security office, I needed to see how stupid easy it was to buy and ATM and just set it up anywhere. So my search began.

I started looking on e-bay and found plenty of new and used ATMs ranging from $500-2500 but quickly determined I didn’t want to pay $300 for shipping. Next was Craigslist, where anyone can rent out an apartment, buy a boat, get an erotic massage and buy an ATM.

I quickly found an ad from a bar north of Boston. They were selling pool tables, Budweiser neon signs and an ATM. I took my hacker with me and met Bob. Bob rented a room above the bar and was doing the deed for the owner. The bar was an old relic that was closing and liquidating its grungy assets. The ATM was sitting right next to the bar covered in 5 years of beer. Thank heavens they were smart enough to cover the keypad in clear plastic. While Bob was explaining the ATMs operation and providing us its history, he farted.

Needless to say I wanted to unbolt this thing as quickly as possible, get out of there and douse myself head to toe in pure alcohol hand sanitizer. After my hacker played with the manual, got it working and determined it was worth the financial risk, we loaded it on my trailer, paid $750 (down from a grand) and brought it home and put it in my garage.

There’s something about having an ATM in your garage that makes for a restless night of sleep, kind of like the next day is Christmas. The next day, like 5 am, I used an entire bottle of Windex and a whole roll of paper towels and went through 4 pairs of rubber gloves and gave this thing an enema.

My hacker comes over to my garage, manual in hand, all giggly, like hackers sometimes do and says “Watch this”. He punches the master codes to access the machines data on a device called an eprom and hundreds of credit and debit card numbers just start falling all over the floor.

A few days later a TV producer friend of mine came over and we devised an evil plan to scam millions of $$ from unsuspecting suckers and then spend the rest of our lives hopping from island to island and buying a villa in Sicily. But my wife said “NO”.

Here’s the first of a few upcoming videos of what happened next. I’ll share more of my ATM adventures as they occur. There’s a lot more to this story, so stay tuned!I’ll talk more about my ATM adventures as they roll out.

You can protect yourself from these types of scams by paying attention to your statements. Refute unauthorized transactions within 60 days. Consider never using a debit card again, since credit cards are safer. When using an ATM, pay close attention to details, and look for anything that seems out of place. If your card gets stuck in the machine or you notice anything odd about the appearance of the machine, such as wires, double sided tape, error messages, a missing security camera, or the machine seems unusually old and run down, don’t use it. Don’t use just any ATM. Instead, look for ATMs in more secure locations. Cover your pin!! And invest in Intelius Identity Theft Protection and Prevention. Not all forms of identity theft can be prevented, but identity theft protection services can dramatically reduce your risk. “Disclosures”

Robert Siciliano Identity Theft Speaker rolling an ATM around on Fox

Twitter Phish Identity Theft Scam

Robert Siciliano (Identity Theft Speaker) — Sun, 15 Nov 2009 21:34:53 -0600

Robert Siciliano Identity Theft Expert

I’ve been getting the same “direct message” from several of my Twitter followers. Apparently, their accounts have been hacked, because it’s a phishing message that says, “ROFL this you?” and contains a shortened URL.

The link leads to a page that resembles Twitter’s log in page. The web address is /videos.twitter.zoltykatalogfirm/. Don’t go there.

Your account will only get hacked if you enter your account information on this spoofed page. Warn your friends. Retweet this.

How to protect yourself:

1. Don’t just click on any link no matter where it’s coming from. Attackers understand a person is more likely to click a link from someone they know, like and trust. If someone direct messages you requesting you click something, their account may be in control of a criminal.
2. Before you click on shortened URLs, find out where they lead by pasting them into a URL lengthening service like TinyURL Decoder or Untiny.
3. Install McAfee anti-virus protection and keep it updated.
4. Change up your passwords. Don’t use the same passwords for social media as you do for financial accounts.
5. Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name. This makes your Social Security number useless to a potential identity thief.
6. Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. “Disclosures”

Robert Siciliano identity theft speaker discussing hacked accounts on Fox News

Why is Child Pornography on Your PC?

Robert Siciliano (Identity Theft Speaker) — Sat, 14 Nov 2009 12:01:43 -0600

Robert Siciliano Identity Theft Expert

Anti-virus protection, critical security patches and a secure wireless connection have always been essential processes on my networks. My main concern has always been to protect my bank account by keeping the bad guy out.

In my presentations, I’ve always stressed the importance of making sure your wireless connection is secured, to prevent skeevy sex offender neighbors or wackos parked in front of your business from surfing for child porn and downloading it to your PC.

Once a predator uses your Internet connection to go to into the bowels of the web, your Internet Protocol address, which is connected to your ISP billing address, is now considered one that is owned by a criminal. If law enforcement happens to be chatting with that person, who’s using your Internet connection to trade lurid child porn, then someone may eventually knock on your door at 3 AM with a battering ram. And in another freakish and relatively new twist, hackers can use a virus to crack your network and gain remote control access, and then store child porn on your hard drive.

An AP investigation found plenty of people who have been victimized in this way. Maybe their PCs were being used as a virtual server, or maybe they were being framed by someone with a vendetta against them, but either way, they had child pornography planted on their computers. Once that porn is discovered by a friend, family member, or computer technician, the victim is arrested.

This is the kind of “breach” that can cost you thousands in legal fees, your marriage, relationships, your job, and your standing in society. In one case, a virus changed the default home page on a man’s PC, and his seven year old daughter discovered it. The guy was arrested and eventually lost custody of his daughter. And you think you’ve got problems.

When you click a link in an email or a pop up advertisement in your browser, you may inadvertently download one of these viruses, which can then visit child pornography websites and download files onto your hard drive.

It also important to point out that most criminal investigators will say that “a virus put the child porn on my PC” is a bunch of hooey and a common defense used by the presumed innocent until proven guilty. Simply don’t give anyone a chance to doubt by doing the following:

Dont be a scumbag child pornographer. Where there’s smoke there’s usually fire.

Make sure your anti virus up to date and set to run automatically.

Update your web browser to the latest version. An out of date web browser is often riddled with holes worms can crawl through.

Update your operating systems critical security patches automatically

Lock down your wireless internet connection with the WPA security protocol

Robert Siciliano Identity Theft Speaker discussing viruses on Fox News

Smarten Up. Increase Your Information Security Vocabulary

Robert Siciliano (Identity Theft Speaker) — Thu, 12 Nov 2009 08:17:57 -0600

Robert Siciliano Identity Theft Expert

Years ago (like 20) a friend was graduating from college and moving away and a bunch of friends were throwing a party for this person. Collectively they asked me if I’d write a small speech as a version of “This is your life”. Stymied as to why they would ask me to do it I asked ”Why me?” My girlfriend at the time said, and I quote “Because you gut good words”. Serious. And my writing and speaking began. Inspiration comes in many forms.

People who generally have to much time on their hands read my posts. Or they simply enjoy my train wreck world view. Anyway there are some fantastic resources that I draw from that help me to break down the complicated issues revolving around how to keep the bad guy from draining your bank account. The following make me look good. (not to insult the following)

READ/CONSUME/RSS:

Finextra Blogs. A vibrant community of finance, IT and security professionals from almost every corner of the planet. A melting pot of diversity that provides a world view on numerous issues. Just don’t piss off Paul.

The Register. A UK based digital diary of all things tech. John Leyden and Dan Gooden are Register rockstars.

Dark Reading. Isn’t as dark as it sounds. They hit on every possible security issue and are well researched. Kelly Jackson Higgins (is tireless) and John Sawyer & Graham Cluley provide great information. Tim Wilson is a must must must read.

COMPUTERWORLD Provides the most detailed exhaustive data of any source. Articles are deep and informative and keep you tuned to industry players too. Jaikumar Vijayan and Robert McMillan wear me out.

Wired.com Has anything and everything wires or wireless. Kim Zetter, David Kravets seem to have the inside scoop on everything. Kevin Poulsen Sr Editor used to run from the law with Kevin Mitnick and now bitch slaps anyone who says stupid stuff.

StorefrontBackTalk.com. Run by Evan Schuman is a smart e-commerce/retail/PCI publication

DataLossDB is run by the Open Security Foundation, an ornery bunch that keeps tabs on insecurity. Provides accurate statistics to CSO’s and CTO’s to assist them in decision making. They and their merry band of volunteers are watching you.

USAToday Michelle Kessler is all technology and Byron Acohido and Jon Swartz are very respected journalists who come up with the best insider stories on the planet, and have never ever called me.

The Washington Post Security Fix by Brian Krebs. Nobody has more crack heads, meth addicts and criminal hackers begging to tell their stories to a well known journalist. At least that’s my impression. You can’t not learn from this guy.

Information-Security-Resources.com a new addition to my feeds is edited by Anthony M. Freed and has contributions by Richard Stiennon and Danny Lieberman who often draw colorful commentary.

Nextadvisor.com/blog/ a consumer based easily digestible take on whats new and current in consumer security issues and product comparison. Kent and Caitlin keep tabs on all things “need to know”.

IAPP Daily Dashboard Mike Spinney, Senior Privacy Analyst , CIPP is a senior privacy analyst with the Ponemon Institute. Dude just rocks.

CNET Elinor Mills does the best job of breaking down complex issues into bite size chunks.

Increasing your information security vocabulary helps keep you and your business secure, like eating good food and exercising helps keep you healthy. So get smart. Up your IT/infosec intelligence. Read these sources and follow these journalists. They all gut good words.

And do yourself a favor: Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name.

And invest in Intelius identity theft protection. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. “Disclosures”

Robert Siciliano Identity Theft Speaker discussing all kinds of security stuff on TBS Movie and a Makeover

Insider Identity Theft Can Be Most Damaging

Robert Siciliano (Identity Theft Speaker) — Mon, 09 Nov 2009 14:27:10 -0600

Robert Siciliano Identity Theft Expert

Earlier this week, an IT employee was indicted for stealing the identities of 150 of his coworkers at Bank of New York Mellon, to the tune of 1.1 million bucks. He bilked almost $140,000 a year over an eight year period by compromising the online bank accounts of numerous employees and wiring money to fraudulent accounts outside the bank.

This is a classic case of the fox watching the hen house. This guy was an insider terrorist, looking his colleagues straight in the eye and lying to them. I rank him with pedophiles and serial killers.

As much as 70% of all identity theft is committed by someone with inside access to organizations such as corporations, banks, or government agencies, or by someone who has an existing relationship with the victim. People with access to sensitive personal data are most likely to commit identity theft. For many, it’s just too easy not to.

An identity thief begins by acquiring a target’s personal identifying information: name, Social Security number, birth date and address, account information etc. If the thief has regular access to a database, this data is right there for the taking. Many credit applications and online accounts request current and previous addresses. So the thief fills out the victim’s current address as “previous” and plugs in a new address, usually a P.O. box or the thief’s own address, where the new credit card or statement will be sent. I’m amazed that a lender or credit card company can be careless enough to send a new credit card to a relatively anonymous P.O. box. The lender just checks the victim’s credit and, since everything matches, no red flags pop up. The card is issued, the account is opened and the fun begins.

In the Bank of New York Mellon case, investigators found dozens of bank and credit statements in the names of the victims at the thief’s home address.

Think for a moment about your house or apartment, and how you might break in if you lost your keys. If a burglar knew what you know about where you hide and store your stuff, how much damage could he do? Insiders pose the same problem. They know the ins and outs of all systems in place, and can wreak havoc on your operation as long as they are employed, and sometimes even after they are let go.

The problems begin when we are forced to trust people with complete access in order to allow them to perform their required duties. Ultimately, this is a people problem and needs to be addressed as such.

It is human nature to trust each other. We are raised to be civil towards one another and to respect those in authoritative positions. It takes a significant amount of trust in your fellow human beings to drive down the street while cars are heading toward you, separated only by a thin painted line. Without trust, we couldn’t get out of bed in the morning.

To protect your business and your data, limit sources as much as possible. Minimize the personnel with access to essential systems. Supervise the supervisors. Even your good apples can eventually go bad, so limit access, even for those who are in a trusted position. And require checks and balances, with multiple layers of authorization. If one person is always watching over another person’s shoulder, bad apples can’t hide or execute scams. Perform due diligence. In the information age, our lives are an open book. Background checks from information brokers are crucial. Failing to do background checks increases your liability. Someone who has been previously convicted of a crime just might do it again. And if a breach of trust does occur, prosecute the guilty. Make an example that other’s won’t forget. Public hangings are a strong deterrent.

And invest in Intelius identity theft protection. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. “Disclosures”

It is human nature to trust each other. We are raised to be civil towards one another and to respect those in authoritative positions. It takes a significant amount of trust in your fellow human being to drive down the street while cars are heading toward you only separated by a thin painted line. Without trust we wouldn’t get out of bed in the morning.

Robert Siciliano identity theft speaker discussing identity theft on Fox News

Congress Breached via P2P Filesharing…AGAIN!

Robert Siciliano (Identity Theft Speaker) — Thu, 05 Nov 2009 11:01:31 -0600

Robert Siciliano Identity Theft Expert

Congress is still considering the Informed P2P User Act, a law that would supposedly make it safer to use peer-to-peer file sharing software, an effort that is similar to banning mosquitoes from sucking blood. It just isn’t happening. The only foolproof way to prevent accidental data leaks via file sharing programs is for IT administrators to lock down networks and prevent the installation of rogue software.

Congress suffered another embarrassing P2P breach last week, after a confidential memo regarding an ethics investigation into the conduct of thirty House members was leaked, thanks to file sharing software installed by a junior staff member. This follows similar leaks that occurred earlier this year, which revealed sensitive details regarding the security of the First Family. House leaders have ordered an “immediate and comprehensive assessment” of congressional cybersecurity policies. Rep. Zoe Lofgren, chairman of the ethics committee, pointed out that “individual error and sloppiness is always the Trojan horse of cybersecurity.”

Peer-to-peer file sharing allows users to access each other’s computers in order to share music, movies, software, and other files. Unfortunately, many people don’t set up their P2P programs correctly, and they unintentionally end up sharing their most important and sensitive files, including bank records, tax files, health records, and passwords. (This is the same P2P software that allows users to download pirated music, movies and software.) This can result in data breaches, credit card fraud and identity theft. I’ve seen numerous reports of government agencies, drug companies, mortgage brokers, and others discovering P2P software on their networks after sensitive data was leaked.

Savvy users lock down their file sharing software to prevent others from tooling around with their settings. If your IT abilities are scant, you should take the following precautions:

Don’t install P2P software on your computer.
If you aren’t sure whether a family member or employee has installed P2P software, check to see whether anything unfamiliar has been installed. A look at your “All Programs Menu” will show nearly every program on your computer. If you find an unfamiliar program, do an online search to see what it is.
Set administrative privileges to prevent the installation of new software without your knowledge.
If you must use P2P software, be sure that you don’t share your entire hard drive. When you install and configure the software, don’t let the P2P program select data for you.
Make sure your PC has recently updated Internet security software. P2P networks are riddled with viruses.
Get a credit freeze. Go to ConsumersUnion.org and follow the steps for your particular state. This is an absolutely necessary tool to secure your credit. In most cases, it prevents new accounts from being opened in your name.

And invest in Intelius identity theft protection. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. “Disclosures”

Robert Siciliano, identity theft speaker, discusses P2P hacks on Fox Boston.

10 Ways to Prevent Social Media Scams

Robert Siciliano (Identity Theft Speaker) — Tue, 03 Nov 2009 21:26:29 -0600

Robert Siciliano Identity Theft Expert

For the past year, I’ve been screaming about the trouble with social media as it relates to identity theft, brand hijacking, privacy issues, and the opportunity social media creates for criminals to “friend” their potential victims in order to create a false sense of trust and use that against their victims in phishing or other scams. I predicted long ago that the problem will get a lot worse before it gets better and there’s no question about it, criminal hackers have taken hold and are in full force.

We hear about a new Twitter phishing scam almost daily, whether it’s via direct messaging or a shortened URL. My spam folder is filled with emails from Facebook phishers, requesting new login credentials, or a “friend” who’s sending me a video that’s actually a virus.

Not too long ago, it was big news when someone had their Facebook account jacked by someone who impersonated the victim, claiming to have lost their wallet in the UK and begging for a money wire. Lately, I see another story about another victim every week.

Last time I checked, Facebook had more than 400 million users and Twitter has more than 50 million. These numbers jump exponentially every month, and old and new users are still being victimized.

James Carnall, manager of the cyberintelligence division at security monitoring firm Cyveillance, says, “Social media cybersquatting is where domain name cybersquatting was ten years ago”.

Scammers aren’t just stealing identities and spreading malware. They are brand jacking in ways that are hurting companies’ bottom lines. While many may not have sympathy for the bottoms lines of billion dollar corporations, this hurts the little guy, too. Knock off software, hardware, merchandise, and movies ultimately cost legitimate taxpayers jobs and hurt the economy when the money is heading to criminal hackers elsewhere in the world. Liz Miller, vice president of the Chief Marketing Officer Council, says, “Counterfeiting operations are highly organized, are very global and are picking up steam because of the economy.”

MarkMonitor, a company that tracks online threats for its clients, determined that phishing attacks on social networking sites increased by 164% over the past year. And in a CMO Council survey of 4,500 senior marketing executives, nearly 20% of the respondents said they had been affected by online scams and phishing schemes that had hijacked brand names. These statistics undeniably point to organized crime syndicates.

Protect yourself from social media identity theft.

Register your full name and those of your spouse and kids on the most trafficked social media sites, blogs, domains or web based email accounts. If your name is already gone, include your middle initial, a period or a hyphen. It’s up to you to decide whether or not to plug in your picture and basic bio, but consider leaving out your age or birthday. You can do this manually or by using a very cost effective service called Knowem.com.
Register all your officers, company names and branded products on every social media site you can find to prevent Twitter squatting and cybersquatting.
Get free alerts. Set up Google alerts for your name and get an email every time your name pops up online. Set up a free StepRep account for your name. StepRep is an online reputation manager that does a better job than Google does of fetching your name on the web.
Implement policies. Social media is a great platform for connecting with existing and potential clients. However, without some type of policy in place that regulates employee access and guidelines for appropriate behavior, social media may eventually be completely banned from every corporate network. Teach effective use by provide training on proper use and especially what not do to.
Encourage URL decoding. Before clicking on shortened URLs, find out where they lead by pasting them into a URL lengthening service like TinyURL Decoder or Untiny.
Limit social networks. In my own research, I’ve found 300-400 operable social networks serving numerous uses from music to movies, from friending to fornicating. Some are more or less appropriate and others even less secure. Knowem has a mind blowing list of 4600 as of this writing.
Train IT personnel. Effective policies begin from the top down. Those responsible for managing technology need to be fully up to speed.
Maintain updated security. Whether hardware or software, anti-virus or critical security patches, make sure you are up to date.
Lock down settings. Most social networks have privacy settings that need to be administered to the highest level. Default settings generally leave the networks wide open for attack.
Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk. “Disclosures”

Robert Siciliano Identity Theft Speaker with ID Analytics discussing Social Media Identity Theft on Fox Boston

Once a Predator Always a Predator

Robert Siciliano (Identity Theft Speaker) — Mon, 02 Nov 2009 23:00:50 -0600

Robert Siciliano Personal Security Expert

A necessary diversion from my daily IT security/Identity theft rants.

So what happens when a convicted rapist lures a 21-year-old woman to his bedroom in 1989, then spends 15 years in jail and then gets a free pass in 2005? He does it again. Why? Because that’s normal. It’s not OK, but it’s normal. Its his nature. A psychologist said to me years ago, “You would be amazed at how many levels of normal there are”.

Officers went to this 50 year old guys home to arrest him for assault and rape and emanating from his home was a bad smell. The smell turned out to be 6 dead women. The decomposed bodies were discovered buried in the basement all the way up to the 3^rd floor. The coroner estimates some could be 3-4 years old, which would coincide with his release from prison.

A 43 year old female neighbor has been missing for 6 months. Neighbors are concerned she is one of the 6.

As a convicted sex offender, he was required to report regularly to the sheriff’s office, which said he had complied. This is an obvious false sense of security that all municipalities employ. The system certainly has its flaws. People lose faith in the system and don’t trust their officials to effectively do their jobs.

Law enforcement officers sometimes bear the brunt of the blame, but often undeservingly. They are on the front lines and have the miserable task of dealing with the absolute lowest life forms on the planet. The cop catches the bad guy then he gets off because of some technicality. Judges often make errors but ultimately have a responsibility to work within the law. While common sense would say the guy should be castrated, we can’t do that in a civilized society.

This predator did his time. 15 years is no small stint. But his first victim is still and will always be a victim. She got life. Hopefully she healed to a degree that she could live a balanced life. The rest of his victims got a death sentence.

The question always arises as to whether or not a sex offender can be rehabilitated. I’m sure there is a handful of level ones and level 2s that can be. But once a predator always a predator. It’s their nature. It’s their normal.

With 500,000 registered sex offenders in the US and thousands more unaccounted for and even more who’ve never been caught, know that this can happen to you or your daughter. Know how to fight. Know how to defend yourself from a predator. Understand all the vulnerable points of the human body and what parts of your body can be used as weapons. Go for the eyes, nose, throat, groin, instep of foot. Know how to fight from the ground, if attacked from behind, or when a distraction is used in front.

Determine if you want to carry a weapon, but know your brain is your best defense weapon. Carry a weapon if you are properly trained and not a day before. Years ago my childhood hero was this Chicago cop named JJ Bittenbinder. He would say “If all else fails, let them kiss you, then bite down on their lips until your teeth meet.

Nice.

There are a bunch of free sites you can go to that will let you know the current living situations and general whereabouts for registered sex offenders in your town. Take advantage of every opportunity you can to learn where the bad guy is. Intelius offers “Neighborhood Check” which is a service that keeps you alert to new sex offenders moving in and their addresses. Complacency can result is bad things happening. Be vigilant, alert, and aware and know your options.

Robert Siciliano “Disclosures” Personal Security Expert discussing how to survive and attack on Fox Boston

Identity Theft Myths Part 3of3 During PYIW

Robert Siciliano (Identity Theft Speaker) — Sun, 25 Oct 2009 17:29:53 -0500

Identity Theft Expert Robert Siciliano

The National Foundation for Credit Counselors, which sponsors Protect Your Identity Week, has compiled a number of identity theft myths. To support their efforts, the Santa Fe Group Vendor Council Awareness and Education Subcommittee has helped to clarify some common misinformation with regards to this increasingly common crime. We’ve already discussed a few of these myths.

• I don’t use the Internet, so my personal information is not exposed online. Your personal information is in more places than you think, whether it’s your medical records, a job application, or a school emergency contact form. Many of these records are kept in electronic databases and transmitted online. Social networking sites are another good source of personal information for identity thieves. Even if you do not use them yourself, your friends or members of your family may be sharing personal information about you. Not using the Internet may offer some protection, but it won’t keep you safe from online criminals.
o Data Breach list home page -
http://www.idtheftcenter.org/artman2/publish/lib_survey/ITRC_2008_Breach_List.shtml
o http://www.getsafeonline.org/nqcontent.cfm?a_id=1459
o http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identitytheft.html
• Social networking is safe. Social networking sites like Facebook, MySpace, andTwitter can be fun to use. But they can be dangerous when it comes to your identity. These sites are used by thieves and others to steal information, trick people and promote a variety of scams. To protect yourself, avoid making personal information available to large groups of “friends,” take advantage of the privacy controls offered by most of these sites, and use common sense.
o http://www.getsafeonline.org/nqcontent.cfm?a_id=1459
o http://www.huffingtonpost.com/robert-siciliano/identity-theft-commitedu_b_243305.html
o http://www.ftc.gov/bcp/menus/consumer/tech.shtm
• It is not safe to shop or bank online. Like social networking, shopping andbanking online are safe as long as you use common sense and make good
choices about where and how you do it. Most importantly, always take care to confirm a site is legitimate before you use it, watch out for copycat sites, and keep your computer safe from viruses.
o http://www.getsafeonline.org/nqcontent.cfm?a_id=1121
o http://www.fdic.gov/BANK/INDIVIDUAL/ONLINE/SAFE.html

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano “Disclosures” Identity Theft Speaker discussing hacked email on Fox News

Identity Theft Myths Part 2of3 During PYIW

Robert Siciliano (Identity Theft Speaker) — Wed, 21 Oct 2009 22:48:22 -0500

Identity Theft Expert Robert Siciliano

Myth #5: Checking your credit report periodically or using a credit monitoring service is all you need to do to protect yourself from identity theft.

There are many useful and effective credit monitoring services available. However, no monitoring service is 100% effective, and many do little to protect your identity. If you want to be vigilant about identity theft, you should check your credit report periodically, but you should also keep accurate financial records, review your bank and credit card statements frequently for unauthorized charges, and follow the FTC’s tips for minimizing your risk.

You can obtain one free credit report per year from each of the three credit bureaus from AnnualCreditReport.com. Many consumer groups suggest that you stagger your free reports throughout the year, rather than ordering all three at once.

The FTC offers facts for consumers regarding identity theft protection services, which take additional steps beyond the level of protection offered by credit monitoring services.

The FDIC offers tips for safe Internet banking.

Myth #6: My personal contact information (mailing address, telephone number, email address, etc.) is not valuable to an identity thief.

Any information that could be used by a thief to impersonate you should be protected. For example, many people use their email address as a user ID for online accounts. Consider making your information available on a need-to-know basis only. Often, businesses ask for personal information they really don’t need, and will simply omit information you’re not willing to give.

The U.S. Department of Justice answers the question, “What should I do to avoid becoming a victim of identity theft?”

Myth #7: Shredding my mail and other personal documents will keep me safe.

Shredding documents that contain personal information before you throw them away is a great way to protect yourself from “dumpster diving,” which occurs when thieves search the trash for personal information. But relying on your shredder alone to protect you is like locking one window while leaving the rest of your house wide open. Think defensively: secure your personal information in your home, your car, and at work, and always use safe online security practices.

Get Safe Online offers tips on safe social networking.

The FTC answers the question, “How do thieves steal an identity?”

Robert Siciliano, identity theft speaker, discusses data theft on Fox News.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano “Disclosures” Identity Theft Speaker discussing data theft on Fox News

Identity Theft Myths Part 1of3 During PYIW

Robert Siciliano (Identity Theft Speaker) — Tue, 20 Oct 2009 21:56:45 -0500

Identity Theft Expert Robert Siciliano

During National Protect Your Identity Week we will be taking a fundamental approach to the issues. In the next 3 posts we’ll look at myths, compiled by the National Foundation for Credit Counselors (NFCC) who is sponsoring a “Protect Your Identity Week” October 17 – 24. To help support their efforts, The Santa Fe Group Vendor Council Awareness and Education Subcommittee helped create these tips.

Identity theft is preventable. Like any other kind of crime, there’s always a risk of becoming a victim of identity crime. But there are many things people can do to minimize that risk both online and offline, like keeping financial records protected and private, shredding junk mail, and tracking who sees your personal information.
o http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/deter.html
o http://www.onguardonline.gov/topics/computer-security.aspx

• Identity theft is only a financial crime. While financial identity theft (theft of information for financial gain) is better known, other types of identity theft can be equally dangerous, potentially costly and time-consuming to resolve. For example, with medical identity theft, personal medical records are used to access medical treatment or drugs, or to make false insurance claims. With criminal identity theft, a person uses faulty or stolen identification to avoid prosecution by law enforcement.
o MEDICAL IDENTITY THEFT:
http://www.worldprivacyforum.org/pdf/wpf_medicalidtheft2006.pdf
o CRIMINAL IDENTITY THEFT:
o http://www.privacyrights.org/fs/fs17g-CrimIdTheft.htm
o EMPLOYMENT FRAUD:
http://www.idtheftcenter.org/artman2/publish/v_art_solutions/Solution_27_-_Someone_Working_as_You.shtml

• It’s my bank’s fault I became a victim of identity theft. Some identity crime does originate with the theft of bank records or is perpetuated by lax security practices. However, the majority of identity theft begins elsewhere. Personal information may be stolen with low-tech tools like a lost or stolen wallet, checkbook, or debit/credit card, or more high-tech methods, like skimming, phishing, and hacking.
o http://www.onguardonline.gov/topics/computer-security.aspx
o http://www.ftc.gov/bcp/edu/microsites/idtheft/consumers/about-identitytheft.html#whatdothievesdowithastolenidentity

• It is safe to give your personal information over the phone to a bank if the caller ID shows that it is your bank. It is never safe to give personal information to unsolicited callers, no matter who they say they are. Caller IDs are easily spoofed. If you believe the caller is legitimate, hang up and call the bank back at its listed phone number.
o http://www.ncpc.org/programs/catalyst-newsletter/catalyst-newsletter-
2009/volume-30-number-1/vishing-a-new-twist-on-identity-theft-threatensconsumers
o http://www.onguardonline.gov/topics/computer-security.aspx

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano “Disclosures” Identity Theft Speaker discussing Social Media Identity Theft on Fox Boston

Sphere: Related Content

Filed under: Criminal Hackers, Data Breaches, Identity Theft, identity theft expert, identity theft prevention, identity theft protection, identity theft speaker, intelius

12 Awful Reasons Why Impostors Commit Social Media Identity Theft

Robert Siciliano (Identity Theft Speaker) — Mon, 19 Oct 2009 21:35:35 -0500

Identity Theft Expert Robert Siciliano

Imagine if someone used your name and image, or the name and logo of a business you own, to create a profile on Facebook, Twitter, or any other social networking website. Then they start posting blogs and sending out links while pretending to be you. They may contact your acquaintances, colleagues, or clients, or they may simply show up when others search for your name. Either way, their intentions are fraudulent. Establishing an online presence using someone else’s identity creates unlimited opportunities for a scammer.

Traditional phishing, in which scammers send a fake email that appears to come from a trusted entity, is no longer as successful as it used to be. So identity thieves are taking advantage of social networking sites to build a home base. Once established, they seem as legitimate as any other user. There are few, if any, checks and balances to prevent this.

Social media identity theft occurs for a number of reasons:

An impersonator may be attempting to steal your clients or potential clients.
He or she could be squatting on your name or brand, hoping to profit by selling it back to you or preventing you from using it.
They could be criminal hackers posting infected links that, if clicked on, will infect the victim’s PC or network with a virus that gives hackers backdoor access.
An impersonator may intentionally pose as you, and even blog as you, in order to damage your name or brand. Anything they say to the world that is libelous, defamatory, or just plain wrong hurts your reputation and can even make you the target of a lawsuit.
He or she may be using your identity to harass someone you nkow.
The impersonator may wish to harass you, perhaps as revenge over a percieved slight or because you sold them a defective product or service.
They may wish to use a name or brand that has leverage, such as a celebrity or Fortune 500 company, as a form of social engineering, to obtain priveledged access.
If you or your business sell products or services, identity thieves might pose as you and offer deals with links to spoofed websites, in order to extract credit cards numbers.
They may pose as a government entity for the purpose of extracting data and committing new account fraud.
An impostor may be obsessed with you or your brand, and simply want to be associated with you. Posing as you could yield attention and satisfaction.
They could be parodying you or your brand, by creating a tongue in cheek website that might be funny and obvious, but will most likely not be funny to you.
They could be posing as you to elicit contact from others for the purposes of a relationship, sexual or otherwise, either in person or virtually. A young man was recently caught posing as an attractive girl in his school. He contacted guys in his class through a fake Facebook account and requested naked photos of them. When he revealed who he was, he used the incriminating photos to extort sex from them.

Social media is just a baby. All of the above stems from real world examples over the past few years. Unfortunately, this list is going to keep growing. Varieties of fraud that can occur via social media are only up to the imagination of the thief. Submit your own findings. Let’s hear what other whacked out social media identity thieves are doing.

To prevent social media identity theft, register all your officers, company names and branded products on every social media site you can find to prevent Twitter squatting and cybersquatting. You can do this manually or by using a very cost effective service called Knowem.com.

Invest in Intelius identity theft protection and prevention. Not all forms of identity theft protection can be prevented, but identity theft protection services can dramatically reduce your risk.

Robert Siciliano “Disclosures” Identity Theft Speaker with ID Analytics discussing Social Media Identity Theft on Fox Boston

Sphere: Related Content

Filed under: Criminal Hackers, Identity Theft, Social Security Numbers, identity theft expert, identity theft prevention, identity theft protection, identity theft speaker, intelius, social media identity theft