
Favorite Articles for the Week of April 14th

April 18, 2014

Jenna here. This week, a security flaw known as ‘Heartbleed’ made headlines and sent shockwaves through the business community. In case you missed any key information, we wanted to share some articles we found to be especially informative from the past week.

Here’s How to Protect Yourself From the Massive Security Flaw That’s Taken Over the Internet, Business Insider

‘Heartbleed’ Hackers Hit Two Websites, ABC News

Heartbleed Roundup: Hacking Made Easy, First Victims Come to Light and Heartbleed Hacker Arrested, Forbes

For more information, you can also visit the Heartbleed website:


Surprising Tradeoff: Free Speech and Cyber Bullying

Jackie here. The digital age is certainly changing the way we communicate. This affects everyone: employers, employees, and even students. I recently read an interesting article from The Atlantic with some thought-provoking points about student privacy. Take a read and see what you think.

Article Highlights

The article discusses the blurred line between protecting students and staff from hurtful online comments and maintaining freedom of speech. Schools have a unique obligation to ensure that students feel comfortable at school while simultaneously protecting their constitutional rights. Cyber bullying is a real problem which has caused many schools to enact strong social media policies, including some that prohibit saying anything negative about a school. Many news stories have highlighted instances where students have taken online comments and bullying too far, highlighting the need for some protections from this harmful behavior. However, there are times in which students need to be able to speak out about bad conditions in their schools to enact positive change and create a better learning environment. This highlights a delicate balance for school administrators as they try to protect students and staff from hurtful comments without outlawing the ability for them to speak out against wrongdoing.

Some worry that the schools are overstepping their bounds, using social media policies to control students’ speech both in and out of school. Others argue that the policies are needed to protect both students and teachers from online bullying. As is often the case, even the best-intentioned policies can be taken too far, penalizing students for saying things that are meant to call attention to serious issues.

It is important that we each take some time to think about important issues like privacy, communication, and freedom of speech in the digital age. How can we best protect our students and our families while still upholding their constitutional right to free speech? Share your thoughts and opinions with us!


Financial Services and Retail Band Together to Fight Fraud

April 17, 2014

Robert Siciliano, Identity Theft Expert

Finally, retailers and banks have agreed to work together to fight data breach incidents, forgoing the finger-pointing over who’s responsible for prevention and recovery.

This means both entities will work to improve technology that will protect consumers. Historically, the squabbling consisted of retailers accusing banks of being lethargic at adopting updated, more secure debit card technology; and banks insisting that retailers soak up more of the costs for card replacement following breaches.

However, despite the move forward of joining forces, banks and retailers will surely continue having differences. For example, the cost of getting replacement cards is “not something that the two industries are likely to agree upon,” said Tim Pawlenty to Reuters; he’s chief executive of the Financial Services Roundtable.

So how did both parties decide to join forces? Pawlenty was contacted by Sandy Kennedy, the head of the retail leaders group.

This partnership will develop improved communication so that retailers can have a formal program regarding cyber threats. “We both viewed this as an opportunity to collaborate rather than to wage a public battle,” says Brian Dodge of the retail leaders group.

In addition to card-related breaches, the partnership will also focus on smartphone security. Use of mobiles to make payments has stunted progress between retailers and banks.

In fact, MasterCard Inc. and Visa Inc. have named a 2015 deadline to implement “chip and PIN” cards to replace the magnetic-stripe cards that are so vulnerable to hacking.

Unfortunately, this switch is pricey, and both retailers and banks are not willing to be the first to take that dive off the high board. Especially since more and more people are using mobiles to make payments.

However, security for mobile users could reinforce the retail-bank partnership, says David Robertson, publisher of The Nilson Report. “We need to make sure that mobile becomes a secure way of doing business,” he says.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.


Top 9 Things to Avoid Online

April 15, 2014

Jackie here. Do you click on pop-ups or sign up for free trial offers online? These two behaviors, along with many others, may increase your risk of ID theft and online fraud. In a report published by AARP called Caught in the Scammers Net, several activities were shown to increase your risk of being an identity theft victim. How do your browsing habits stack up? Check out this list of the top 10 things NOT to do online. Avoiding these potentially dangerous behaviors could help keep you and your family safer.

  • Clicking on Pop Ups- You see an interesting pop up, what should you do? Don’t click on it! Clicking on pop ups is a risky online behavior. Instead, close the pop up immediately and access websites by visiting them directly. You can even install or enable a pop up blocker on your web browser to eliminate the temptation to click. Not all pop-ups are harmful, but it’s often better to be safe than sorry.
  • Selling Products on eBay- While there are a lot of great opportunities for buying and selling products on auction sites like eBay, there is also some risk. The AARP study found that selling items on auction sites increased your risk of fraud. If you do choose to sell, be careful and be on the lookout for fraud—check your credit reports and bank statements carefully.
  • Opening Emails from Unknown Senders- Do you open emails from people you don’t know? This can be a risky behavior, especially if you follow links or open attachments. When opening an unknown email can’t be avoided, use caution and never share personal information with the sender.
  • Downloading Apps- I love a good app just as much as the next person, but each time I download a new one, I carefully review it. Choose apps only from a reputable marketplace and carefully analyze user reviews before downloading. If you want a great app that will actually help you protect your identity, check out the AllClear ID app.
  • Visiting a Website that Requires You to Read a Privacy Policy or a Terms of Agreement Statement- You might not think that a privacy policy could increase your ID theft risk, but the study authors certainly do. They found that both required consent to privacy policies and terms of agreement were risk factors for being a victim of fraud. This doesn’t necessarily mean you shouldn’t visit these sites, but you should be aware that this is a potential problem behavior. To be fair, one reason for this is the fact that websites requiring privacy policies and agreements to terms of use are sites that collect personal information that can sometimes become compromised.
  • Being Impulsive- Do you click before you think? Take time to analyze before you do things online. Many scams can be avoided with a little caution.
  • Signing Up for Free Trial Offers- We all love getting things for free, but is the freebie worth sacrificing your identity for? Be cautious of limited time free trial offers.
  • Purchasing Through a Payment Transfer Website- When it comes to spending money, be very cautious online. Avoid sites that ask you to transfer money to a third party or to an unknown recipient.
  • Believing Everything You See- If you regularly read our blog, you probably know that banks won’t send emails asking for personal information. Just because you receive an email, doesn’t mean it is true. Likewise, don’t believe that a privacy policy means you’re safe from having your personal information shared with other companies.

While you can’t avoid every item on this list, reducing the number of risky behaviors can help you stay safe from online fraud. The study authors found that of 15 risky behaviors, nearly 1 in 5 American respondents had engaged in at least 7. More than half of the respondents (65%) had received at least 1 online scam offer during 2013.

Check out the full study report here.


Data Security Legislation is Inevitable

Robert Siciliano, Identity Theft Expert

A law(s) for data breaching is around the corner. And the time is right, what with the scads of data breaches involving major retailers lately. Details of customers’ addresses, phone numbers, credit cards and other sensitive information have ended up in the hands of hackers. We’re talking many tens of millions of affected consumers.

Despite this mushrooming problem, no consensus has yet arrived regarding just what role the government should assume to protect people’s data. But a common thread to the many ideas is customer notification once a data breach occurs. Though 46 states do have notification laws, retailers gripe that this makes them spend precious time complying with these laws instead of fighting data infiltrations and repairing the fallout.

“We’ve long said that action is needed and hopefully we can see passage of data breach notification legislation this year,” says Brian Dodge, a senior vice president at the Retail Industry Leaders Association.

Recently the Data Security Act was introduced. It would require companies and banks to have privacy protections and investigate breaches, plus alert customers about big risks of theft or fraud. Banks have complained about the costs of responding to data breaches and have insisted that retailers take more action to the fallout. The DSA could take some of this burden off banks.

“We think it’s important that essentially everybody up their game,” says Kenneth Clayton, an executive VP and chief counsel at the American Bankers Association. This needs to occur whether through law or industry action, Clayton adds.

The FTC may even get involved. But how much should the government get involved, though? “The idea that the government would do a better job than private industry is a horrible idea,” says John Kindervag, a principal analyst at Forrester Research, an advisory firm.

However, a 2014 priority for the FTC is to protect sensitive health and financial information. “The FTC has long been concerned that this type of sensitive data warrants special protections,” says Jessica Rich, head of the FTC’s consumer protection bureau. She adds that the FTC strongly supports the possibility of new laws that would protect consumers.


Goodbye to 2014 Tax Season

April 14, 2014

Jackie here. Have you filed your taxes yet? As tax season comes to a close we wanted to share one last post with some tax identity theft tips. We are all at risk for this ever-growing problem; being aware and remaining educated is one of the best ways to protect ourselves from tax ID theft and fraud.

Finding Out You Have a Problem

How do you know if you’ve fallen victim to tax ID theft? Most people discover the problem when they go to file their taxes. You may be unable to file since a return has already been submitted with your name and SSN. Other people receive a notice that they underreported their income after they have filed (this often happens when someone is using your SSN to work illegally).

If you do discover a problem, don’t despair; there are things you can do. In January Jenna shared her story of tax ID theft which can give you a good starting point for resolving your own problem. Here are some other tips to try:

  • File a police report- A police report is often the first step in resolving ID theft. While your local police probably won’t be able to do much in fixing your problem, the police report is a valuable tool you can use to prove that you are a victim when talking to credit bureaus and other agencies.
  • Review your credit- If someone uses your SSN to file taxes, they might use it for other things too. Check your credit reports carefully and look for signs of fraud. You may want to initiate a credit freeze and put fraud alerts on your credit reports as well.

While there is extra attention focused on tax identity theft during tax season, many of the things you should do to protect yourself are ongoing practices that happen all year long. Make sure you regularly check your credit report, and keep an eye on your bank statements for anything suspicious. Remember, even small amounts can indicate trouble. In addition, be cautious when clicking on links and don’t share information that isn’t absolutely necessary.

Here’s a great article about tax ID theft from ABC News.


Medical Debt and Your Credit Score

Ben here, AllClear ID Investigator. I am going to step away from ID theft and fraud and touch on a hot issue that is relevant to many of our readers. A lot of myths about medical debt on your credit file are out there, circulated by local experts who swear they heard from someone that medical debt will not hurt you. This thought, however, is a myth and the damage from medical debt is very real. It affects the majority of our population and can often come from a clerical error that could be fixed if caught in time. It is important to know your rights with collections agencies and what bills are being passed that could change how our medical billing and collection system is run.

Any collection item including medical debt can lower the FICO score by as much as 100 points. The good news though is that the FICO credit score now ignores collection items less than $100. The hard truth here is that once a medical bill is turned over to collections there is no difference between medical and other collection accounts. FICO does not distinguish between medical and non-medical debt and sometimes a single collection on a “prime” score can drop it by 105 to 125 points resulting in an “off-prime” or “subprime” score.

What to Watch For

It is important to make sure the billing and insurance for your medical claims is completed properly. Mistakes are often made when someone gets overcharged or the insurance company fails to pay for a covered expense. Also, failure to receive a bill does not prevent the debt going to collections. Bills can be sent to the wrong address, or even sent after the debt already went to collections, causing damage before you even see the bill. If you have a debt you feel is a mistake, dispute it with the medical company and your insurance provider if they were supposed to take care of it.

You do have rights when it comes to the collections process under the Fair Debt Collection Practices Act or FDCPA, enforced by the Federal Trade Commission. A debt collector may not contact you before 8 in the morning or after 9 at night unless you have previously agreed to it. If you inform a collections group over the phone or in writing that you do not wish to be contacted at work, they must adhere to your request. You can submit a letter in writing to cease communication from a collector and at that time they would only be able to communicate to inform you of an action such as if they are filing a lawsuit or informing you they will no longer attempt to communicate with you. You should note this does not mean you no longer owe the debt and the debt collector can sue you to collect.

Even if you pay a bill in full, medical or non-medical, if it is reported as a debt in error, it will remain on your credit report for seven years. During this time, even when paid, the damage is still reflected on your score. Newer systems will ignore collections accounts lower than $250; however, most mortgage lenders use an older FICO model when evaluating applications.


Favorite Articles for the Week of April 7th

April 11, 2014

Jenna here. This week produced a lot of cyber security and identity theft news. Here are a few of our favorite articles (and a video) from this week.

The Truth About Using Debit vs. Credit, USA Money


Why U.S. Retailers Are Still Vulnerable to Card Fraud, Bloomberg Businessweek


Don’t Open that RTF File!

April 10, 2014

Jackie here. Before you open that RTF attachment, stop and think! Microsoft recently issued a warning about RTF files, encouraging all users to avoid opening them. Apparently hackers have found a way to utilize this file type to gain control of your computer. Play it safe and avoid all RTF (Rich Text Format) files until the problem is resolved. This file extension is commonly used in Microsoft Word, but other formats like .doc or .docx are available and are still safe to use.

The Better Business Bureau shared the warning in a post on their blog. The compromised files are “booby trapped” which can mean big destruction should the file be opened. These files have the potential to gain control of your computer, leading to the potential for ID theft.

Until a security fix is available Microsoft recommends disabling the opening of all RTF files. This way you won’t forget and accidentally open a file, or compromise your computer when a user that doesn’t know about the problem opens a file. You can do so easily from Microsoft’s site using a special tool created just for the problem. Midway down the page you’ll see a button labeled “Enable this fix it”. Click and follow the on-screen instructions. You can disable the fix once the problem is resolved using the same process and the “Disable this fix it” link.


Cyber Insurance vs. General Liability

Robert Siciliano, Identity Theft Expert

One of the biggest data breaches of all time involved Sony Corp. The hackers stole confidential information from tens of millions of Sony PlayStation Network users. Despite this humongous breach, something surprising happened: New York Supreme Court Justice Jeffrey Oing ruled that Mitsui Sumitomo Insurance Co. and Zurich American Insurance Co. owed NO defense coverage to Sony Corp. or Sony Computer Entertainment America LLC.

And why? Oing said that the coverage can’t be triggered through a third-party action: that by the hackers.

It seems, then, in order to get coverage, Sony itself would have to do the hacking. “They’re being held liable even though the wrongdoing was done by a third party,” explains Robin Cohen to Law360. Cohen heads a law firm that handles insurance recovery.

To determine coverage obligations, Zurich filed a lawsuit against Sony, which had to shut down its PlayStation Network for a month.

Oing’s ruling will likely motivate companies to obtain policies that specifically insure against data breach claims. However, many companies believe that such specific insurance is already built into their current general liability policy.

Insurers all across the nation are wanting to put language in their policies that exclude coverage of losses stemming from data breaches, which include loss of credit card information. However, courts have the final say-so in just how far these exclusions can go.

Companies need to seriously consider cyber insurance policies that specialize in coverage of data breach losses.

K&L Gates LLP partner Roberta Anderson told Law360, “Irrespective of whether the Sony trial court’s view is widely adopted, it’s ill-advised for policyholders to rely on general liability policies for data breaches.”

It’s expected that Sony, which has strong arguments for their appeal according to policyholder attorneys, will challenge Oing’s decision.



Gmail’s Recent Privacy Change: How Will It Impact You?

April 9, 2014

Jackie here. Do you use Gmail? Not a day goes by that I don’t receive or send at least one email from a Gmail account. As I’m certain that the same applies to many of you, I thought I would share this interesting privacy update regarding Gmail accounts. Recent changes to the way Gmail opens email messages may mean you’re sharing extra information with some senders.

Until recently, Gmail didn’t automatically open image files. Now many embedded images are allowed to automatically display. While the change is more convenient for many email users, it provides an opportunity for senders to gather information about those receiving the email. Certain embedded images may contain HTML markup language, which requires contact with the sender’s servers for the email to display. When the email is opened, this contact may provide information about which emails you open and when.

Capturing information about opened embedded images is a complex process, so the change won’t likely impact the emails you receive from friends and family, but large companies that send out regular email blasts may employ the process to gather information about consumers and further monitor their marketing efforts. According to an article on Wired, MailChimp, a company that specializes in bulk emailing, plans to use the change to better track email campaigns and to more accurately determine the number of emails that are opened.
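To see which images in a message would cause that contact with the sender's servers, here is an added example (not from the original post) that lists every remotely hosted image in an HTML email and flags the ones that look like open-tracking beacons. The sample message, its `.example` hosts and the flagging heuristic (a 1x1 image or a URL carrying query parameters) are assumptions made for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample message; hosts use the reserved .example domain.
SAMPLE_EMAIL = """\
From: News <news@shop.example>
To: reader@mail.example
Subject: Spring sale
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<img src="cid:logo123" alt="logo">
<img src="https://cdn.shop.example/banner.png" width="600" height="200">
<img src="https://track.shop.example/open.gif?campaign=spring&amp;rcpt=8f3a91c2"
     width="1" height="1">
<p>Sale ends Friday.</p>
</body></html>
"""


class ImgCollector(HTMLParser):
    """Collects the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append({name: (value or "") for name, value in attrs})


def html_bodies(msg):
    """Yield the decoded text of each text/html part of the message."""
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            raw = part.get_payload(decode=True)
            charset = part.get_content_charset() or "utf-8"
            yield raw.decode(charset, errors="replace")


def remote_images(raw_email):
    """Return one finding per image that must be fetched from a server."""
    findings = []
    for html in html_bodies(message_from_string(raw_email)):
        collector = ImgCollector()
        collector.feed(html)
        for attrs in collector.images:
            src = attrs.get("src", "")
            parts = urlsplit(src)
            if parts.scheme not in ("http", "https"):
                continue  # cid: and data: images travel inside the message
            tiny = (attrs.get("width") in ("0", "1")
                    and attrs.get("height") in ("0", "1"))
            params = sorted(parse_qs(parts.query))
            findings.append({
                "host": parts.hostname,
                "url": src,
                "tiny": tiny,
                "params": params,
                # Heuristic (assumption): invisible size or per-message
                # parameters suggest the image exists to record the open.
                "likely_beacon": tiny or bool(params),
            })
    return findings


if __name__ == "__main__":
    for f in remote_images(SAMPLE_EMAIL):
        label = "BEACON?" if f["likely_beacon"] else "image  "
        print(label, f["host"], f["params"])
```
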

What do you think of this recent privacy change?


Is it Safe to Visit Shortened URLs?

April 8, 2014

Jackie here. If you’re on social media, odds are you’ve seen a shortened URL or two (or twenty… they are everywhere). These services take a long link and shave it down to just a few characters paired with the shortening URL. Are shortened URLs safe or should you think before you click?

How Shortened URLs Work

Shortened URLs act as a portal of sorts, capturing the location of a link and redirecting visitors to the intended site. Much of the time a long URL isn’t a problem, but on social media sites (especially ones like Twitter that limit characters), shorter makes it easier to share. Do you want to use three lines of text sharing a long URL?

Many legitimate businesses, celebrities, and others use shortened URLs. But, you should be aware that scammers do too. They can camouflage malicious websites this way, tricking people into clicking on links they shouldn’t. Some will use this technique to direct you to sites that install malware, phish for information, and increase your ID theft risk. With a shortened URL you don’t know where you’re headed until it is too late.

What Can You Do?

While some people may choose to avoid shortened URLs altogether, this approach may keep you from a lot of great content. For example, we regularly share shortened URLs from the AllClear ID Twitter page; skip them and you might miss out on some great information about avoiding ID theft. Short URLs aren’t bad in and of themselves; you just need to use a little extra caution.

Here are some tips for keeping yourself safe when using shortened URLs:

  • Source Matters- Before you click on a shortened URL, consider the source. Is it shared by a company or person you trust? Bear in mind that scammers may create fake websites or profiles (or hack legitimate ones) to share their malicious links. Before you click, ask yourself, “Do you trust the source?”
  • Use a URL Expander- Shortened URLs leave you in the dark about the website you’re trying to visit; a URL expander turns on the lights. and are two of several sites that show you the full URL for a shortened one. Some of these sites will even check the link for malware before you click. You may also be able to install a browser plug-in that checks short URLs without having to visit another site.
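
How a URL expander can reveal the destination without visiting it, as an added example (not from the original post): it asks only the shortening service where the link points, reads the redirect's `Location` header, and stops before contacting the destination site. The stub shortener on 127.0.0.1, its link table, the `landing.example` destination and the `shortener_hosts` parameter are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urljoin, urlsplit

REDIRECT_CODES = (301, 302, 303, 307, 308)


def expand(short_url, shortener_hosts, max_hops=5):
    """Return the redirect chain for short_url.

    Only hosts listed in shortener_hosts are ever contacted, and only with
    HEAD requests, so the destination page itself is never loaded.
    """
    chain = [short_url]
    url = short_url
    for _ in range(max_hops):
        parts = urlsplit(url)
        if parts.scheme not in ("http", "https"):
            break
        if parts.netloc.lower() not in shortener_hosts:
            break  # reached the real destination: report it, do not visit it
        conn_cls = (http.client.HTTPSConnection if parts.scheme == "https"
                    else http.client.HTTPConnection)
        conn = conn_cls(parts.netloc, timeout=5)
        try:
            path = parts.path or "/"
            if parts.query:
                path += "?" + parts.query
            conn.request("HEAD", path)
            resp = conn.getresponse()
            status, location = resp.status, resp.getheader("Location")
        finally:
            conn.close()
        if status not in REDIRECT_CODES or not location:
            break
        url = urljoin(url, location)  # Location may be relative
        chain.append(url)
    return chain


class StubShortener(BaseHTTPRequestHandler):
    """Constructed stand-in for a shortening service (two chained links)."""

    LINKS = {"/a1": "/b2", "/b2": "https://landing.example/promo?id=7"}

    def do_HEAD(self):
        target = self.LINKS.get(self.path)
        if target:
            self.send_response(302)
            self.send_header("Location", target)
        else:
            self.send_response(404)
        self.end_headers()

    def log_message(self, *args):
        pass  # keep the demo quiet


def demo():
    """Start the stub shortener locally and expand one of its links."""
    server = HTTPServer(("127.0.0.1", 0), StubShortener)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        host = "127.0.0.1:%d" % server.server_port
        return expand("http://%s/a1" % host, shortener_hosts={host})
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    for hop in demo():
        print(hop)
```
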

For more information and tips see this great article from the Better Business Bureau.


Credit Card Fraud Security Bleak

Robert Siciliano, Identity Theft Expert

The U.S. is no Superpower when it comes to card payments: the card hacking headquarters of the world.

Don’t count on credit card fraud going away too soon. After all, Americans practically sleep, eat and breathe credit card use. And it’s those doggone magnetic strips on the cards that keep getting consumers, retailers, banks and the card companies in a fix. The strips make it so easy for hackers—and they know it.

It’s high time that the U.S. switch to encrypted chips in the cards—ready to be launched soon, but security experts aren’t breathing easy yet. The squabbling among banks, card companies and retailers over who’s responsible for protecting consumers isn’t helping, either.

Recently Congress demanded that the financial and retail industry leaders come up with plans for securing customer data. And they’d better act soon or consumer trust in these cards that drive the U.S. economy will take a big dive.

“This has the potential for people to question the viability of our payment system,” points out Venky Ganesan, venture capitalist with Menlo Ventures. Cards are the bread and butter of America, responsible for about 70 billion payments last year, worth $4 trillion (Nilson Report).

Only 11 percent of merchants are sufficiently compliant with the credit card security standards, says a study from Verizon Enterprise Solutions.

The magnetic strip, as innocuous as it appears to the typical consumer, stores that consumer’s personal financial information. Most other nations ditched this “antiquated” system years ago, using instead the EMV: based on chip technology, securing payment transactions.

The payments industry, however, has named 2015 as a deadline to get the chip technology going. But all things considered, that’s still a long ways off. And retailers are whining over the many billions of dollars it will take to replace point-of-sale technology.


Big Data Joins the Tax ID Theft Fight

April 4, 2014

Jackie here. We’ve talked quite a bit about the potential privacy pitfalls of Big Data, but what about the benefits? With huge catalogs of information about the activities, actions, and whereabouts of each American, data companies have a valuable resource that can be used to fight things like tax ID theft and fraud. This year several states have decided to partner with data collectors to fight fraudulent tax returns before the money is lost forever.

Tax identity theft is a big problem, and one that isn’t likely to go away any time soon. As identity thieves ramp up their efforts, the IRS and state governments have to find new techniques to battle this pervasive issue. Turning to data companies is a unique solution with the potential for very effective results.

Since these programs are state run, the methods of implementation can vary, but all share a common goal: to catch identity thieves before a fraudulent tax return is paid. One state uses a specially created algorithm to screen for potential problem returns. If a suspect tax return is found, a letter is sent to the taxpayer asking them to visit a website to verify their identity. In the first year of use, Georgia paid about $3 million for the service which saved the state $25 million.

Tax ID theft is still a problem, but hopefully ideas like this one will help state and federal governments continue in the fight against tax ID theft. For more information about this program, check out this article from KCEN TV. Learn more about tax ID theft here.


Insurance Company Fined BIG for Breach

April 3, 2014

Robert Siciliano, Identity Theft Expert

Why would an insurance company be fined for a data breach?

There was a security breach at Triple-S Salud, Inc. (TSS), which is a subsidiary of Triple-S Management GTS. The Puerto Rico Health Insurance Administration plans on imposing a $6.8 million fine on TSS.

The breach involved 13,336 of TSS’s Dual Eligible Medicare beneficiaries. The penalty includes suspending all new DEM enrollments and alerting enrollees of their right to back out.

The PRHIA says that Triple-S failed to implement all the required steps in response to the security breach.

TSS sent out a pamphlet last September that unintentionally showed the Medicare Health Insurance Claim Number of some of the recipients. This is a unique number that’s assigned by the Social Security Administration. It’s considered to be protected health information.

An investigation was carried out by TSS, and this subsidiary did report the incident to federal government agencies and Puerto Rico. TSS complied with the PRHIA’s requests for information pertaining to the DEM beneficiaries. TSS also took additional measures, one of which was that of issuing an alert of the breach through local media; all of the affected beneficiaries were notified by mail of the breach.

In the filing, Triple-S affirms that it takes the matter very seriously and is “working to prevent this type of incident from happening again.” However, it’s currently not able to assess the financial impact of the breach on TSS, nor can it estimate the sanctions’ impact.

Triple-S adds that a response is being prepared by TSS to give to the PRHIA, and that TSS has a right to make a request for an administration hearing.


IRS Releases 2013 Criminal Investigation Annual Business Report

April 1, 2014

Chris here, AllClear ID Investigator. The IRS recently released its Criminal Investigation Annual Report for fiscal year 2013. The Criminal Investigation team investigates a wide range of potential financial and tax related crimes. According to the Criminal Investigations Report, these types of crimes include money laundering, public corruption, terrorist financing, narcotics trafficking financial crimes, and identity theft.

Report Findings

The report tracks a total of 5,314 cases investigated by the Criminal Investigations team during the year. Of the 5,314 cases, 4,364 were recommended for prosecution. Almost 3,800 individuals were indicted, resulting in 3,311 convictions, a 93% conviction rate. These numbers are up across the board compared to previous years–the fiscal year 2012 saw the Criminal Investigations unit initiate 5,125 cases with 3,701 recommended for prosecution. These cases resulted in 3,390 individuals being indicted and 2,634 convictions. Of all the stats, however, the most important is the conviction rate, according to Richard Weber, Chief of Criminal Investigations: “The conviction rate is especially important because it reflects the quality of our casework, our teamwork with federal law enforcement and the U.S. Attorneys’ Offices, and represents an increase over 2011 and 2012.”

When it comes to identity theft Chief Weber maintains that it is “One of our top priorities.” In 2013 Criminal Investigations initiated 1,492 identity theft related investigations, resulting in 438 convictions. According to Chief Weber, Criminal Investigations, working in conjunction with civil tax partners, were able to catch 1.3 million fraudulent returns before they were processed and prevented $7.1 billion in false refunds.

Identity theft and tax fraud are still big problems in the U.S., but teams like IRS-Criminal Investigations are providing a much needed step in the right direction. And according to Chief Weber they only plan on getting better at detecting and preventing these criminal activities: “I am extraordinarily optimistic about the future of CI. Nothing great is ever achieved without dedication and enthusiasm, and our employees have plenty of both. We will remain the energetic, dynamic and adaptive organization that is simply the best at following the money. I am grateful for the service and dedication of all CI employees.”

If you want to read the full IRS-Criminal Investigation Report it can be found here.


Chip and PIN or Chip and Signature?

Robert Siciliano, Identity Theft Expert

OK, there’s lots going on here. Read slowly and wrap your brain around this. So which offers more security? Chip-and-PIN or chip-and-signature for your card payments? Chip-and-PIN wins. This is due to two authentication forms: the card and the PIN, which is stored in your head (or should be, anyways, rather than on some small piece of paper crinkled inside your purse).

But chip-and-signature has its virtues for all involved. One reason is that most people don’t know their credit card PIN; only something like 5-10 percent know it. If credit card payments were only via chip-and-PIN, consumers would memorize their PINs very quickly.

Another issue is that only one-fourth of U.S. POS terminals have a PIN pad. This means a lot of money spent by merchants to accommodate a chip-and-PIN-only environment with updated POS terminals.

On the other hand, this investment can pay off because, says a 2013 Fed Payments Study Summary, PIN debit transactions come with a much lower fraud loss rate than do signature transactions.

A PIN-based transaction brings unwanted issues to some merchants, e.g., car rental companies requiring preauthorization transactions prior to the final transaction amount. Car rental and lodging companies, however, prefer the signature-based transaction because it has a separate authorization and settlement process.

Other merchants, too, must make some big decisions, such as the restaurant industry: To accommodate customers who want to use their mobiles for payments at their table, restaurants will have to pay a pretty penny for terminals.

The chip-and-PIN comes with a human based flaw: If a buyer forgets their PIN, the transaction will be incomplete. The signature based transaction has the signature to complete the transaction.

All of these pros and cons must be carefully considered among consumers, merchants and the card payment industry. But what bankers and merchants seem to agree on is that the magnetic strip is getting very old and needs to be replaced by a more secure technology: the chip.


Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.


Do You Have a Backup of Your Important Files?

March 28, 2014

Jackie here. At times it feels like my entire life is on my computer. Family pictures, important work documents, financial records, favorite games, valuable software, and more fill my hard drive. I would be tempted to pay a pretty penny to keep my computer files if they were ever held ransom by a scammer. Cyber criminals are betting that many consumers feel just like me; they are using a clever new malware scam called Cryptolocker to take computers hostage. Pay up or your files are lost forever, so they say.

Cryptolocker is spread through malicious email links and “drive-by downloads” silently infecting computers and encrypting their hard drives. Once the encryption is complete the scammers demand a payment of $300 for the encryption code. If you don’t pay you’ll never see your files again. Do pay and you’re left at the scammer’s mercy; will they really send the encryption key? There is no other solution.

You don’t want to be a victim of this scam. Protect yourself by using caution when clicking on email links and by keeping your security software up to date. Another way to stay safe is to regularly back up your computer. An external hard drive works well as long as it’s disconnected from your computer when not actively in use (otherwise Cryptolocker will attempt to encrypt your backup too).

Have you backed up your files recently? What would you do if Cryptolocker were to strike your home or work computer?


3 Things You May Not Want to Share with Your Doctor

March 27, 2014

Jackie here. While you do need to tell your doctor about relevant medical conditions and your general health, some of your financial information is best kept to yourself. Oversharing at the doctor’s office can lead to identity theft. Some of these tips came from a great article shared by ABC News; check it out here if you get a chance. Do you have other businesses asking for personal information they don’t need? Much of this advice can be applied in other situations (utility companies come to mind) too. Remember if you don’t absolutely need to share it, don’t.

When filling out forms at your doctor’s office, or chatting with the front desk, do your best to avoid sharing too much. Leave portions of the form blank if you don’t feel comfortable providing the info (this applies to financial/personal information, not health-related info). Many times the office won’t even ask for the missing information. If they do ask, calmly explain your concerns and see if a reasonable compromise can be made.

Avoid Sharing Your SSN (or the SSNs for Family Members)

Years ago health insurance companies used Social Security numbers to manage policies. This practice has largely been eliminated (except with a few select health insurance carriers) and SSNs aren’t always needed. In addition you probably don’t need to provide your SSN or the SSNs for spouses or children either. The more places you share your SSN the higher your risk of ID theft. Protecting your child’s identity is especially important.

Skip the Email Address

If you need to share sensitive information with your doctor, don’t do it over email. Instead of communicating with your doctor’s office via email, ask for phone calls instead. Secure patient portals for scheduling appointments and viewing test results are generally okay.

Don’t Store Credit Card Information

If your doctor’s office (or any other company, including utilities and online stores) asks to store your credit card information, politely decline. It might be easier to have credit card information stored (it is certainly convenient), but it is much safer to enter it in yourself each time.

When asked to provide sensitive information to a doctor or business, ask yourself, “Do they really need this?” Often you can find other options that work just as well without compromising your identity or raising your risk of medical identity theft.



Health Care Information Breaches Rise

Robert Siciliano, Identity Theft Expert

Medical errors can also mean medical identity theft—accounting for 43 percent of all 2013 identity theft in the U.S., says the Identity Theft Resource Center. Medical identity theft kicks other forms of ID theft to the curb: banking, finance, government, military and education.

Fraudsters invade health data to illegally obtain prescription drugs, services or devices and to get insurance reimbursements.

Making the situation stiffer is the Affordable Care Act, as the implementation of federal and state health insurance exchanges involved malfunctioning online marketplaces. Plus, the Act promotes digitizing medical records, and you know what that means.

What about an honor system?

HIPAA—Health Insurance Portability and Accountability Act (now you know why it’s not “HIPPA”)—and the HITECH Act define what health care providers must do to protect patient privacy. Violations of these acts can net stiff fines including up to 10 years’ prison time.

However, HIPAA has exceptions, such as “public health activities” and “health oversight activities” in which confidential information is shared.  People who know that HIPAA isn’t airtight can be turned off from revealing they have an STD or a psychiatric disorder to their doctor unless absolutely necessary.

Patients must be notified by their health plan, medical institution or medical provider when it’s been determined that their health information has been breached, says HITECH law. The Department of Human Health must also be notified. The Department will reveal breaches that involve at least 500 patients.

The discovery, though, doesn’t solve the problem that has already occurred: the fallout from the leak. It’s fairly straightforward to have the right information put back in a patient’s files, but another story to get the fraudulent information taken out, due to fear of medical liability.

Take action:

The time is now to bring attention to how a business is protecting their clients’ data. The public wants to know their information is safe and the companies they hand it over to are doing everything possible to protect it.


Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.



Scam Alert: Contest Scam on Snap Chat

March 26, 2014

Jackie here. A favorite social media app of teens and young adults, Snap Chat is a great way to stay in touch. It is also a way for scammers to bait potential victims. Be aware of this scam and spread the word to friends and family that use Snap Chat so they can stay safe too.

The Scam

Snap Chat is an app where users share pictures (called snaps) that disappear once they’ve been viewed. Scammers are using the app to share photo messages. The scam messages typically congratulate the recipient for winning a contest and provide a web address to claim the prize. We all like to get something for nothing, making it very tempting to visit the site and enter personal information.

At the website the “winner” is asked to select a smartphone app for download before completing the claims process. This technique can be used to bolster an app’s popularity and to spread malware and viruses to phones.

Tips for Avoiding This Scam

Avoiding this scam is simple; don’t ever download apps outside of the official app marketplaces. Also remember that you can’t win a contest you didn’t enter. If you don’t recall entering a particular contest, be very wary of a prize announcement. Scammers love using fake contest awards to fool consumers.

Another way to avoid scams on Snap Chat is to change your settings so you only receive snaps from listed friends. This will dramatically cut down on the amount of spam you receive. Changing this setting is easy; learn how to do so here.

Learn more about this scam from the Better Business Bureau.



Protecting Your Information When Using Mobile Devices

March 25, 2014

Jackie here. Do you have a mobile device? Maybe two or three? Smartphones and tablets certainly make life more convenient, but it is important to remember that these tiny devices are actually computers; think about mobile security from the start and keep your information safe.

How do you protect your mobile devices when on the go? Here are some safety tips recently shared by the Privacy Rights Clearinghouse.

Password Protect It

We’ve talked many times about the importance of a strong password, but this advice doesn’t just apply to your online accounts (like social media, email and banking). A strong password is a must for all of your devices too. Have your device automatically lock after a period of inactivity and require a password to log back in. This makes it harder for people to access your device without permission and also provides protection should your device be lost or stolen.

You may also want to password protect (with a different password) each application on your phone that stores any of your personal data.

Use Security Software

Think your mobile devices don’t need anti-virus protection? Think again. You should protect your mobile devices just like you protect your home computer.

Be Cautious with Public Wi-Fi

Before connecting to a public Wi-Fi network, make sure you have the right one selected. It is a good idea to check with someone who knows (like an employee in a coffee shop) for the official network name before connecting. Don’t assume that a network that looks right is right.

Be especially careful about entering login information over a public connection. If you reuse usernames, passwords, etc. you may be sharing this information with anyone else on the network.

Update Often

When vulnerabilities are discovered, updates are often created to fix them. Installing updates keeps you safer. Stay on top of your updates for both your device and any apps you use.

Use Caution with Links

Before you click on that link, think! Just because you know the sender of an emailed link, doesn’t mean it is safe to click. I’ve received many links from compromised accounts that could put me in the same situation if I click. Also be careful with shortened links on social media and other sites.

For more tips, check out this article about choosing mobile apps.


Data Breach Notification Bill goes to the House

Robert Siciliano, Identity Theft Expert

H.B. 224, a newly introduced data breach notification bill for New Mexico, would mandate that organizations notify breached individuals within 10 days of breach discovery (unencrypted credit card data), and notify the state attorney general within 10 business days if more than 50 NM residents are affected.

The bill allows for a shorter notification deadline and for card carriers to sue for recovery costs linked to the breach; and customers can sue for statutory damages.

Companies operating in NM will also have additional data security and data disposal requirements, due to the bill. Enacting H.B. 224 would make New Mexico join 46 states who have data breach alert laws.

Payment Card Breach

  • Within two business days: Time allowed for card issuers facing a breach to notify all the merchants “to which the credit card number or debit card number was transmitted,” according to H.B. 224.
  • H.B. 224 would also set a risk of harm threshold regarding when an alert is required for card breaches.
  • If the magnetic strip data or other information is revealed, yielding harm or risk of harm to the cardholder and compromise of access device data, the bill would require notification. The card issuer would not need to give approval or direction.
  • Card issuers can sue for recovery of administrative costs if a card reader is breached or if there’s a problem with strip data.

Data Security and Disposal

  • The bill would make companies “implement and maintain reasonable” security measures to ensure protection of personal identifying information from illegitimate access or other fraudulent action.
  • Businesses would also have to include these data security standards in contracts involving “non-affiliated third parties” that they share personal information with.
  • Personal data, however it’s contained, would have to be disposed of such that personal identifying information would be impossible to read or decipher.


  • The bill would authorize the state attorney general to seek injunctive relief and recovery of damages via court.
  • Failure of a company to notify of the breach could result in harsh fines, if the bill is enacted.
  • Customers could sue for damages of $100 to $300, depending on circumstances.

Being accountable:

It may be just a matter of time before the Federal government steps in and decides PCI Standards might not fix client data protection problems. Businesses who see the writing on the wall are being proactive and making smarter investments in their customers’ security.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.


Scam Alert: Don’t be Fooled by the Verizon Voucher Scam

March 24, 2014

Jackie here. Are you a Verizon customer? Be on the alert for this Verizon voucher scam. Scammers are using the promise of a voucher to fool customers into sharing their personal information. Not only will you not receive a voucher, you will increase your ID theft risk.

The Scam

This scam starts with a phone call. Scammers use Caller ID spoofing to masquerade as “Technical Support” from Verizon Wireless. They explain that they are offering bill credit vouchers to various customers. All you have to do to claim the voucher is fill out a short form on a website. The web address provided usually includes “Verizon” and possibly the amount of the promised voucher. A recent version of the scam directed victims to “”.

The website will look like an official Verizon site. It includes the company logos and color scheme. Visitors are encouraged to verify their accounts by entering their phone number, user name, password, and the last 4 digits of their SSN. Don’t do it! This is a clever phishing scam designed to trick you.

Tips for Avoiding this Scam

Phishing scams are always changing, targeting different people and different companies. The easiest way to protect yourself is to use caution before sharing personal information. If you are in doubt, contact the company in question directly and ask them. It’s important to remember that things aren’t always as they seem; just because a website looks like Verizon (or any other company for that matter) doesn’t mean it is an official company site. As a general rule, be wary of people offering you money or a refund for no apparent reason.

Learn more about this scam from the Better Business Bureau.


Favorite Articles for the Week of March 17th

March 21, 2014

Jenna here. Our favorite articles of the week are here. We have an interesting read about the rise in retail hacking, as well as information about an IRS phone scam that’s making the rounds.

Why So Many Retail Stores Get Hacked For Credit Card Data, Bloomberg Businessweek

If the IRS Calls, Hang Up, Forbes


Air-Gap Malware: Using Sound to Transmit Viruses

Jackie here. There’s a new type of malware out there and it’s a scary one. This malware travels through the air, targeting computers in the area. You don’t have to be connected to the same network as the hacker or install unknown software; simply being in close proximity is enough. This malware is called air-gap malware. If you haven’t heard of it yet, keep reading for more information below.

What is Air-Gap Malware?

A common strategy for dealing with a malware infected computer on a network is to disconnect the computer in question. This gives you time to work out the issues with the problem computer without worrying about spreading the virus throughout the network. It’s a strategy known as air-gapping, creating a barrier between the infected computer and the rest.

Air-Gap malware is the hacker’s solution to the air-gap. Since the virus can’t travel through the network using traditional means, it travels through the air, infecting any computer in the area, not just those that share a network. How does it work? Basically, it uses sound waves to transmit malicious code making use of things like sound cards and microphones in place of a network connection.

The sound is high frequency and isn’t something that can be heard by the natural ear, but that doesn’t stop computers from hearing and using the transmitted code.

How Do You Protect Yourself from Air-Gap Malware?

There is no easy way to protect yourself from air-gap malware. Luckily, you probably don’t have to worry about it too much, at least right now. The technique requires a very skilled hacker and is likely to only be employed by those targeting a specific network.


Credit Card Theft Increasing for Banks and Retailers

March 20, 2014

Robert Siciliano, Identity Theft Expert

2013 was the year of 740 million records involving data breaches. And that number may be erring quite on the conservative side, according to the Online Trust Alliance. The records come from a list on the Privacy Rights Clearinghouse Chronology Data Base.

The list is that of publicly disclosed breaches, including the alleged 110 million that struck the big retailer December 13. Many of the listed breaches are of a nondescript number.

The more electronically connected everything becomes, the greater the potential for data breaches—it’s almost as though all this advancement in online data storage and transmission is setting us backwards.

Cybercriminals are good at keeping pace with the progression of online security tactics, matching every leap and bound. This is why organizations must put security and data protection at the top of their priorities and be ready to handle a major breach.

Unfortunately, no one-size-fits-all defense against cyber-fraudsters exists. Nevertheless, there do exist best practices that can optimize a company’s protection against cybercrime.

Let’s take a look at some highlights of the data breaches of 2013:

  • Though that conservative 740 million records was disclosed, 89 percent of the breaches and loss of data incidents could have been thwarted.
  • 76 percent of breaches were due to stolen or weak account credentials.
  • In 2013 alone, 40 percent of the top breaches were recorded.
  • Insider mistakes or threats accounted for 31 percent of insiders.
  • Social engineering was responsible for 29 percent of breaches.
  • Physical loss such as forgetting where one placed a device, flash drive, etc., was responsible for 21 percent of the data loss incidents.

The 2014 Data Protection & Breach Readiness Guide can help service providers and app developers for businesses grasp the issues, factors and solutions that will fire up data protection tactics and bring about a development of strategies for managing a data breach incident.

Smart businesses think proactively:

Smart businesses are investing in their clients’ security. Consumers want to know they are being protected before, during and after a transaction.


Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video. Disclosures.


Businesses Fail in Customer Privacy Ratings

March 18, 2014

Robert Siciliano, Identity Theft Expert

The U.S. Consumer Confidence Index, released by TRUSTe®, shows an alarming trend: A high percentage of U.S. people over age 18 are unnerved about their online privacy, and this trend is worsening.

This survey was conducted online among 2,019 U.S. adults and reveals that 92 percent of the participants are on edge, at least some of the time, concerning online privacy. Nearly three-quarters of Internet users in the U.S. are worried about privacy more so than a year ago. And more users worry about business data collection versus government surveillance programs.

Many businesses are not taking measures to mitigate this concern among users. This can backfire on businesses, e.g., more people not willing to download apps or click on ads. Protecting consumers is crucial to a company’s success—not just with customers but with competitors; companies should not cut corners here.

What are the top reasons for privacy concerns? The top two responses: 1) Businesses sharing personal data, and 2) Businesses tracking online behavior.

More specific findings:

  • 58 percent of respondents were worried about businesses giving out their personal information with other businesses
  • 47 percent worried about businesses tracking their online actions
  • Only 38 percent named media attention to government surveillance programs as a cause for concern.

What are consumers doing about all this?

  • 83 percent are leery of ad clicking.
  • 80 percent won’t use smartphone apps that apparently don’t protect privacy.
  • 74 percent aren’t comfortable enabling location tracking on their smartphone.

Other findings of the TRUSTe survey:

  • User concerns over online privacy are climbing: 92 percent of users worry about privacy.
  • Trust with businesses is declining, coming in at 55 percent currently.
  • 89 percent of consumers will refrain from conducting business with a company they don’t feel is protecting their online privacy.

The public wants more:

The tides of privacy are turning and the public is waking up. Businesses who fail to take action will surely be met with customer defection.


Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.


Scam Alert: Pinterest Scam

March 17, 2014

Jackie here. Pinterest is a place for pretty things, inspirational ideas and unfortunately identity theft and malware too. Like other social media sites, Pinterest can be used by scammers. That doesn’t mean you shouldn’t enjoy the site, but it is something to be aware of so you can avoid falling victim.

Common Pinterest Scams

Pinterest scams often involve “pins” shared from a friend’s account. These pins aren’t actually shared by a friend, but rather are shared by a scammer that has hacked the account. One way to spot a phony pin is to look for posts that are different from what your friend typically shares. Celebrity photos, beauty pins, before and after diet pictures, giveaway offers and infographics are common themes in these scam posts.

Don’t click on the link in the post. If you do, you may be directed to a site that will install malware on your computer. Clicking on the pin will typically direct you to a site selling counterfeit goods, promoting various other scams, etc.

Tips for Avoiding the Scam

Keep your Pinterest account safe from hackers and scammers by using strong passwords and using caution when you log in. Make sure you only log in to your account from the official Pinterest website or using their official mobile app. Log out each time you are finished using the site. You may want to use caution when linking your Pinterest account to other social media sites (like Facebook and Twitter); if scammers access one social media account they can easily share on your other ones too.

If you think your account has been compromised, change your password immediately. If you see a scam post, report it to Pinterest by clicking on the flag icon at the bottom of the picture. For more tips on avoiding Pinterest scams, check out this article from the Better Business Bureau.

Safe Pinning!


ID Theft a Top Complaint in 2013

March 14, 2014

Jackie here. If you think identity theft is no longer a serious problem, think again. Once again it topped the list of consumer complaints made to the FTC in 2013. This is the 14th consecutive year that identity theft ranked #1. Identity theft is still a major problem; how will you protect yourself and your family?

The FTC’s recent report shows that it is still essential to watch for the signs of ID theft. Finding problems sooner often makes them easier to resolve. Some red flags to watch for include:

  • Unexplained withdrawals from your bank account
  • Charges you didn’t make on your credit card
  • Not receiving expected bills in the mail
  • Debt collection calls about debt that isn’t yours
  • Errors in your credit report
  • Medical bills (or explanation of benefits forms) from doctors you didn’t visit
  • Receiving a data breach notification

For more information about staying safe from ID theft, check out some of these great resources:

FTC ID Theft Site

Identity Theft Resource Center

Medical ID Theft site from the Office of the Inspector General

Tax ID Theft Info from the IRS

We also share ID theft tips, resources and information here on our blog, on Twitter and our Facebook page.

Keep yourself safe from identity theft this year!
