
National Retail Federation Pushes for Chip and PIN

April 24, 2014

Robert Siciliano, Identity Theft Expert

The recent major retail breaches have fueled increased interest by the National Retail Federation to push for implementation of a chip and PIN payment card technology. This would make the magnetic strips on payment cards obsolete and no longer a calling card for hackers.

“We’re here today because the question of data security and cyber theft in retail has become a very important debate in Washington,” said David French, the senior vice president of government relations for the NRF.

The U.S. still relies upon the magnetic strip—buyers or employees swipe the card and sign for the transaction. The chip and PIN means a chip is embedded into the card. A “reader” reads the chip but also requires the cardholder to enter a PIN to complete the purchase: a two-ply authentication process.

Magnetic strips allow thieves to make counterfeit cards that work, but the chip technology would prevent this.

“It’s going to be a very expensive transition,” says Mallory Duncan, NRF senior VP and general counsel, referring to the switch from magnetic strip to PIN and chip. A chipped card costs 4-5x as much as a striped card: a cost that card issuers are not crazy about investing in.

However, the retail industry isn’t off the hook. Duncan notes that “every one of the (payment) terminals has to be replaced and depending on whether you’re counting just retailers or doctors’ offices and other places that are thought of as retail, it’s going to be between nine to 15 million (pieces of point-of-sale) equipment that have to be replaced.”

That’s more than $1,000 per unit, she adds. The migration to chip technology includes software and training, and based on Great Britain’s cost to migrate, the U.S. could be looking at “$20 billion or $30 billion to swap out equipment,” says Duncan. And that’s an underestimate.

The starting point for the swap is banks issuing the chipped cards, says Duncan. Then the retail industry will know it’s worth it to finish the job by implementing the terminals.

The banking industry isn’t taking well to the retail industry’s stand on who should make the first move. Banking leaders believe that recent big retail breaches were primarily caused by, as they responded to NRF’s media briefing, “failed computer security at major retailers.”

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

New ATM Scam Allows Unlimited Withdrawals

April 23, 2014

Jackie here. I take comfort in knowing that my ATM has a daily withdrawal limit. I feel secure knowing that should my account become compromised, only a few hundred could be taken (while this is still a lot of money, it is much better than the alternative of having the entire account drained). A scary new development in ATM hacking allows scammers to change limits, making unlimited withdrawals.

This scam is often used over holiday weekends when the banks place extra money in their ATMs. With no caps, scammers take nearly unlimited amounts from accounts, often withdrawing much more than the accounts actually contain. One recent attack took $40 million from just 12 accounts.

While this is scary news, you can take some comfort in the fact that the losses from the stolen money are covered by various banking laws and insurance programs. You will be reimbursed for the lost money eventually, although it may take some time. Prepaid debit cards do not have the same protections which can lead to consumer losses in cases of theft—it may be best to avoid prepaid cards for everyday use.

How Does it Work?

This scam requires several different attacks to banking systems to gain the necessary information to execute the attack. Typically scammers obtain login credentials to banking software systems using phishing or malware attacks. Once the scammers can log in to banking systems to lift limits, they use fake debit cards made using numbers they’ve obtained through other attacks. The scammers then use these fake cards to clean out ATMs, typically over weekends or holidays.
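The pattern described above (an operator account raises a withdrawal limit, then counterfeit cards cash out far more than the account holds) is something a bank can look for in its own audit data. The following is an added example, not code from the original post: it joins two constructed event feeds (limit changes and ATM withdrawals) and raises an alert when withdrawals shortly after a limit increase exceed the old limit or the balance. The feed layouts, account ids, thresholds and window are assumptions made for the demo.

```python
"""Flag the 'lift the limit, then cash out' pattern in a bank's own audit data.

Added example; not part of the original post. It joins two constructed
event feeds (operator changes to withdrawal limits, and ATM withdrawals)
and alerts when an account's withdrawals shortly after a limit increase
exceed the limit that was in force before the change or the account's
balance. Feed layouts, account ids and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (ISO-8601 timestamps). In practice these come
# from the card-management system's audit log and the ATM switch.
LIMIT_CHANGES = [
    # (time, account, old_limit, new_limit, operator)
    ("2014-04-18T22:05:00", "ACC-1", 500, 1_000_000, "ops_user7"),  # suspicious
    ("2014-04-18T09:00:00", "ACC-2", 500, 800, "branch_mgr"),       # routine
]
WITHDRAWALS = [
    # (time, account, amount, atm_id)
    ("2014-04-19T01:10:00", "ACC-1", 2000, "ATM-NYC-01"),
    ("2014-04-19T01:14:00", "ACC-1", 2000, "ATM-NYC-02"),
    ("2014-04-19T01:20:00", "ACC-1", 2000, "ATM-NYC-03"),
    ("2014-04-19T12:00:00", "ACC-2", 700, "ATM-BOS-01"),
]
BALANCES = {"ACC-1": 1500, "ACC-2": 5000}  # balance at the time of the change

WINDOW = timedelta(hours=48)   # holiday-weekend cash-outs finish within days
JUMP_FACTOR = 10               # a limit raised 10x or more is worth a look
MIN_ATMS = 3                   # cash-outs fan out over many machines


def _ts(text):
    return datetime.fromisoformat(text)


def find_suspicious_accounts(limit_changes=LIMIT_CHANGES, withdrawals=WITHDRAWALS,
                             balances=BALANCES, window=WINDOW):
    """Return one alert dict per account whose limit increase was followed by
    withdrawals that the old limit or the balance should have stopped."""
    by_account = defaultdict(list)
    for when, account, amount, atm in withdrawals:
        by_account[account].append((_ts(when), amount, atm))

    alerts = []
    for when, account, old_limit, new_limit, operator in limit_changes:
        if new_limit <= old_limit:
            continue  # decreases are not the pattern of interest
        start = _ts(when)
        in_window = [w for w in by_account[account] if start <= w[0] <= start + window]
        total = sum(amount for _, amount, _ in in_window)
        atms = sorted({atm for _, _, atm in in_window})
        balance = balances.get(account, 0)

        reasons = []
        if old_limit > 0 and new_limit >= JUMP_FACTOR * old_limit:
            reasons.append("limit raised %dx by %s" % (new_limit // old_limit, operator))
        if total > balance:
            reasons.append("withdrew %d against balance %d" % (total, balance))
        if total > old_limit and len(atms) >= MIN_ATMS:
            reasons.append("withdrew %d (old limit %d) across %d ATMs"
                           % (total, old_limit, len(atms)))
        if reasons:
            alerts.append({"account": account, "operator": operator,
                           "total": total, "atms": atms, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in find_suspicious_accounts():
        print(alert["account"], alert["total"], "; ".join(alert["reasons"]))
```

The routine branch change (ACC-2) produces no alert because the withdrawal stays under the balance and hits only one machine, while ACC-1 trips all three reasons; the operator name on the alert is what lets the bank trace the credential that was phished.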

What Can You Do to Protect Yourself?

Although many losses from this scam will eventually be returned, it often isn’t worth the hassle and huge amounts of effort you may have to expend. Protect yourself from ever falling victim. If you can, skip the debit cards and use only a credit card instead. If you’re worried about the possibility of accruing debt, treat the credit card like a debit card and only purchase things you can afford and immediately pay the bill after making a purchase. More importantly, be wary of prepaid cards as these do not have the same legal protections as traditional debit cards. This helpful guide will help you understand the differences in your protections when using credit and debit cards.

Monitoring your accounts carefully will also help you to find and report any discrepancies early.

Learn more about this scam here.


Scam Alert: FTC Email Complaints

April 22, 2014

Jackie here. There’s a new scam making its way into email inboxes across the country. If you see an email that appears to be from the FTC, be cautious. The emails look very official, but are actually an attempt to install malware on your computer.

The Scam

Like many popular email scams, this one attempts to impersonate a well-known organization. The FTC reports that these scam emails use the official FTC seal and contain links that appear to be FTC links. The email text references the Consumer Credit Protection Act (CCPA) and informs the recipient that a formal complaint has been filed against them. They are encouraged to open an attachment to receive more information.

A good tip for avoiding this scam and others like it is to remember how companies and government agencies get in touch. They typically don’t send confidential information via email. If a company or the government needs to get ahold of you regarding a complaint or another serious matter, they will often use postal mail. You can always double check if an email is legitimate by contacting the organization in question yourself. Use a known number for them, not one listed in the suspicious email.

Stay alert so you don’t fall victim. What should you do if you do receive one of these emails? Forward a copy of the email to spam@uce.gov and then delete the email immediately. Get more information about this scam from the FTC.


Healthcare Records Vulnerable to Criminals

Robert Siciliano, Identity Theft Expert

Just about every kind of healthcare-related entity—hospitals, rehab centers, pharma companies, insurance carriers and more—has been and continues to be compromised by cyber criminals.

Though your doctor can boost your resistance to heart attack, the hospital he works at remains prone to hack attacks by crooks wanting access to all sorts of data and other sensitive information.

This isn’t just a leak of patients’ personal health information: the institutions’ billing systems and intellectual property also end up in the hands of crooks.

Once the hackers are in, they’re in a position to launch more attacks on other networks and commit billions of dollars worth of fraudulent transactions.

Here are some bitter pills to swallow:

  • Compromised devices include radiology imaging software, Web cameras, firewalls and mail servers.
  • Quite a few compromises occur due to simple issues like failing to change default credentials on firewalls.
  • Tens of thousands of malicious events can occur within a healthcare IT environment during the time that intelligence is gathered.
  • Not only can cyber criminals get ahold of patient addresses, SSNs and medical condition data, but they can manipulate medical equipment.
  • Healthcare providers accounted for 72 percent of malicious traffic according to the SANS-Norse Healthcare Cyberthreat Report. In addition, healthcare business associates: 9.0 percent; health plans: 6.1 percent; pharmaceutical: 2.9 percent; healthcare clearinghouses: 0.5 percent; miscellaneous healthcare related entities: 8.5 percent.

All of this puts a big financial burden on patients, because healthcare costs rise in response. For instance, the cost related to compromised medical insurance records and files in 2013 was $12 billion, and that gets trickled down to patients.

Many healthcare related organizations cannot adequately protect sensitive data; the cyber attacks are like a relentless virus, overtaking its host.


More Than a Credit Report

April 21, 2014

Jackie here. We’ve talked many times about the importance of regularly reviewing your free annual credit reports, but today I’d like to share some of the other resources you can use to discover ID theft. I recently ran across an article shared by AARP that highlights a few of the lesser known reports available to consumers. I personally haven’t used any of these, but now that I know they are available, I may need to pull a few reports.

Many of the reports are free, but some may require a fee unless you have proof that you were harmed by the information in your file.

Check Writing History

If you have a history of writing bad checks, you may have trouble opening bank accounts or using checks in the future. There are several companies that track your check writing history. Here are a few to check out.

  • ChexSystems- Order your report online (it will come via postal mail in about a week) or call 800-428-9623.
  • TeleCheck/First Data- Mail in a written request for a report or call 800-366-2425.
  • Certegy- If you had a check declined based on information in your Certegy check writing report, you can look up the details online. Enter the purchase amount, date, and check number in their online form for more information.

Health Care Information

Errors in your medical records can cause problems with insurance companies and health care providers. If you have a major medical condition or have applied for various health and life insurance policies in the past few years you may have a record with the MIB Group. Request a free copy of your record here.

Rental History

If you’re trying to get an apartment, your rental history might hold the key. These companies are a good place to start your search for your tenant records:

The Privacy Rights Clearinghouse also maintains a comprehensive list of specialty consumer reports. Check out their listing and order copies of the reports that might apply to you.


Favorite Articles for the Week of April 14th

April 18, 2014

Jenna here. This week, a security flaw known as ‘Heartbleed’ made headlines and sent shockwaves through the business community. In case you missed any key information, we wanted to share some articles we found to be especially informative from the past week.

Here’s How to Protect Yourself From the Massive Security Flaw That’s Taken Over the Internet, Business Insider
http://www.businessinsider.com/heartbleed-bug-explainer-2014-4

‘Heartbleed’ Hackers Hit Two Websites, ABC News
http://abcnews.go.com/blogs/business/2014/04/heartbleed-hackers-hit-two-websites/

Heartbleed Roundup: Hacking Made Easy, First Victims Come to Light and Heartbleed Hacker Arrested, Forbes
http://www.forbes.com/sites/jameslyne/2014/04/17/heartbleed-roundup-hacking-made-easy-first-victims-come-to-light-and-heartbleed-hacker-arrested/

For more information, you can also visit the Heartbleed website: http://heartbleed.com/


Surprising Tradeoff: Free Speech and Cyber Bullying

Jackie here. The digital age is certainly changing the way we communicate. This affects everyone: employers, employees, and even students. I recently read an interesting article from The Atlantic with some thought provoking points about student privacy. Take a read and see what you think.

Article Highlights

The article discusses the blurred line between protecting students and staff from hurtful online comments and maintaining freedom of speech. Schools have a unique obligation to ensure that students feel comfortable at school while simultaneously protecting their constitutional rights. Cyber bullying is a real problem which has caused many schools to enact strong social media policies, including some that prohibit saying anything negative about a school. Many news stories have highlighted instances where students have taken online comments and bullying too far, highlighting the need for some protections from this harmful behavior. However, there are times in which students need to be able to speak out about bad conditions in their schools to enact positive change and create a better learning environment. This highlights a delicate balance for school administrators as they try to protect students and staff from hurtful comments without outlawing the ability for them to speak out against wrongdoing.

Some worry that the schools are overstepping their bounds, using social media policies to control student’s speech both in and out of school. Others argue that the policies are needed to protect both students and teachers from online bullying. As is often the case, even the best intentioned policies can be taken too far, penalizing students for saying things that are meant to call attention to serious issues.

It is important that we each take some time to think about important issues like privacy, communication, and freedom of speech in the digital age. How can we best protect our students and our families while still upholding their constitutional right to free speech? Share your thoughts and opinions with us!


Financial Services and Retail Band Together to Fight Fraud

April 17, 2014

Robert Siciliano, Identity Theft Expert

Finally, retailers and banks have agreed to work together to fight data breach incidents, foregoing the finger-pointing of who’s responsible for prevention and recovery.

This means both entities will work to improve technology that will protect consumers. Historically, the squabbling consisted of retailers accusing banks of being lethargic at adopting updated, more secure debit card technology; and banks insisting that retailers soak up more of the costs for card replacement following breaches.

However, despite the move forward of joining forces, banks and retailers will surely continue having differences. For example, the cost of getting replacement cards is “not something that the two industries are likely to agree upon,” said Tim Pawlenty to Reuters; he’s chief executive of the Financial Services Roundtable.

So how did both parties decide to join forces? Pawlenty was contacted by Sandy Kennedy, the head of the retail leaders group.

This partnership will develop improved communication so that retailers can have a formal program regarding cyber threats. “We both viewed this as an opportunity to collaborate rather than to wage a public battle,” says Brian Dodge of the retail leaders group.

In addition to card related breaches, the partnership will focus also on smartphone security. Use of mobiles to make payments has stunted progress between retailers and banks.

In fact, MasterCard Inc. and Visa Inc. have named a 2015 deadline to implement “chip and PIN” cards to replace the magnetic stripe cards that are so vulnerable to hacking.

Unfortunately, this switch is pricey, and both retailers and banks are not willing to be the first to take that dive off the high board. Especially since more and more people are using mobiles to make payments.

However, security for mobile users could reinforce the retail-bank partnership, says David Robertson, publisher of The Nilson Report. “We need to make sure that mobile becomes a secure way of doing business,” he says.


Top 9 Things to Avoid Online

April 15, 2014

Jackie here. Do you click on pop-ups or sign up for free trial offers online? These two behaviors, along with many others, may increase your risk of ID theft and online fraud. In a report published by AARP called Caught in the Scammers Net, several activities were shown to increase your risk of being an identity theft victim. How do your browsing habits stack up? Check out this list of the top 10 things NOT to do online. Avoiding these potentially dangerous behaviors could help keep you and your family safer.

  • Clicking on Pop Ups- You see an interesting pop up, what should you do? Don’t click on it! Clicking on pop ups is a risky online behavior. Instead, close the pop up immediately and access websites by visiting them directly. You can even install or enable a pop up blocker on your web browser to eliminate the temptation to click. Not all pop-ups are harmful, but it’s often better to be safe than sorry.
  • Selling Products on eBay- While there are a lot of great opportunities for buying and selling products on auction sites like eBay, there is also some risk. The AARP study found that selling items on auction sites increased your risk of fraud. If you do choose to sell, be careful and be on the lookout for fraud—check your credit reports and bank statements carefully.
  • Opening Emails from Unknown Senders- Do you open emails from people you don’t know? This can be a risky behavior, especially if you follow links or open attachments. When opening an unknown email can’t be avoided, use caution and never share personal information with the sender.
  • Downloading Apps- I love a good app just as much as the next person, but each time I download a new one, I carefully review it. Choose apps only from a reputable marketplace and carefully analyze user reviews before downloading. If you want a great app that will actually help you protect your identity, check out the AllClear ID app.
  • Visiting a Website that Requires You to Read a Privacy Policy or a Terms of Agreement Statement- You might not think that a privacy policy could increase your ID theft risk, but the study authors certainly do. They found that both required consent to privacy policies and terms of agreement were risk factors for being a victim of fraud. This doesn’t necessarily mean you shouldn’t visit these sites, but you should be aware that this is a potential problem behavior. To be fair, one reason for this is the fact that websites requiring privacy policies and agreements to terms of use are sites that collect personal information that can sometimes become compromised.
  • Being Impulsive- Do you click before you think? Take time to analyze before you do things online. Many scams can be avoided with a little caution.
  • Signing Up for Free Trial Offers- We all love getting things for free, but is the freebie worth sacrificing your identity for? Be cautious of limited time free trial offers.
  • Purchasing Through a Payment Transfer Website- When it comes to spending money, be very cautious online. Avoid sites that ask you to transfer money to a third party or to an unknown recipient.
  • Believing Everything You See- If you regularly read our blog, you probably know that banks won’t send emails asking for personal information. Just because you receive an email, doesn’t mean it is true. Likewise, don’t believe that a privacy policy means you’re safe from having your personal information shared with other companies.

While you can’t avoid every item on this list, reducing the number of risky behaviors will help you stay safe from online fraud. The study authors found that of 15 risky behaviors, nearly 1 in 5 American respondents had engaged in at least 7. More than half of the respondents (65%) had received at least 1 online scam offer during 2013.

Check out the full study report here.


Data Security Legislation is Inevitable

Robert Siciliano, Identity Theft Expert

A law, or several, on data breaches is around the corner. And the time is right, what with the scads of data breaches involving major retailers lately. Details of customers’ addresses, phone numbers, credit cards and other sensitive information have ended up in the hands of hackers. We’re talking many tens of millions of affected consumers.

Despite this mushrooming problem, no consensus has yet arrived regarding just what role the government should assume to protect peoples’ data. But a common thread to the many ideas is customer notification once a data breach occurs. Though 46 states do have notification laws, retailers gripe that this makes them spend precious time complying with this instead of on fighting data infiltrations and repairing the fallout.

“We’ve long said that action is needed and hopefully we can see passage of data breach notification legislation this year,” says Brian Dodge, a senior vice president at the Retail Industry Leaders Association.

Recently the Data Security Act was introduced. It would require companies and banks to have privacy protections and investigate breaches, plus alert customers about big risks of theft or fraud. Banks have complained about the costs of responding to data breaches and have insisted that retailers do more to address the fallout. The DSA could take some of this burden off banks.

“We think it’s important that essentially everybody up their game,” says Kenneth Clayton, an executive VP and chief counsel at the American Bankers Association. This needs to occur whether through law or industry action, Clayton adds.

The FTC may even get involved. But how much should the government get involved? “The idea that the government would do a better job than private industry is a horrible idea,” says John Kindervag, a principal analyst at Forrester Research, an advisory firm.

However, a 2014 priority for the FTC is to protect sensitive health and financial information. “The FTC has long been concerned that this type of sensitive data warrants special protections,” says Jessica Rich, head of the FTC’s consumer protection bureau. She adds that the FTC strongly supports the possibility of new laws that would protect consumers.


Goodbye to 2014 Tax Season

April 14, 2014

Jackie here. Have you filed your taxes yet? As tax season comes to a close we wanted to share one last post with some tax identity theft tips. We are all at risk for this ever growing problem; being aware and remaining educated is one of the best ways to protect ourselves from tax ID theft and fraud.

Finding Out You Have a Problem

How do you know if you’ve fallen victim to tax ID theft? Most people discover the problem when they go to file their taxes. You may be unable to file since a return has already been submitted with your name and SSN. Other people receive a notice that they underreported their income after they have filed (this often happens when someone is using your SSN to work illegally).

If you do discover a problem, don’t despair; there are things you can do. In January Jenna shared her story of tax ID theft which can give you a good starting point for resolving your own problem. Here are some other tips to try:

  • File a police report- A police report is often the first step in resolving ID theft. While your local police probably won’t be able to do much in fixing your problem, the police report is a valuable tool you can use to prove that you are a victim when talking to credit bureaus and other agencies.
  • Review your credit- If someone uses your SSN to file taxes, they might use it for other things too. Check your credit reports carefully and look for signs of fraud. You may want to initiate a credit freeze and put fraud alerts on your credit reports as well.

While there is extra attention focused on tax identity theft during tax season, many of the things you should do to protect yourself are ongoing practices that happen all year long. Make sure you regularly check your credit report, and keep an eye on your bank statements for anything suspicious. Remember, even small amounts can indicate trouble. In addition, be cautious when clicking on links and don’t share information that isn’t absolutely necessary.

Here’s a great article about tax ID theft from ABC News.


Medical Debt and Your Credit Score

Ben here, AllClear ID Investigator. I am going to step away from ID theft and fraud and touch on a hot issue that is relevant to many of our readers. A lot of myths about medical debt on your credit file are out there circulated by local experts who swear they heard from someone that medical debt will not hurt you. This thought, however, is a myth and the damage from medical debt is very real. It affects the majority of our population and can often come from a clerical error that could be fixed if caught in time. It is important to know your rights with collections agencies and what bills are being passed that could change how our medical billing and collection system is run.

Any collection item including medical debt can lower the FICO score by as much as 100 points. The good news though is that the FICO credit score now ignores collection items less than $100. The hard truth here is that once a medical bill is turned over to collections there is no difference between medical and other collection accounts. FICO does not distinguish between medical and non-medical debt and sometimes a single collection on a “prime” score can drop it by 105 to 125 points resulting in an “off-prime” or “subprime” score.

What to Watch For

It is important to make sure the billing and insurance for your medical claims is completed properly. Mistakes are often made when someone gets overcharged or the insurance company fails to pay for a covered expense. Also, failure to receive a bill does not prevent the debt from going to collections. Bills can be sent to the wrong address, or even sent after the debt already went to collections, causing damage before you even see the bill. If you have a debt you feel is a mistake, dispute it with the medical company and your insurance provider if they were supposed to take care of it.

You do have rights when it comes to the collections process under the Fair Debt Collection Practices Act or FDCPA, enforced by the Federal Trade Commission. A debt collector may not contact you before 8 in the morning or after 9 at night unless you have previously agreed to it. If you inform a collections group over the phone or in writing that you do not wish to be contacted at work, they must adhere to your request. You can submit a letter in writing to cease communication from a collector and at that time they would only be able to communicate to inform you of an action such as if they are filing a lawsuit or informing you they will no longer attempt to communicate with you. You should note this does not mean you no longer owe the debt and the debt collector can sue you to collect.

Even if you pay a bill in full, medical or non-medical, if it is reported as a debt in error, it will remain on your credit report for seven years. During this time, even when paid, the damage is still reflected on your score. Newer systems will ignore collections accounts lower than $250, however, most mortgage lenders use an older FICO model when evaluating applications.


Favorite Articles for the Week of April 7th

April 11, 2014

Jenna here. This week produced a lot of cyber security and identity theft news. Here are a few of our favorite articles (and a video) from this week.

The Truth About Using Debit vs. Credit, USA Money

If you are unable to see the video, click here to watch: http://www.usatoday.com/story/tech/columnist/komando/2014/04/11/4-places-you-should-not-swipe-your-debit-card/7436229/

Why U.S. Retailers Are Still Vulnerable to Card Fraud, Bloomberg Businessweek

http://www.businessweek.com/articles/2014-04-10/u-dot-s-dot-retailers-behind-schedule-for-card-payment-system-upgrade


Don’t Open that RTF File!

April 10, 2014

Jackie here. Before you open that RTF attachment, stop and think! Microsoft recently issued a warning about RTF files, encouraging all users to avoid opening them. Apparently hackers have found a way to utilize this file type to gain control of your computer. Play it safe and avoid all RTF (Rich Text Format) files until the problem is resolved. This file extension is commonly used in Microsoft Word, but other formats like .doc or .docx are available and are still safe to use.

The Better Business Bureau shared the warning in a post on their blog. The compromised files are “booby trapped” which can mean big destruction should the file be opened. These files have the potential to gain control of your computer, leading to the potential for ID theft.

Until a security fix is available Microsoft recommends disabling the opening of all RTF files. This way you won’t forget and accidentally open a file, or compromise your computer when a user that doesn’t know about the problem opens a file. You can do so easily from Microsoft’s site using a special tool created just for the problem. Midway down the page you’ll see a button labeled “Enable this fix it”. Click and follow the on-screen instructions. You can disable the fix once the problem is resolved using the same process and the “Disable this fix it” link.


Cyber Insurance vs. General Liability

Robert Siciliano, Identity Theft Expert

One of the biggest data breaches of all time involved that of Sony Corp. The hackers stole confidential information from tens of millions of Sony PlayStation Network users. Despite this humongous breach, something surprising happened: New York Supreme Court Justice Jeffrey Oing ruled that Mitsui Sumitomo Insurance Co. and Zurich American Insurance Co. owed NO defense coverage to Sony Corp. or Sony Computer Entertainment America LLC.

And why? Oing said that the coverage can’t be triggered through a third-party action: that by the hackers.

It seems, then, in order to get coverage, Sony itself would have to do the hacking. “They’re being held liable even though the wrongdoing was done by a third party,” explains Robin Cohen to Law360. Cohen heads a law firm that handles insurance recovery.

To determine coverage obligations, Zurich filed a lawsuit against Sony, which had to shut down its PlayStation Network for a month.

Oing’s ruling will likely motivate companies to obtain policies that specifically insure against data breach claims. However, many companies believe that such specific insurance is already built into their current general liability policy.

Insurers all across the nation are wanting to put language in their policies that exclude coverage of losses stemming from data breaches, which include loss of credit card information. However, courts have the final say-so in just how far these exclusions can go.

Companies need to seriously consider cyber insurance policies that specialize in coverage of data breach losses.

K&L Gates LLP partner Roberta Anderson told Law360, “Irrespective of whether the Sony trial court’s view is widely adopted, it’s ill-advised for policyholders to rely on general liability policies for data breaches.”

It’s expected that Sony, which has strong arguments for their appeal according to policyholder attorneys, will challenge Oing’s decision.

 

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen See him knock’em dead in this identity theft prevention video. Disclosures.

 


Gmail’s Recent Privacy Change: How Will It Impact You?

April 9, 2014

Jackie here. Do you use Gmail? Not a day goes by that I don’t receive or send at least one email from a Gmail account. As I’m certain that the same applies to many of you, I thought I would share this interesting privacy update regarding Gmail accounts. Recent changes to the way Gmail opens email messages may mean you’re sharing extra information with some senders.

Until recently, Gmail didn’t automatically display images. Now many embedded images are allowed to display automatically. While the change is more convenient for many email users, it gives senders an opportunity to gather information about the people receiving the email. Many embedded images aren’t attached to the message at all; the email’s HTML markup simply points to an image hosted on the sender’s servers, so displaying it requires contacting those servers. When the email is opened, that contact can tell the sender which emails you open and when.

Capturing information about opened embedded images is a complex process, so the change won’t likely impact the emails you receive from friends and family, but large companies that send out regular email blasts may employ the process to gather information about consumers and further monitor their marketing efforts. According to an article on Wired, MailChimp, a company that specializes in bulk emailing, plans to use the change to better track email campaigns and to more accurately determine the number of emails that are opened.
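The server contact described above is visible in the message itself. The following scanner, added here as an example (not code from this post or from Gmail), lists the images in an email’s HTML that can only be displayed by requesting them from the sender’s server and flags the traits of an open-tracking beacon: a 1x1 size or an opaque per-recipient token in the URL. The sample message and the .test hostnames are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Query-string values at least this long are treated as opaque per-recipient tokens.
TOKEN_MIN_LEN = 16


def _is_tiny(value):
    """True for width/height attributes of 1px or less (e.g. "1", "1px", "0")."""
    if value is None:
        return False
    try:
        return int(str(value).strip().rstrip("px")) <= 1
    except ValueError:
        return False


class RemoteImageScanner(HTMLParser):
    """Collect every <img> whose src must be fetched from a remote server and
    record the traits that make it look like an open-tracking beacon."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k.lower(): (v or "") for k, v in attrs}
        src = a.get("src", "").strip()
        parts = urlsplit(src)
        # Inline (data:) and attached (cid:) images display without contacting
        # anyone; only http/https sources reveal the open event to the sender.
        if parts.scheme not in ("http", "https"):
            return
        tiny = _is_tiny(a.get("width")) and _is_tiny(a.get("height"))
        tracking_params = sorted(
            k for k, vals in parse_qs(parts.query).items()
            if any(len(v) >= TOKEN_MIN_LEN for v in vals)
        )
        self.findings.append({
            "src": src,
            "host": parts.hostname or "",
            "tiny": tiny,
            "tracking_params": tracking_params,
            # Heuristic: a 1x1 image, or a remote image whose URL carries an
            # opaque token and has no alt text, is almost certainly a beacon.
            "likely_beacon": tiny or (bool(tracking_params) and not a.get("alt")),
        })


def scan_email_html(html):
    """Return one finding per remote image, in document order."""
    scanner = RemoteImageScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample message (not a real mailing); hostnames use the .test TLD.
SAMPLE_EMAIL = """<html><body>
<p>Thanks for signing up!</p>
<img src="https://cdn.example-shop.test/banner.png" width="600" height="120" alt="Spring sale">
<img src="cid:logo@local" alt="logo">
<img src="https://track.example-mailer.test/o/open.gif?rid=a1b2c3d4e5f60718293a4b5c6d7e8f90&amp;c=spring" width="1" height="1">
</body></html>"""


if __name__ == "__main__":
    for f in scan_email_html(SAMPLE_EMAIL):
        label = "BEACON" if f["likely_beacon"] else "image "
        print(label, f["host"], f["tracking_params"])
```

Run against the sample, the banner is reported as an ordinary remote image and the 1x1 GIF with the `rid` token is flagged as a beacon; the `cid:` logo needs no server contact and is not listed.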

What do you think of this recent privacy change?


Is it Safe to Visit Shortened URLs?

April 8, 2014

Jackie here. If you’re on social media, odds are you’ve seen a shortened URL or two (or twenty… they are everywhere). These services take a long link and shave it down to just a few characters paired with the shortening URL. Are shortened URLs safe or should you think before you click?

How Shortened URLs Work

Shortened URLs act as a portal of sorts, capturing the location of a link and redirecting visitors to the intended site. Much of the time a long URL isn’t a problem, but on social media sites (especially ones like Twitter that limit characters), shorter makes it easier to share. Do you want to use three lines of text sharing a long URL?

Many legitimate businesses, celebrities, and others use shortened URLs. But, you should be aware that scammers do too. They can camouflage malicious websites this way, tricking people into clicking on links they shouldn’t. Some will use this technique to direct you to sites that install malware, phish for information, and increase your ID theft risk. With a shortened URL you don’t know where you’re headed until it is too late.

What Can You Do?

While some people may choose to avoid shortened URLs altogether, this approach may keep you from a lot of great content. For example, we regularly share shortened URLs from the AllClear ID Twitter page; skip them and you might miss out on some great information about avoiding ID theft. Short URLs aren’t bad in and of themselves; you just need to use a little extra caution.

Here are some tips for keeping yourself safe when using shortened URLs:

  • Source Matters: Before you click on a shortened URL, consider the source. Is it shared by a company or person you trust? Bear in mind that scammers may create fake websites or profiles (or hack legitimate ones) to share their malicious links. Before you click, ask yourself, “Do I trust the source?”
  • Use a URL Expander: Shortened URLs leave you in the dark about the website you’re trying to visit; a URL expander turns on the lights. CheckShortURL.com and LongURL.org are two of several sites that show you the full URL for a shortened one. Some of these sites will even check the link for malware before you click. You may also be able to install a browser plug-in that checks short URLs without having to visit another site.
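A minimal URL expander in the spirit of the tip above, added as an example (it is not code from AllClear ID or from the services named): it follows the redirect chain with HEAD requests only, never downloading or rendering the destination page, and stops on loops or after a hop limit. The `fetch` parameter lets a chain be supplied offline; the hostnames in the demo chain are constructed.

```python
import urllib.error
import urllib.request
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 10


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following redirects so each hop can be recorded."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def http_location(url, timeout=5):
    """HEAD the URL and return its Location header, or None when the response
    is not a redirect. Only headers are requested; nothing is rendered."""
    req = urllib.request.Request(url, method="HEAD")
    opener = urllib.request.build_opener(_NoRedirect)
    try:
        with opener.open(req, timeout=timeout):
            return None  # 2xx: we have arrived at the destination
    except urllib.error.HTTPError as err:
        # With redirects suppressed, a 3xx surfaces as HTTPError; its headers
        # still carry the Location we want. Any other error ends the chain.
        if 300 <= err.code < 400:
            return err.headers.get("Location")
        return None


def expand(url, fetch=http_location, max_hops=MAX_HOPS):
    """Follow the redirect chain starting at url.

    Returns (final_url, chain, status) where status is one of
    'ok', 'loop', 'too_many_hops' or 'bad_scheme'. Only http(s) hops are
    followed; a Location pointing at any other scheme stops the walk.
    """
    chain = [url]
    seen = {url}
    current = url
    for _ in range(max_hops):
        if urlsplit(current).scheme not in ("http", "https"):
            return current, chain, "bad_scheme"
        location = fetch(current)
        if location is None:
            return current, chain, "ok"
        nxt = urljoin(current, location)  # Location may be relative
        chain.append(nxt)
        if nxt in seen:
            return nxt, chain, "loop"
        seen.add(nxt)
        current = nxt
    return current, chain, "too_many_hops"


# Constructed offline chain: short link -> click tracker -> relative redirect -> page.
DEMO_CHAIN = {
    "https://sho.rt/abc": "https://click.example-tracker.test/r?u=1",
    "https://click.example-tracker.test/r?u=1": "/landing",
    "https://click.example-tracker.test/landing": None,
}


if __name__ == "__main__":
    final, chain, status = expand("https://sho.rt/abc", fetch=DEMO_CHAIN.get)
    print(status, "->", final)
    for hop in chain:
        print("  ", hop)
```

To expand a real short link, call `expand(url)` with the default `fetch`, which issues the HEAD requests over the network.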

For more information and tips see this great article from the Better Business Bureau.


Credit Card Fraud Security Bleak

Robert Siciliano, Identity Theft Expert

The U.S. is no superpower when it comes to card payment security: it is the card hacking headquarters of the world.

Don’t count on credit card fraud going away too soon. After all, Americans practically sleep, eat and breathe credit card use. And it’s those doggone magnetic strips on the cards that keep getting consumers, retailers, banks and the card companies in a fix. The strips make it so easy for hackers—and they know it.

It’s high time that the U.S. switched to chip-embedded cards. They’re slated to launch soon, but security experts aren’t breathing easy yet. The squabbling among banks, card companies and retailers over who’s responsible for protecting consumers isn’t helping, either.

Recently Congress demanded that financial and retail industry leaders come up with plans for securing customer data. And they’d better act soon, or consumer trust in the cards that drive the U.S. economy will take a big dive.

“This has the potential for people to question the viability of our payment system,” points out Venky Ganesan, venture capitalist with Menlo Ventures. Cards are the bread and butter of America, responsible for about 70 billion payments last year, worth $4 trillion (Nilson Report).

Only 11 percent of merchants are sufficiently compliant with the credit card security standards, says a study from Verizon Enterprise Solutions.

The magnetic strip, as innocuous as it appears to the typical consumer, stores that consumer’s personal financial information. Most other nations ditched this “antiquated” system years ago in favor of EMV, a chip-based standard for securing payment transactions.

The payments industry has named 2015 as the deadline to get chip technology going. But all things considered, that’s still a long way off. And retailers are whining over the many billions of dollars it will take to replace point-of-sale technology.


Big Data Joins the Tax ID Theft Fight

April 4, 2014

Jackie here. We’ve talked quite a bit about the potential privacy pitfalls of Big Data, but what about the benefits? With huge catalogs of information about the activities, actions, and whereabouts of each American, data companies have a valuable resource that can be used to fight things like tax ID theft and fraud. This year several states have decided to partner with data collectors to fight fraudulent tax returns before the money is lost forever.

Tax identity theft is a big problem, and one that isn’t likely to go away any time soon. As identity thieves ramp up their efforts, the IRS and state governments have to find new techniques to battle this pervasive issue. Turning to data companies is a unique solution with the potential for very effective results.

Since these programs are state run, the methods of implementation can vary, but all share a common goal: to catch identity thieves before a fraudulent tax return is paid. One state uses a specially created algorithm to screen for potential problem returns. If a suspect tax return is found, a letter is sent to the taxpayer asking them to visit a website to verify their identity. In the first year of use, Georgia paid about $3 million dollars for the service which saved the state $25 million.

Tax ID theft is still a problem, but hopefully ideas like this one will help state and federal governments continue in the fight against tax ID theft. For more information about this program, check out this article from KCEN TV. Learn more about tax ID theft here.


Insurance Company Fined BIG for Breach

April 3, 2014

Robert Siciliano, Identity Theft Expert

Why would an insurance company be fined for a data breach?

There was a security breach at Triple-S Salud, Inc. (TSS), which is a subsidiary of Triple-S Management GTS. The Puerto Rico Health Insurance Administration plans on imposing a $6.8 million fine on TSS.

The breach involved 13,336 of TSS’s Dual Eligible Medicare beneficiaries. The penalty includes suspending all new DEM enrollments and alerting enrollees of their right to back out.

The PRHIA says that Triple-S failed to implement all the required steps in response to the security breach.

TSS sent out a pamphlet last September that unintentionally showed the Medicare Health Insurance Claim Number of some of the recipients. This is a unique number that’s assigned by the Social Security Administration. It’s considered to be protected health information.

An investigation was carried out by TSS, and this subsidiary did report the incident to federal government agencies and Puerto Rico. TSS complied with the PRHIA’s requests for information pertaining to the DEM beneficiaries. TSS also took additional measures, one of which was that of issuing an alert of the breach through local media; all of the affected beneficiaries were notified by mail of the breach.

In the filing, Triple-S affirms that it takes the matter very seriously and is “working to prevent this type of incident from happening again.” However, it’s currently not able to assess the financial impact of the breach on TSS, nor can it estimate the sanctions’ impact.

Triple-S adds that a response is being prepared by TSS to give to the PRHIA, and that TSS has a right to make a request for an administration hearing.


IRS Releases 2013 Criminal Investigation Annual Business Report

April 1, 2014

Chris here, AllClear ID Investigator. The IRS recently released its Criminal Investigation Annual Report for fiscal year 2013. The Criminal Investigation team investigates a wide range of potential financial and tax related crimes. According to the Criminal Investigations Report, these types of crimes include money laundering, public corruption, terrorist financing, narcotics trafficking financial crimes, and identity theft.

Report Findings

The report tracks a total of 5,314 cases investigated by the Criminal Investigations team during the year. Of the 5,314 cases, 4,364 were recommended for prosecution. Almost 3,800 individuals were indicted, resulting in 3,311 convictions, a 93% conviction rate. These numbers are up across the board compared to previous years: fiscal year 2012 saw the Criminal Investigations unit initiate 5,125 cases with 3,701 recommended for prosecution. These cases resulted in 3,390 individuals being indicted and 2,634 convictions. Of all the stats, however, the most important is the conviction rate, according to Richard Weber, Chief of Criminal Investigations: “The conviction rate is especially important because it reflects the quality of our casework, our teamwork with federal law enforcement and the U.S. Attorneys’ Offices, and represents an increase over 2011 and 2012.”

When it comes to identity theft, Chief Weber maintains that it is “one of our top priorities.” In 2013 Criminal Investigations initiated 1,492 identity theft related investigations, resulting in 438 convictions. According to Chief Weber, Criminal Investigations, working in conjunction with civil tax partners, was able to catch 1.3 million fraudulent returns before they were processed and prevented $7.1 billion in false refunds.

Identity theft and tax fraud are still big problems in the U.S., but teams like IRS Criminal Investigation are a much needed step in the right direction. And according to Chief Weber, they only plan on getting better at detecting and preventing these criminal activities: “I am extraordinarily optimistic about the future of CI. Nothing great is ever achieved without dedication and enthusiasm, and our employees have plenty of both. We will remain the energetic, dynamic and adaptive organization that is simply the best at following the money. I am grateful for the service and dedication of all CI employees.”

If you want to read the full IRS-Criminal Investigation Report it can be found here.


Chip and PIN or Chip and Signature?

Robert Siciliano, Identity Theft Expert

OK, there’s lots going on here. Read slowly and wrap your brain around this. So which offers more security for your card payments: chip-and-PIN or chip-and-signature? Chip-and-PIN wins. This is due to two forms of authentication: the card and the PIN, which is stored in your head (or should be, anyway, rather than on some small piece of paper crinkled inside your purse).

But chip-and-signature has its virtues for all involved. One reason is that most people don’t know their credit card PIN; something like 5 to 10 percent know it. If credit card payments were only via chip-and-PIN, consumers would memorize their PINs very quickly.

Another issue is that only one-fourth of U.S. POS terminals have a PIN pad. This means a lot of money spent by merchants to accommodate a chip-and-PIN-only environment with updated POS terminals.

On the other hand, this investment can pay off because, says a 2013 Fed Payments Study Summary, PIN debit transactions come with a much lower fraud loss rate than do signature transactions.

A PIN-based transaction brings unwanted issues to some merchants, e.g., car rental companies, which must obtain a preauthorization before the final transaction amount is known. Car rental and lodging companies therefore prefer the signature-based transaction because it has a separate authorization and settlement process.

Other merchants, too, must make some big decisions, such as the restaurant industry: To accommodate customers who want to use their mobiles for payments at their table, restaurants will have to pay a pretty penny for terminals.

Chip-and-PIN comes with a human flaw: if a buyer forgets their PIN, the transaction can’t be completed. A signature-based transaction can always be completed with a signature.

All of these pros and cons must be carefully considered among consumers, merchants and the card payment industry. But what bankers and merchants seem to agree on is that the magnetic strip is getting very old and needs to be replaced by a more secure technology: the chip.

 


Do You Have a Backup of Your Important Files?

March 28, 2014

Jackie here. At times it feels like my entire life is on my computer. Family pictures, important work documents, financial records, favorite games, valuable software, and more fill my hard drive. I would be tempted to pay a pretty penny to keep my computer files if they were ever held ransom by a scammer. Cyber criminals are betting that many consumers feel just like me; they are using a clever new malware scam called Cryptolocker to take computers hostage. Pay up or your files are lost forever, so they say.

Cryptolocker is spread through malicious email links and “drive-by downloads,” silently infecting computers and encrypting the files on their hard drives. Once the encryption is complete the scammers demand a payment of $300 for the key that decrypts them. If you don’t pay, you’ll never see your files again. Pay and you’re left at the scammer’s mercy: will they really send the key? There is no other solution.

You don’t want to be a victim of this scam. Protect yourself by using caution when clicking on email links and by keeping your security software up to date. Another way to stay safe is to regularly back up your computer. An external hard drive works well as long as it’s disconnected from your computer when not actively in use (otherwise Cryptolocker will attempt to encrypt your backup too).

Have you backed up your files recently? What would you do if Cryptolocker were to strike your home or work computer?


3 Things You May Not Want to Share with Your Doctor

March 27, 2014

Jackie here. While you do need to tell your doctor about relevant medical conditions and your general health, some of your financial information is best kept to yourself. Oversharing at the doctor’s office can lead to identity theft. Some of these tips came from a great article shared by ABC News; check it out here if you get a chance. Do you have other businesses asking for personal information they don’t need? Much of this advice can be applied in other situations (utility companies come to mind) too. Remember if you don’t absolutely need to share it, don’t.

When filling out forms at your doctor’s office, or chatting with the front desk, do your best to avoid sharing too much. Leave portions of the form blank if you don’t feel comfortable providing the info (this applies to financial/personal information, not health-related info). Many times the office won’t even ask for the missing information. If they do ask, calmly explain your concerns and see if a reasonable compromise can be made.

Avoid Sharing Your SSN (or the SSNs for Family Members)

Years ago health insurance companies used Social Security numbers to manage policies. This practice has largely been eliminated (except with a few select health insurance carriers), so SSNs aren’t always needed. In addition, you probably don’t need to provide your SSN or the SSNs for spouses or children either. The more places you share your SSN, the higher your risk of ID theft. Protecting your child’s identity is especially important.

Skip the Email Address

If you need to share sensitive information with your doctor, don’t do it over email. Instead of communicating with your doctor’s office via email, ask for phone calls instead. Secure patient portals for scheduling appointments and viewing test results are generally okay.

Don’t Store Credit Card Information

If your doctor’s office (or any other company, including utilities and online stores) asks to store your credit card information, politely decline. It might be easier to have credit card information stored (it is certainly convenient), but it is much safer to enter it in yourself each time.

When asked to provide sensitive information to a doctor or business, ask yourself, “Do they really need this?” Often you can find other options that work just as well without compromising your identity or raising your risk of medical identity theft.

 


Health Care Information Breaches Rise

Robert Siciliano, Identity Theft Expert

Medical errors can also mean medical identity theft, which accounted for 43 percent of all 2013 identity theft in the U.S., says the Identity Theft Resource Center. Medical identity theft kicks every other category of ID theft to the curb: banking, finance, government, military and education.

Fraudsters invade health data to illegally obtain prescription drugs, services or devices and to get insurance reimbursements.

Making the situation worse is the Affordable Care Act: the rollout of federal and state health insurance exchanges involved malfunctioning online marketplaces. Plus, the Act promotes digitizing medical records, and you know what that means.

What about an honor system?

HIPAA—the Health Insurance Portability and Accountability Act (now you know why it’s not “HIPPA”)—and the HITECH Act define what health care providers must do to protect patient privacy. Violations of these acts can net stiff fines and up to 10 years in prison.

However, HIPAA has exceptions, such as “public health activities” and “health oversight activities” in which confidential information is shared.  People who know that HIPAA isn’t airtight can be turned off from revealing they have an STD or a psychiatric disorder to their doctor unless absolutely necessary.

Under the HITECH Act, patients must be notified by their health plan, medical institution or medical provider when it’s been determined that their health information has been breached. The Department of Health and Human Services must also be notified, and it publicly reveals breaches that involve at least 500 patients.

The discovery, though, doesn’t undo the problem that has already occurred: the fallout from the leak. It’s fairly straightforward to have the right information put back in a patient’s files, but quite another story to get the fraudulent information taken out, because providers fear medical liability.

Take action:

The time is now to bring attention to how a business is protecting their clients’ data. The public wants to know their information is safe and the companies they hand it over to are doing everything possible to protect it.

 


Scam Alert: Contest Scam on Snap Chat

March 26, 2014

Jackie here. A favorite social media app of teens and young adults, Snap Chat is a great way to stay in touch. It is also a way for scammers to bait potential victims. Be aware of this scam and spread the word to friends and family that use Snap Chat so they can stay safe too.

The Scam

Snap Chat is an app where users share pictures (called snaps) that disappear once they’ve been viewed. Scammers are using the app to share photo messages. The scam messages typically congratulate the recipient for winning a contest and provide a web address to claim the prize. We all like to get something for nothing, making it very tempting to visit the site and enter personal information.

At the website the “winner” is asked to select a smartphone app for download before completing the claims process. This technique can be used to bolster an app’s popularity and to spread malware and viruses to phones.

Tips for Avoiding This Scam

Avoiding this scam is simple; don’t ever download apps outside of the official app marketplaces. Also remember that you can’t win a contest you didn’t enter. If you don’t recall entering a particular contest, be very wary of a prize announcement. Scammers love using fake contest awards to fool consumers.

Another way to avoid scams on Snap Chat is to change your settings so you only receive snaps from listed friends. This will dramatically cut down on the amount of spam you receive. Changing this setting is easy; learn how to do so here.

Learn more about this scam from the Better Business Bureau.

 


Protecting Your Information When Using Mobile Devices

March 25, 2014

Jackie here. Do you have a mobile device? Maybe two or three? Smartphones and tablets certainly make life more convenient, but it is important to remember that these tiny devices are actually computers; think about mobile security from the start and keep your information safe.

How do you protect your mobile devices when on the go? Here are some safety tips recently shared by the Privacy Rights Clearinghouse.

Password Protect It

We’ve talked many times about the importance of a strong password, but this advice doesn’t just apply to your online accounts (like social media, email and banking). A strong password is a must for all of your devices too. Have your device automatically lock after a period of inactivity and require a password to log back in. This makes it harder for people to access your device without permission and also provides protection should your device be lost or stolen.

You may also want to password protect (with a different password) each application on your phone that stores any of your personal data.

Use Security Software

Think your mobile devices don’t need anti-virus protection? Think again. You should protect your mobile devices just like you protect your home computer.

Be Cautious with Public Wi-Fi

Before connecting to a public Wi-Fi network, make sure you have the right one selected. It is a good idea to check with someone who knows (like an employee in a coffee shop) for the official network name before connecting. Don’t assume that a network that looks right is right.

Be especially careful about entering login information over a public connection. If you reuse usernames, passwords, etc. you may be sharing this information with anyone else on the network.

Update Often

When vulnerabilities are discovered, updates are often created to fix them. Installing updates keeps you safer. Stay on top of your updates for both your device and any apps you use.

Use Caution with Links

Before you click on that link, think! Just because you know the sender of an emailed link, doesn’t mean it is safe to click. I’ve received many links from compromised accounts that could put me in the same situation if I click. Also be careful with shortened links on social media and other sites.

For more tips, check out this article about choosing mobile apps.


Data Breach Notification Bill goes to the House

Robert Siciliano, Identity Theft Expert

H.B. 224, a newly introduced data breach notification bill for New Mexico, would require organizations to notify affected individuals within 10 days of discovering a breach of unencrypted credit card data, and to notify the state attorney general within 10 business days if more than 50 NM residents are affected.

The bill allows for a shorter notification deadline and for card carriers to sue for recovery costs linked to the breach; and customers can sue for statutory damages.

Companies operating in NM would also face additional data security and data disposal requirements under the bill. Enacting H.B. 224 would make New Mexico join the 46 states that already have data breach alert laws.

Payment Card Breach

  • Within two business days: Time allowed for card issuers facing a breach to notify all the merchants “to which the credit card number or debit card number was transmitted,” according to H.B. 224.
  • H.B. 224 would also set a risk of harm threshold regarding when an alert is required for card breaches.
  • If the magnetic strip data or other information is revealed, yielding harm or risk of harm to the cardholder and compromise of access device data, the bill would require notification. The card issuer would not need to give approval or direction.
  • Card issuers can sue for recovery of administrative costs if a card reader is breached or if there’s a problem with strip data.

Data Security and Disposal

  • The bill would make companies “implement and maintain reasonable” security measures to ensure protection of personal identifying information from illegitimate access or other fraudulent action.
  • Businesses would also have to include these data security standards in contracts involving “non-affiliated third parties” that they share personal information with.
  • Personal data, in whatever form it is held, must be disposed of so that the personal identifying information is impossible to read or decipher.

Enforcement

  • The bill would authorize the state attorney general to seek injunctive relief and recovery of damages via court.
  • Failure of a company to notify of the breach could result in harsh fines, if the bill is enacted.
  • Customers could sue for damages of $100 to $300, depending on circumstances.

Being accountable:

It may be just a matter of time before the federal government steps in and decides that PCI standards might not fix client data protection problems. Businesses that see the writing on the wall are being proactive and making smarter investments in their customers’ security.

Scam Alert: Don’t be Fooled by the Verizon Voucher Scam

March 24, 2014

Jackie here. Are you a Verizon customer? Be on the alert for this Verizon voucher scam. Scammers are using the promise of a voucher to fool customers into sharing their personal information. Not only will you not receive a voucher, you will increase your ID theft risk.

The Scam

This scam starts with a phone call. Scammers use Caller ID spoofing to masquerade as “Technical Support” from Verizon Wireless. They explain that they are offering bill credit vouchers to various customers. All you have to do to claim the voucher is fill out a short form on a website. The web address provided usually includes “Verizon” and possibly the amount of the promised voucher. A recent version of the scam directed victims to “verizon54.com”.

The website will look like an official Verizon site. It includes the company logos and color scheme. Visitors are encouraged to verify their accounts by entering their phone number, user name, password, and the last 4 digits of their SSN. Don’t do it! This is a clever phishing scam designed to trick you.

Tips for Avoiding this Scam

Phishing scams are always changing, targeting different people and different companies. The easiest way to protect yourself is to use caution before sharing personal information. If you are in doubt, contact the company in question directly and ask them. It’s important to remember that things aren’t always as they seem; just because a website looks like Verizon (or any other company for that matter) doesn’t mean it is an official company site. As a general rule, be wary of people offering you money or a refund for no apparent reason.

Learn more about this scam from the Better Business Bureau.


Favorite Articles for the Week of March 17th

March 21, 2014

Jenna here. Our favorite articles of the week are here. We have an interesting read about the rise in retail hacking, as well as information about an IRS phone scam that’s making the rounds.

Why So Many Retail Stores Get Hacked For Credit Card Data, Bloomberg Businessweek
http://www.businessweek.com/articles/2014-03-20/credit-card-data-security-standards-dont-guarantee-security#r=nav-fs

If the IRS Calls, Hang Up, Forbes
http://www.forbes.com/sites/ashleaebeling/2014/03/21/if-the-irs-calls-hang-up/
