July 22nd, 2014
Robert Siciliano, Identity Theft Expert
Law enforcement agencies detect data breaches before businesses do because the former seeks evidence of the cyber crime, reports a networkworld.com article.
Unlike law enforcement agencies, businesses don’t go undercover in hacker forums. Nor do they get court permission to bust into enclaves of cyber thieves. Businesses don’t have moles. It continues: Law enforcement agencies interview imprisoned cyber crooks. The FBI does a lot of undercover work.
Law enforcement may then approach a company and say, “You’re being victimized; we have the evidence.” But often, the company may be skeptical of such a claim. Admittance means facing government response and upset customers
The law is always buffing up on its skills at fighting cybercrime to keep up with its evolution, such as a drastic decrease in solitary criminals and an increase in complex crime rings. These rings have all sorts of technical tricks up their sleeves, including hosting their own servers and changing up their communication methods to vex law enforcement. It doesn’t help that some foreign countries don’t place an emphasis on fighting cybercrime.
The evidence that the law presents to the business when that time comes is rock solid, though again, the company may lack aggression in its immediate response. The company’s legal counsel is commonly the first person to get the forensics report. Upper management usually gets involved before the IT department does. This is all part of keeping legal control over potentially harmful situation.
Robert Siciliano is an Identity Theft Expert to AllClear ID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.
October 28th, 2013
Allison here. Cybersecurity Awareness Month is almost over, but knowing about cyber security and how it affects is relevant year-round. The security of websites, Internet connections, and the businesses you frequent all affect how secure your personal information and identity are. Here are nine cybersecurity facts that you need to be aware of:
- The federal government has suffered a nearly 680 percent increase in cyber security breaches in the past six years. (Face the Facts USA)
- Sean Henry, an assistant director of the FBI, says that so far this year, cyber criminals have stolen over $100 million from US banks. (The Congressional Cybersecurity Caucus)
- The financial industry successfully withstood three waves of distributed denial of service attacks beginning in September 2012. (Banking.com)
- Nation-states, not hackers, are most likely to launch successful cyber terrorist attacks against classified networks and critical infrastructure. They have the necessary discipline, resources, and commitment. (CIO.com)
- About 10% of all social media users have received a cyber-threat. More than 600,000 accounts are compromised every day on Facebook alone. (Floridatechonline.com)
- A whopping 59% of employees steal proprietary corporate data when they quit or are fired. (Ponemon Institute)
- The National Nuclear Security Administration, an arm of the Energy Department, records 10 million attempted hacks a day. (Defense News)
- 53% of U.S companies expressed little to no confidence to stopping security breaches in the next 12 months. (Rolandtech.com)
- The estimated annual cost of global cybercrime over $100 billion. (Go-gulf.com)
October 3rd, 2013
Jackie here. Do you buy or sell on eBay? If so, watch out for this scam. The Better Business Bureau is warning eBay sellers about new tactic scammers are using to get valuable goods without spending a dime. This scam could prove devastating if you sell high dollar items; be careful and protect yourself by knowing what to watch out for.
An item listed on eBay is sold. As usual, the seller receives an official notification from eBay about the sale, but they also receive an email from the buyer. The buyer indicates that they need the item ASAP (a child’s upcoming birthday or a military deployment could be the reason). The seller offers to ship the item as soon as payment is received. The buyer may ask the seller to send to an unconfirmed address not listed on their eBay profile.
The seller then will receive an email from PayPal (the most common payment method on eBay) indicating that payment has in fact been made. The seller ships the item. Later, they log in to eBay or their PayPal account and find out the money hasn’t actually been sent. The confirmation of payment email from PayPal is a fake.
How to Protect Yourself
Just like any site where you buy and sell online, scams on eBay can be very common. Protect yourself by always confirming payments through PayPal before you ship an item. If you have any questions or concerns, contact PayPal directly. A little extra caution can’t hurt if you’re worried.
There are also helpful tools provided by eBay to help protect buyers and sellers. Feedback can alert you to some potential problems. This method isn’t foolproof though; some scammers will hack eBay profiles to use with their scams. If you use eBay, familiarize yourself with their buying and selling protections so you’ll know when you are and when you aren’t protected.
Receiving a confirmation of a payment from PayPal doesn’t mean the money is actually there. Log in to your PayPal account and make sure for yourself before you ship items so you don’t fall victim to this scam.
April 19th, 2013
Tamara here, AllClear ID Investigations. The internet is a wonderful thing, and many people perform financial transactions and other tasks requiring personal information, passwords, and user names online daily. However, there are the cyber criminals who are looking to capture that information for illegal use, making the internet a tool we should use with some caution. One of the many tricks criminals and id thieves try to use to capture our information is called a keylogger.
Keyloggers can be installed manually by the criminal or inadvertently by the user from a malicious website or email. Once installed, the program will record each keystroke made, giving the id thief access to user names, passwords, and any other information that is typed into the computer.
One way to combat this is to use an anti-virus or anti-malware software that will scan for harmful programs such as keyloggers, and hopefully catch them before any data is transmitted. Another approach would be to use keystroke encryption. With keystroke encryption, it would not matter whether or not a keylogger is installed on the device, your data would be protected from unwanted access.
What is Keystroke Encryption?
Keystroke encryption happens between the hardware and the operating system of the computer. When you type the keystrokes, they are encrypted before being sent to the application you are using, and will appear as gibberish to anyone who is monitoring your computer. There are a number of different companies offering keystroke encryption technology to install on your computer, and most of the options are fairly inexpensive. Keystroke encryption can be a useful tool in the fight against id theft, and is something we think warrants some thought.
April 4th, 2013
Jackie here. If you follow AllClear ID on Facebook you may have seen this article we posted last week about the “biggest cyber-attack in history“. The attack slowed internet speeds around the world and nearly shut down the web operations of a compnay called Spamhaus. Now that the dust has settled, and a bit more is known about the attack, we thought you might like to know some of the details behind this historic cyber attack.
The Back Story
In late March, a company called Spamhaus was a victim of a large cyber-attack known as a DDoS attack (or distributed denial of service attack). This type of attack basically floods a network with bogus communication requests, keeping it so busy that it doesn’t have time to handle the legitimate requests. This can effectively knock a network offline and make it inaccessbile to its intended users. Spamhaus is a nonprofit organization that specializes in helping to filter spam email messages. Their work has made them unpopular with spammers, id thieves, etc. and may serve as a possible motivation for the original attack.
Spamhaus decided to contact a company called CloudFlare for help fighting the attack. Cloudflare quickly handled the attack, shutting off the methods the attackers were using. They believed the problem was under control, and even posted about the attack on their blog, but things were about to get much worse.
The Biggest Attack in History
Once their original tactics were thwarted, the attackers decided to use their methods not against Spamhaus or CloudFlare, but rather against the companies that CloudFlare uses for internet bandwidth. By attacking upstream from CloudFlare, they were able to cause problems not just for CloudFlare, but also for the other companies that rely on this provider for bandwidth.
The attacks caused internet troubles for hundreds of millions of internet users, mostly located in Europe, but in the U.S. as well. It didn’t matter if these users were trying to access the Spamhaus site, the CloudFlare site, or some other site entirely, they still experienced a slower internet connection. Although the attack was first targeted at these two companies, the tactic used affected many other sites and led to a sluggish internet for many users.
This attack was a big one, possibly one of the largest ever seen in the history of the internet. Luckily, the parties involved have been able to learn some valuable lessons that may keep the internet more secure and less vulnerable to attacks in the future. For more information about some of the steps that can help make the internet more secure, check out this great article from the New York Times . You can also read more about the attack here and here .
We’ve come to rely on the internet for many aspects of our daily lives, from learning about id theft protection, to communicating with friends and business partners. Attacks like this one are an important reminder that the internet, which we often take for granted, can be vulnerable to attacks as well.
March 26th, 2013
Allison here. During the most recent State of the Union address, President Barack Obama said that he had signed an executive order on cybersecurity in response to Congress’ failure to pass a comprehensive bill themselves. This executive order is designed to address the country’s most pressing cybersecurity needs that relate to American infrastructure. Let’s take a look at some of the features of this bill.
About the Bill
The eight-page order has two main components, according to Security, Privacy and the Law: First, the Attorney General, the Secretary of Homeland Security, and the Director of National Intelligence must ensure timely production of unclassified reports of cyber threats and must rapidly disseminate the reports to the targeted entities. Second, the National Institute of Standards and Technology must develop a Cybersecurity Framework. The Cybersecurity Framework will be a set of standards, methodologies, and procedures to help owners and operators of critical infrastructure (think operators of power and water plants) to reduce cyber risks. These requirements, although they won’t be ready for about a year, are meant to serve as the first steps toward protecting our nation’s infrastructure, and boosting cyber security across the U.S.
The order also allows companies deemed critical infrastructure operators to share information with government entities regarding cyber-attacks and defenses, and in return, the government will provide them with “sanitized” information regarding any potential cybersecurity threats.
Although the order isn’t directly related to consumer and customer records, experts consider this order an improvement from previous bills because it directs the government to work with the private sector to help predict and thwart any cybersecurity threats.
For now, this Executive Order is fairly general. It does not specify what has to be in the Cybersecurity framework, nor are there any deadlines to ensure “rapid dissemination” of the information once it’s gathered. Furthermore, there are no guidelines about the information companies will share with the government, or whether it will be consumer-related data. However, this approach to handling cybersecurity matters is more flexible than legislation, which is crucial since cyber threats and security are constantly changing. We will keep you updated with more information regarding this new Executive Order as it comes out.
January 9th, 2013
Allison here, with AllClear ID. We talked about a lot of different cyber threats and identity theft issues this past year, some of them brand new and some of them new twists on old threats. We’d like to continue to keep you informed and protected in 2013, so we want to share a list of a few big cyber threats to watch for in the coming year. Here are four threats poised to increase or to appear on the scene in 2013:
- Monetization of Social Networks – Just over a month ago, Facebook added the “Sponsored Posts” feature to their site, adding to virtual gifts, and the many social media games that already required people to purchase goods or credits with their own money. All of these avenues through which users input sensitive personal and financial information could open up social media as an avenue for cyber criminals to steal that information or to con people into paying for something the user does not want or need. Granted, cyber criminals are already on social media, but the increasing monetization of social networks will only offer more chances for criminals to use fake gift notifications, fake email messages, and malware attacks to steal users’ personal information in 2013.
- Madware and Ransomware Will Continue – We covered both madware and ransomware before, and they aren’t expected to go away in 2013. According to Symantec, madware use has increased over 200% just in this year, and is expected to be most prevalent in Android apps. Ransomware is the newest form of malware that tricks victims into handing money over to the criminals in order to unfreeze their laptops or to clean up a virus. Expect us to cover the latest trends and twists on these topics next year as well.
- Moving to the Cloud – Cybercriminals are going to go where the action is, and action is increasingly moving and taking place on the cloud. Cloud apps like Dropbox and Evernote are already popular, and make prime targets for infecting a huge system or a lot of people at once. An example of this threat is a cloud-based botnet, where criminals build a virtual attack system using cloud computing resources.
- More Mobile Vulnerabilities – No, mobile cyber threats aren’t new, but there are new advancements in mobile technology that could open up doors for criminals. In particular, mobile browsers and mobile wallets, which are expected to increase in use for the next few years, can give thieves access to consumer’s money with the click of a button.
Here is a longer list of threat predictions from BusinessTech. As always, we will keep you updated as new threats arise, so check back in the coming weeks.
November 12th, 2012
Jamie here with AllClear ID. We aim to keep you informed on the latest identity theft scams, but with thousands of scams and misleading websites out there (and new ones created daily) we simply can’t post about each and every one. A key to protecting your identity is learning to identify scam websites so that you can protect yourself when online.
Let’s take a little test and see how you do. Head on over to this website and see what you think. Is it a scam or not?
Websites that look a lot like this one have been known to steal money from consumers while providing nothing in return, and they solicit personal information that can be used to commit identity theft. If you haven’t figured it out by now, this website is a teaching tool created by the state of Massachusetts to educate consumers about the dangers of scam websites.
Clicking on any of the links on this teaching site will lead you to a scam alert page that offering tips to prevent identity fraud and theft. Here are a few signs that a website might not be what it seems:
- Contains Exaggerated Claims- If a website tells you that you can make thousands of dollars in just a few hours a week or that offers a guaranteed way to get rich quickly, it is probably too good to be true.
- Asks for Money Upfront- If a website asks for money to learn more it may be a scam. Beware of sites that ask for money upfront or encourage you to purchase a “risk-free starter kit” or something similar.
- Asks for Too Much Personal Information- Be careful where you share your personal information online. If an unknown website wants bank account or sensitive information (like your Social Security number) to get started, they may be looking to steal your identity or run some sort of other scam. Check companies through the Better Business Bureau before providing sensitive information online.
Read the full list of identity theft protection tips offered by the Massachusetts Office of Consumer Affairs and Business Regulation, and remember that if it seems too good to be true, it probably is.
August 31st, 2012
Jackie here, with AllClear ID. Cyber-scams are always changing and evolving. This makes it very important to stay vigilant and keep your eyes open for potential problems, even if the scam isn’t one listed here. The IC3 (Internet Crime Complaint Center) recently published a list of currently popular scams. Let’s take a look!
Fake Political Surveys
A fake political survey is on the loose and might soon be calling up your phone. The survey asks respondents to answer a few simple questions and then informs them that they have won a prize (a free cruise to the Bahamas). “Winners” receive a web address and are asked to provide their email address and credit card numbers for port fees. This is a scam. Do not provide your credit card number or other personal information.
The IC3 has been receiving complaints about an online phonebook website. This site allows users to post personal information about others including names, unlisted cell phone numbers, email addresses and other information. The website also allows users to make private phone calls to anyone listed on the site and to track others using GPS. Be careful who you share personal information with. You have no control of what others do with your info once they receive it.
Free Credit Services (That Later Charge)
Citadel malware’s new ransomware has been claiming victims across the web. Victims contract the ransomware at a drive-by download site where the program is installed on a user’s computer. Once it is installed the computer freezes and a screen is displayed which indicates that the user has violated federal law. Often, allegations of child pornography are included. The ransomware instructs victims to pay $100 to have their computer unlocked. Even after paying the malware is still operating on victim’s computers stealing banking and other information that can be used to commit id theft.
If you have been a victim of this scheme, report the problem to the IC3 and do not make a payment. We have more information about this scam on our blog. Check out the article here.
Scams are everywhere, but the IC3 has noticed these scams are especially popular right now. Keep your eyes open and don’t become a victim! Learn more about these trending scams from the IC3 here.
August 29th, 2012
Jackie here, with AllClear ID. Citadel Malware has been making headlines recently. Until recently, this malware platform was available on the open market for anyone to purchase. This malware platform has been the delivery method for a variety of different viruses and ransomware schemes. The most recent is a type of ransomware known as Reveton.
The Citadel Malware Reveton Ransomware gets victims to head to a drive-by download site where the ransomware is installed on the victim’s computer. Once it is installed, it takes over the computer causing it to freeze and lock up. It displays a warning message that appears to be from the U.S. Justice Department or the FBI. A warning screen indicates that Federal Law has been violated and that the user must pay a fine to the Justice Department to unlock the computer. Once the “fine” has been paid the computer’s actions are tracked which can further lead to id theft, banking fraud and credit card fraud.
What Do You Do If This Happens to You?
If a warning screen appears on your computer, don’t make a payment. Know that your computer is affected and that you should take immediate action. Take your computer to a local computer expert for help removing the virus. Don’t visit banking sites, enter your passwords or make online purchases until the issue is resolved.
Even if you are able to unlock your computer on your own it is recommended that you take your computer to an expert after an attack. Keystroke logging software may be installed to capture user names, passwords and other confidential information.
You should also report the problem to the IC3. This allows law enforcement to obtain the information they need to investigate and prosecute offenders. You can file an online complaint at the IC3.gov. You will need to enter your name, mailing address and telephone number. They will also ask for information on how you believe you contracted the malware if you know.
Learn more about this malware from the IC3 here.
August 28th, 2012
Jackie here, with AllClear ID. We often talk about the importance of choosing strong passwords and keeping your passwords safe once you have chosen them, but no password is entirely secure. Passwords are compromised every day through various means like hacking, social engineering or the simple guess until it cracks method. Besides using your best judgment and common password safety tips, there isn’t much else you can do to keep your password safe– but this may someday change.
The Defense Advanced Research Projects Agency (part of the US Defense Department) hopes to someday eliminate passwords and instead identify computer users by their typing style. Everyone types differently from the amount of time in between keystrokes to the length of time a particular key remains depressed; this could someday lead to a unique way to identify yourself that can’t be compromised as easily as a password. According to a New York Times article, DARPA is planning to provide research money to make this a reality. Several universities are researching this technology including Carnegie Mellon, Pace University and Columbia.
Although everyone has a unique typing style, it can vary from day-to-day. How will computers know it is actually you, and not someone else? In the New York Times article, one researcher makes an analogy to music that really hits this idea home. He compares your core typing style to the core rhythm of a song. You can usually easily identify a popular song even if it is played poorly by an amateur group. This technology will seek to find your typing rhythm which can’t be easily copied.
The USNews reports on this technology in action. This technology verifies users at log in based on their typing style when entering a username and password. This could potentially make stolen passwords useless, since only half of the needed equation would be obtained. The technology isn’t yet perfected; longer passwords can make reproducing typing style difficult, even for the same user. Read more here.
August 22nd, 2012
Jackie here, with AllClear ID. Identity theft can easily cost its victims thousands of dollars, not to mention countless hours spent resolving the damage. You might be surprised to learn however that victims aren’t the only ones paying for id theft. Every American taxpayer is on the hook for the billions of dollars stolen from the IRS in tax related id theft. A recent USNews article indicates that the IRS may have issued more than $5 billion in fraudulent tax return checks in 2011. Over the next five years another $21 billion could make its way out of the treasury and into the pockets of identity thieves. At a time of huge budget deficits and a struggling economy, this trend is extremely troubling.
The IRS has stepped up their fraud detection efforts and did find – and stop – many fraudulent returns from being processed this year, but many others slipped through the cracks. It is estimated that 1.5 million fraudulent returns were filed and not detected.
Hopefully improved IRS security will curb the number of fraudulent returns filed in the coming years and will keep that $21 billion loss from becoming a reality. New measures are planned including id theft screening filters, holds on refunds until questionable identities are verified and a system that flags Social Security numbers for deceased taxpayers.
August 7th, 2012
Allison here, with AllClear ID. It’s old news that hackers are creating phishing sites that are mimicking brands and other trustworthy websites in order to lull people into a sense of security and legitimacy. But, the new twist is that gaming sites like “Star Wars: The Old Republic” and “World of Warcraft” have been targeted as avenues to spread malicious links and to gather personal information for identity theft.
With World of Warcraft, phishers sent emails through the in-game mailboxes asking users to beta test the game’s newest expansion, “Mist of Pandaria.” Users who clicked the link were taken to a website where they would have to register and provide the credentials to their account. The Star Wars phishing scam was much worse, where users were subject to account verification checks. Not only did these checks ask for emails, but it also asked for answers to several security questions. It’s theorized that this was done to find those who use these emails and security answers for other accounts – such as banking and social media – so that hackers can get inside those other accounts as well.
These scams were caught in July, but this development coincides with a report from the Anti-Phishing Working Group that says the number of phishing sites is at an all-time high. More than 38 percent of the fake websites were related to financial services, according to the APWG’s report. The second most spoofed market vertical was payment services, followed by retail and other service sites. The sites spoofed 392 brands – also a new record – also coinciding with the trend that hackers and spammers are mimicking legitimate sites and brands as a way to get more victims and to steal more identities.
No one has been caught for starting these scams, but the gaming sites have boosted security and notified users of the problem. Even niche sites like an online gaming community aren’t safe from phishing scams and other cyberthreats, perhaps even more so since gamers interact with other people from all over the world without possibly ever meeting them. Overall, protection is simply a matter of being cautious when revealing personal information and credentials to accounts.
August 4th, 2012
Allison here, with AllClear ID. School is back in session in a few weeks, and whether you are freshman just starting your college career, or a senior ready to finish up and graduate, computer and online safety is something that effects all college students. It could be tough to think about among the classes, the tests, and the social gatherings, but all it takes is one virus or hacker to steal your identity and give you one more thing to worry about. Here are four computer and online safety tips for college students:
- Be Protective of Your Personal Belongings – Laptops get stolen. Roommates aren’t always the nicest or most trustworthy of those closest to you. Don’t leave belongings that have personal and valuable information lying around, even if it seems okay or that no one is around. Purchasing a computer lock and creating a strong password for a login will make is harder for someone to steal your things or to have a little fun with your Facebook status updates when you’re not looking.
- Share Selectively – College is a hive of social activity where you are meeting tons of new people daily and trying out tons of new things. It could be tempting to post a lot of information online, or to talk about things over the Internet with your new friends. However, exercise some caution when creating your social media profiles and chatting online. These are places where unauthorized eyes could see this information, and easily pick up something that could be used to harm you. Avoid giving away your address, revealing the make/model of your car, or discussing your exact location on campus.
- Check Your Wireless Connections – Although the connection on campus could be secure, that might not be the case if you decide to study at a coffee shop off-campus or at your friend’s apartment. If you’re using the Internet in locations where the wireless connection may not be secure, then it’s not a good time to purchase your textbooks or to have your parents wire you money. An unsecure network connection makes it easy for an identity thief to get your financial information. Save those activities for the dorm room.
- Install Online Security Solutions on Your Devices – Don’t wait until your hard drive crashes or until you do have a virus before doing something about it. It could be easy to forget purchasing an online security solution when you need textbooks and word processing software. However, by having these programs on your computer, tablet, and smartphone from the get-go, you’ll be better protected against cyber threats. Make sure to update these programs regularly so you are protected against the latest malware and viruses.
College is an exciting time, but college students aren’t any less vulnerable than anyone else out there. Safety in college is much more than walking with a partner at night and locking your doors. Nowadays, it involves computer and online safety as well.
August 3rd, 2012
Jackie here, with AllClear ID. We often talk about phishing and email scams here on the blog, but phishing isn’t just something to be on the lookout for when you check your email. Id thieves use phishing tactics to solicit personal information in other places across the web as well. Always be cautious when sharing personal information and pay special attention when visiting banking and financial institution websites.
Check out this warning we found on Chase’s website about viruses and malware that can solicit your personal information. Basically, your computer is infected by a virus when you visit an infected website or open an infected email. This virus doesn’t do anything right away; it lays dormant on your computer waiting for you to visit a targeted site, such as Chase. It then creates a pop-up window asking for personal information like your account number or Social Security number. This pop-up isn’t generated by the site you are visiting. Instead, it is a tactic used by identity thieves to get your personal information.
If you see a pop-up like this, don’t fill it out. Report the problem to your bank and get your computer checked out. You may need to update your anti-virus software or you may have contracted a virus that your software doesn’t recognize.
Banks don’t typically ask for personal information like Social Security numbers or account numbers when you are logged into your accounts. On their website Chase says, “We don’t ask you for personal information such as PINs or complete account numbers when you are logged in or through e-mail. We may ask for a mother’s maiden name or a Social Security number on an application that you initiated, but it is not our practice to ask you for personal information in this way or through an e-mail.”
If you are in doubt about whether or not your bank is requesting personal information, give them a call and ask. Use a known phone number to contact them. It is always better to be a little too cautious than to inadvertently share your personal information with an identity thief. If you have shared personal information or filled out a form like this, contact your bank immediately.
Keeping up to date on your antivirus software and using caution whenever you share personal information online will help protect you from id theft. To learn more about id theft and the banking industry, head on over to the FDIC’s identity theft information site.
July 31st, 2012
Allison here, with AllClear ID. The London Olympics are underway! You might not be anywhere close to winning a gold medal on the balance beam, but you can avoid falling into a world of hurt by staying on your toes when it comes to the cybercrime and spam emails looking to use the 2012 games as a way to lure people into giving up their personal info.
With everyone watching the events and rooting on their native countries, there’s been a huge spike in all sorts of spam and cybercrime, ranging from fake sites selling tickets to the events to emails trying to sell 2012 London Olympics souvenirs and memorabilia. Officials are doing all that they can to keep these things in check and to encourage people to visit legitimate sites for video, tickets, and memorabilia– but they can only do so much. Cybercriminals are banking on the traffic and the attention to get people to let their guard down and to steal identities when folks are preoccupied with the fanfare of winning a medal.
The number one thing people can do is to not let their guard down. Be wary of anything Olympics-related that comes through email, social media, text, even mobile apps and videos. It’s one thing if you’re looking at something on NBC or the BBC, but be suspicious of a link sent through text and even that video your friend posted on Facebook. Websites like NBC, the BBC, and the Official London Olympics websites are all okay, and provide legitimate videos, apps, and information regarding anything and everything Olympics. Anything that isn’t coming from a legitimate site could put yourself and others at risk for malware, viruses, and identity theft.
Estimates reveal that nearly a billion people will follow these games, so this problem will affect more than those who are in London. Staying safe from cybercrime is something everyone will have to mindful of, even those who are simply checking scores and watching highlights online (actually, those may be the most at risk despite being some of the more passive followers). There may not be a medal for keeping your identity in safe hands, but there are certainly consequences for not being practicing online and computer safety this summer.
July 28th, 2012
Allison here, with AllClear ID. We’ve previously discussed the dangers of rogue apps, but even legitimate apps are risky when it comes to protecting our data. A month-long study from antivirus software firm BitDefender found that only 57% of iPhone apps encrypt the data they collect, meaning the other 42% put their customers in danger of data breaches and identity theft.
“Consumers need to be aware because the data could be stolen,” said Liviu Arsene, security researcher with BitDefender and writer of the report on this study. “This could mean identity theft, and people pretending to be a specific person.”
The study looked at 65,000 iPhone apps and found that 41% these apps track location, 18% have access to address books (including phone numbers and addresses) and 16% have access to Facebook accounts. By default, apps only ask the user for permission to track location, and not for any of the other data. On top of that, most of these apps don’t notify consumers that they collect this data at all, let alone ask for it in the first place. There also isn’t any law that says app developers must ask permission, disclose their collection, or encrypt the data they collect.
“[This data] can be used for any purpose,” Arsene said. “It can be anywhere. It can be redistributed or sold. Developers can do what they want with this data.”
Although developers may not have malicious intent for the data they collect, the collection puts consumers at an unnecessary risk, especially since so many may not realize the data is being collected. There’s also question of why certain types of data are being collected. Nearly 1/5 of the apps studied have access to the address book, but the only legitimate reason an app would need access would be to transfer contacts or merge social media contact details with your on-device phone numbers.
One thing that Arsene suggested that consumers do about this is to contact app developers directly and to hold their feet to the fire. Ask them if they are collecting data, what they do with it, and how they protect it from hackers and identity thieves. Consumers can also demand that they stop being tracked, or ask the developer how they can stop the app from tracking them. However, it’s highly unlikely that a user can get their specific data back, especially if that data has already been distributed or sold to third parties.
“There’s no reason for non-encryption,” Arsene said. “Users should be notified and must be aware of what’s happening.”
July 26th, 2012
Jackie here, with AllClear ID. Things are changing for the credit bureaus due to new supervision requirements made the Consumer Financial Protection Bureau. This bureau will now be responsible for creating rules to govern the credit reporting industry and to monitor its actions. This will be in addition to the consumer protections already provided by the Fair Credit Reporting Act.
What Does This Mean For You?
The full impact of these changes won’t be known until they are fully implemented, but this change should help consumers and others to learn more about this often-misunderstood industry. The director of the Consumer Financial Protection Bureau, Richard Cordray, explained in a New York Times article that little is known about the credit reporting industry because they haven’t been subject to federal supervision before. Previously, the industry was monitored through Congressional oversight, but this change assigns a single federal overseer.
Another potential benefit relates to fixing incorrect information on credit reports. It is notoriously difficult to fix errors when you find them, due both to id theft and simple reporting mistakes. Hopefully these new changes will resolve some of the issues. The difficulty in resolving inaccuracies on credit reports is one of the primary concerns of the new oversight bureau in addition to the information sent to bureaus and how the credit reporting companies store the information they receive.
Here at AllClear ID, we know that identity theft can demolish an otherwise clean credit report. It’s our top priority to absolutely resolving and cleaning up those errors for you. We look forward to seeing how this change will impact the credit reporting industry and make it easier for identity theft victims to clean up their credit reports, and get their lives back.
Read more about the change in this article by the New York Times.
July 17th, 2012
Allison here, with AllClear ID. We’ve previously discussed how virtual private networks can help you to surf the web anonymously and to help protect you against identity theft, but there are many more methods that can do both of those things for you. So much of your online information and activity is tracked while you surf the web. In order to prevent unwanted peering eyes in your internet cache, there are many things that you can do to prevent third parties from keeping track of you without your permission.
Online Proxy Servers
Something that works similarly to a VPN is an online proxy server, which points a url to a proxy server instead of your IP address. That way, a website’s tracking cookies can’t watch your actions or figure out your geographic location as you surf their site. Another free software program that works similarly is called Tor, which utilizes a layered approach to encrypting your online activities. Traffic is routed through their network of servers, which work together to conceal your location and identity.
Plug in Privacy
If you happen to use a communal computer, or share it with family, then a good solution that works for shared computers is a USB stick called SurfEasy. When plugged into the computer, it starts its own password-protected browser. However, if you don’t want to pay $60 for this special USB stick, you can download a free alternative, called Tails, on your own USB stick or DVD. Either of these is a solution in case you don’t want to go through proxies or network settings.
Of course, you can always make changes to the Internet browser itself to make it easier for you to surf the web anonymously. The easiest thing to do is to see if the browser itself has a setting for you to surf anonymously- and most do. By ‘surfing incognito’, your browser won’t save any history, search queries, passwords, or cookies. It’s a good choice if you only want to be anonymous online from time to time, such as searching for medical information or for doing your online banking.
In the end, pick the solution(s) that are right for you. We aren’t necessarily recommending one in particular or are suggesting that all of them need to be done to remain anonymous online. Implementing one or more of these solutions will help you maintain control over your personal information and data.
July 10th, 2012
Allison here, with AllClear ID. We’ve discussed spam and phishing trends, and with organizations like us at AllClear ID working to protect people and to build awareness for these cyber threats, identity thieves and spammers are always looking for new ways to get around the security measures to make money. This infographic below from Silicon Republic illustrates some of the latest trends in email spam and phishing.
Here are the biggest trends:
- The most popular email spam categories are adult/dating, pharmaceutical, watches/jewelry, and weight loss (in that order).
- In January 2012, PayPal, Facebook, and TAM Filedale were the top three brands representing in phishing emails. Other companies in the top 10 include Mastercard, AOL Time Warner, and JPMorganChase.
- The volume of email spam and phishing has decreased since February 2011. Although that is good news, it should not be interpreted to mean that spam and phishing are going away. It could mean that these cybercriminals are looking for other ways to send their spam, like through social media.
- Over two thirds of email messages in February 2012 were spam.
- China receives the most spam, followed by Netherlands and the United States.
July 7th, 2012
Allison here, with AllClear ID. A two-year undercover operation came to an end a few weeks ago when authorities in 13 countries arrested 24 people who have been accused of cybercrime. Operation Card Shop, as it was called, involved a site called Carder Profit that seemed like a place for hackers and identity thieves to get credit card numbers and software to spy on computers. However, that website was actually a fake set up by the FBI.
The idea for the website came from other forums that were used – and have been caught – as hubs for hackers and identities thieves to purchase personal information, financial data, and software to commit these crimes. These people use these websites to offer specialized services and to help each other, which would make it easier for organizations like the FBI to catch a whole group of hackers instead of just one or two people.
“These guys represent the complete ecosystem of Internet fraud,” said one senior law enforcement official to the New York Times, who requested anonymity because of the confidentiality of the investigation. “We drew them out of the shadows with the Web site as bait.” In this case, the ecosystem existed all over the world, in countries such as Germany, Norway, the United States, Bulgaria, and Bosnia.
The insight and dialogue that took place on the FBI website, Carder Profit, helped authorities to crack down on these criminal organizations, which have become increasingly important as instances of credit card fraud and other computer crimes have exploded within the past few years.
Officials said that this operation prevented over $200 million in losses, as well as the possibility of 400,000 people becoming victims of credit card fraud. Long-term efforts like this operation are what it takes to find these hackers and identity thieves and bring them to justice. It’s unlikely they will stop on their own, and they will always be looking for new ways to get around the laws and to hide their own identity.
July 6th, 2012
Allison here, with AllClear ID. If you haven’t done so already, please do a quick check for malware today! According to the Federal Bureau of Investigation, about 277,000 people worldwide could lose their ability to go online on Monday, July 9 because of malware contracted through an online advertising scam.
Although the number of those affected are well below the initial 570,000 when the malware was initially discovered, there are those who still have the malware, and will have to call their service provider in order to delete the malware and restore their Internet connection. The reason for the loss of connection is that the FBI set up a safety-net upon discovering this malware. It was then realized that turning off the malicious servers on which this malware was hosted would result in the loss of Internet service. The safety-net servers will be shut off on Monday.
The malware, called DNS Changer, was found on November 8 in an international capture of several cybercriminals. Also known as TDSS, Alureon, TidServe, and TDL4 – the malware works by essentially providing infected users with an altered version of the Internet. It has the infected computers point to malicious servers and data centers, where it alters user searches and promotes fake and dangerous products.
About 64,000 of those people who are still infected live in the United States. Some Internet providers have already issued notices to customers or have set up a solution to keep these people online. However, since many of the 64,000 don’t know they’ve even been affected, they might not realize there is a problem until it’s too late. Other symptoms of this malware include slower Internet speeds and a disabled antivirus program, so it’s possible these people could have other problems with their computer as well.
If you already have an anti-malware program in place, such as Malwarebytes Anti-Malware, it would be best to do a quick scan, even if you haven’t encountered any problems. Running any antivirus program will work as well. If you don’t have anything in place, this specific anti-malware program has a free version that you can download to do a scan. The FBI has also set up a website that you can use to check to see if your computer is infected.
If it turns out that you are infected, you will need to get your computer fixed by a professional. Using a program like those mentioned above will not be enough. First, make sure to backup all your important files, as part of the repair process could involve wiping the hard drive clean. Second, make sure to change the passwords on any and all online accounts, as it’s possible this malware could have captured keystrokes and acted as a proxy for traffic to sensitive sites. Third, check bank statements and credit reports for anything suspicious, and take appropriate action if there is something unfamiliar.
June 27th, 2012
Jackie here, with AllClear ID. We’ve talked about clickjacking and likejacking here on the AllClear ID blog, but these aren’t the only potential dangers when using social media. Watch out for malicious code- which if pasted into your browser’s address bar can result in spam to your Facebook account and phony status updates.
Malicious code takes advantage of a browser’s security weaknesses. It starts out with spammers asking you to copy and paste a link or segment of text into your address bar. This then causes the browser to take action, resulting in fake status updates and spam.
What Can You Do?
As with most spam schemes, thinking before you click or paste can go a long way to keep you protected. Don’t paste suspicious-looking links or text into your address bar. Unknown web addresses or text could lead you to spam sites or could lead to your social media accounts being compromised.
Facebook is also working hard to protect you from this problem. Here is what they say about malicious code on their page Keeping You Safe from Scams and Spam, “We have been working hard to improve our systems that detect and block these types of attacks, as well as to educate people on what is causing their accounts to send spam. Now, when our systems detect that someone has pasted malicious code into the address bar, we will show a challenge to confirm that the person meant to do this as well as provide information on why it’s a bad idea. We are also working with the major browser companies to fix the underlying issue that allows spammers to do this. Internet Explorer 9 has already put some protections in place, and we are talking with others about providing similar protections.” Read more on Facebook here.
Another key way to protect your accounts: Keeping your browser up to date and installing the latest version when it becomes available.
When using social media you need to always be on the lookout. Be careful where you click, who you befriend and what you trust. Spammers, scammers and id thieves are ready to compromise your accounts and your identity.
June 25th, 2012
Jackie here, with AllClear ID. June is National Internet Safety Month. As this month wraps up, take the opportunity to evaluate your computer practices for safety and to help others learn to safeguard themselves. In a digitally connected world, we are all responsible for protecting each other. A safer internet benefits everyone.
The National Cyber Security Alliance (NCSA) has a few tips that will help keep you and your family safe online during National Internet Safety Month and beyond. They encourage all internet users to follow these three simple steps when using the internet:
“STOP: Before using the Internet, take time to understand the risks and learn how to spot potential problems.
THINK: Take a moment to be certain the path ahead is clear. Watch for warning signs and consider how your actions online could impact your safety, your kids’ safety or that of your family.
CONNECT: Enjoy the Internet with greater confidence, knowing you’ve taken the right steps to safeguard yourself, your family and your computer.”
What are you waiting for? Ninety percent of Americans say they want to learn more about staying safe online. This month is a great time to make the commitment and better protect yourself and your family online. Once you learn more, share what you know and help others. Head over to StopThinkConnect.org today and spread the word that June is National Internet Safety Month.
June 16th, 2012
Jackie here, with AllClear ID. As you head out and see the world this summer, be careful not to bring home any unwanted travel guests. I’m not talking about bed bugs (although hopefully you don’t find any of those either), this unwanted travel guest is malware and traps might be lurking on your hotel’s internet connection.
Malware (or malicious software) is software that hackers and id thieves use gather personal information or access your computer without your permission. Computer viruses are a type of malware. Malware can disrupt your computer system, take your personal information and make you a victim of identity theft.
This press release on the IC3 website warns travelers about potential malware traps when using hotel internet connections. Here’s how this happens: when travelers connect with the hotel internet connection, a pop-up window would come up asking the user to update their software. If the traveler accepted and allowed the installation, malware was then installed on their computer.
Here are some tips for you before you hop on the plane. To keep your computer and your identity safe when using hotel internet connections both in the U.S. and abroad:
- Update before you leave- Update all of your software programs before you leave. If it’s a short hotel stay, you probably won’t need to update again until you get back. Also make sure that your anti-virus protection is up to date.
- Check the digital certificate of prompted updates- Before allowing a prompted update, check the author or digital certificate. If the certificate doesn’t match the vendor, it might be a malware scam.
- Install updates directly from vendor websites- Getting your updates directly from the vendor sites is a good idea when traveling. Refuse the pop-up asking for the update and then head to the vendor’s site and install the update yourself.
June 6th, 2012
Jackie here, with AllClear ID. Malware isn’t just a pesky computer problem; it can put you at risk for id theft. A recent wave of malware attacks have affected more than 4 million computers in 100 countries across the world according to the Department of Homeland Security. In the U.S. alone, approximately 100,000 computers are currently vulnerable to this attack known as the DNS name changer.
What is the DNS Name Changer?
When you connect to the internet, you use domain names to navigate to various websites. The domain name is converted into a series of numbers that basically serve as the address your computer will use to find your selected website. If you are affected with the DNS name changer malware, your computer will generate incorrect numbers and send your computer to fraudulent websites. Visiting these fraudulent websites puts your computer at a greater risk for other attacks and viruses and increases your chances of identity theft.
How Can You Protect Yourself from the DNS Name Changer Attack?
Every computer is at risk for the DNS Name Changer attack, but that doesn’t mean you and your identity are defenseless. You can check your computer quickly and easily for free to find out if you have been affected. If you are infected you can fix the problem and get your computer back into proper working order. Head on over to the FBI’s information page on this attack to learn more. Check your computer to see if you are affected using this simple form. You have until July 9th to utilize the free tools for getting your computer fixed, so check your computer now before it’s too late. More information is also available through the DNS Name Changer Working Group’s site.
Protect yourself from identity theft by making sure that your computer isn’t infected with the DNS Name Changer. It only takes a couple of minutes to know if you have a problem. If you are one of the millions infected, you can start taking the right steps to correct the problem now.
May 31st, 2012
Allison here, with AllClear ID. The most common scam or online fraud type of 2011 is the FBI scam, where people impersonate the FBI or FBI agents via email in order to get money or personal information. It’s now one of the worst online threats out there, but you can easily stop yourself from becoming a victim by paying attention to what scammers do, and what the FBI doesn’t.
First: government agencies do not send unsolicited emails. Period. So, if you get something from the FBI or any other government body that you didn’t ask for, it’s likely to be a scam.
Second: many of these unsolicited emails say that you need to claim some sort of inheritance or lottery winnings, and need to do so by contacting a different government agency. When contacting that other agency, they ask you pay a few fees to stake your claim, only for you to never hear from them again.
This is where your “common spam sense” kicks in. For starters, the FBI certainly doesn’t have the manpower to deal with matters of unclaimed money. Even if it were part of the agency’s purpose to handle these issues, would they really charge you to obtain something that’s rightfully yours, like an inheritance or a lottery winning? Probably not. There’s no iota of truth or legitimacy to what these emails say that should be confused with something possible or real. Government agencies don’t do this sort of thing on a day to day basis.
The FBI isn’t worrying about such matters, and these scammers are only using the names of government agencies to add legitimacy (much like how they add the names of politicians in emails to get that same sense of legitimacy). All in all, the FBI–or any other government agency–isn’t going to be sending you unsolicited emails. The FBI won’t do to you what these scammers do, so it will be clear when the time comes to know what’s legitimate and what’s not.
May 22nd, 2012
Allison here, with AllClear ID. There has been much discussion lately about online privacy, data tracking, and companies using your personal information for marketing purposes. We may be aware that our data is being used in this manner, but it’s been hard to decipher who’s tracking our information. Until now.
Mozilla just released a new Firefox plugin called Collusion which follows the trackers themselves. It’s still in development, and only for the Firefox browser, but as you browse the web you can find out which websites are tracking you using third-party cookies. Over the course of your browsing session, a map is created, showing the pages you visited and the sites that are now tracking you in some shape or form as a result. Gary Kovacs, the CEO of Mozilla Corporation, demonstrates the plugin’s results in a quick presentation at a TED conference.
I’ve utilized the plugin myself over the course of a few days, and the results are astonishing. I have visited over 26 websites in one typical workday (the exact number is hard to determine, as the map gets that big and convoluted), and ended up having over 100 websites tracking my movements. Most of those websites I’ve never heard of.
To make things even more interesting, I cleared the map and started fresh the next day, and went to just one site from my iGoogle homepage: a CNN article about Google’s search revamp. That one click created a map connecting 31 websites, including the CNN article and the homepage. That’s 29 websites that are all now aware that I read one article on CNN!
Unfortunately, there’s not much one can do after-the-fact. You can clear the cookies and implement more privacy settings to prevent future data tracking, but there are easily hundreds of websites that have information about you, and there’s little a consumer can do to make those websites delete that information. Unless laws change or consumers come together to put pressure on these websites, we are left to fend for ourselves.
Even though this type of tracking does have its benefits and has been used positively, many simply don’t like to be tracked. But here’s the cool part: we can finally at least learn who’s doing the tracking.
May 16th, 2012
Allison here, with AllClear ID. We’ve all seen those work-at-home scams that promise get-rich-quick schemes by working for just a few hours a day in the comfort of our pajamas. All these ads and stories are always too good to be true, and make it seem like it’s impossible to work from home. Sure, these scams exist, but it is possible to work from home, make money, and have it not be a sham. Here’s what separates the good from the too-good-to-be-true:
- Working from Home is Hard Work – If your work-at-home gig or job is the real deal, then you should be working hard and putting in a full eight-hour day. These scams will say that you only need a few hours per week, or that you’ll make several thousands of dollars a day. Working from home may seem like the best deal, since you could then sleep in or watch TV whenever you want. But, those who really do work from home know that those luxuries simply don’t exist.
- It’s Much More than Menial Labor – Most of these work-at-home scams involve doing work like data entry, medical billing, craft assembly, and envelope stuffing. Most people who legitimately work from home don’t do such menial labor. They are writers, graphic designers, lawyers, CPAs, or small business owners starting their company from scratch.
- Working from Home is Something You Should Do on Your Own – One of the key elements of these work-from-home scams is that you have to pay them to receive the training, supplies, software etc. needed to do the job. When you are working from home legitimately, those things would be covered by your current employer, or you may just be able to get by without them until you make enough money to cover the expense.
- Working from Home Doesn’t Equal an Overnight Success – That’s the myth with these scams and many online businesses. It seems that if you just come up with the right idea, you’ll make tons of money right away. And, with an online business, I can do it all from my basement. That may be true, but many of those websites or online businesses that seem to make money quickly had their years of hard work put in. Take Pinterest, for an example. It seems like the social network came out of nowhere, but it actually launched in 2010. It took some time before it actually became that “overnight success.”
Working from home is a legitimate and viable way to make a living. You’re just not going to find that way of living through some pop up ad or banner ad on a website. You’re also not going to find it at a website that allows access to legitimate work-from-home opportunities for a small fee. Most of the time, working from home may sound too good to be real. But, if you know what it takes to make working-from-home good, then it can be true.
May 7th, 2012
Allison here, with AllClear ID. All of those Facebook games and apps may be a great way to procrastinate, but they are also a great way to unleash your personal info to private companies. A Wall Street Journal examination of 100 of the most popular Facebook apps– including Words with Friends, Skype, Twitter, and schoolFeed– found that some seek the email addresses, current location, sexual preference, etc., not only of app users but also of their Facebook friends.
Facebook has always had privacy issues to deal with, especially since users provide their personal information so readily. In regards to the apps, Facebook does require apps to ask for a user’s permission to access personal details. However, apps do not have to ask or notify users to access the personal data of friends. Dozens of apps also allow advertisers that haven’t been approved by Facebook within their apps, which enable these advertisers to track users of the apps.
All 100 apps tested asked for eight “basic” permissions, which include name, gender, locale, and age range. Only 15 apps kept to the basic permissions, although half of them can later ask for more personal information. The full results of the Journal’s examination are available online.
The toughest part about all of this is finding out what users can do about it. Future access to personal data can be prevented by declining invitations to apps. But, if you are already using apps and have already granted them access to your information, there’s really not much else you can do about it. Sure, you can stop using the app, but the app developer already has your personal information. The same goes with changing the privacy settings with these apps. Even removing the information from your Facebook page itself doesn’t retroactively remove the information from the developers or advertisers.
Right now, the best people can hope for is that app developers and Facebook will be responsible and transparent regarding this data. Some are being very conscious of what they ask for, realizing that asking for too much could violate the trust of users. People can prevent apps from access in the future, but for the apps we’ve already granted access, it’s just a matter of crossing your fingers.