Protecting our kids, as parents, is second nature. Whether it is instinctual or a recessed gene that suddenly becomes active once a child is introduced, we strive to keep our children out of harm’s way. Upgrading booster seats, keeping inoculations up-to-date, and checking on the children now and again as they play outside are just a few ways we watch over our kids and make sure they are healthy, happy, and safe.

In the headlines and in the blogosphere, even as recent as last week, an intangible threat has been reappearing. It is the hardest danger to fight for our kids because it is nearly impossible to detect. It’s not a disease, and it’s not a predator, but it is very real, even though you don’t see it.

Carnegie Mellon University’s CyLab cybersecurity research center released in 2011 their findings on a study of Child Identity Theft. From a group of 40,000 children, over 10 percent were found to have compromised social security numbers. These compromised numbers led to incredible cases of ruined credit histories belonging to kids who hadn’t even applied for their own debit cards. Some of these cases of stolen identities and credentials include:

• An Arizona teenager found herself $725,000 in debt, with 42 open accounts including mortgages, car loans and credit cards.
• A Kentucky teen was found to have a credit report that went back 10 years and included a foreclosed mortgage.
• Social Security numbers taken off kids as young as five years old, were used to purchase handguns. More than three hundred  victims were under five years in age, the youngest victim being five months old.

The lure of a child’s personably identifiable information (PII), in particular their Social Security number, is easy to understand. A child’s credit report is clean slate, theoretically having no prior applications for credit cards, major purchases, or investments. What makes this crime all the more abhorrent is the lasting damage it can have on a child. Student loans, future job opportunities, and even home loans are at risk due to a bad credit history falsely created and marginalized by a fraudster.

The more pressing question in the issue of child identity theft is how identity thieves are getting possession of this data. While the report itself does not offer solid leads as to how criminals are getting their hands on the PII of minors, trends are pointing toward children’s access to technology and the use of a child’s Social Security number as a unique identifier.

Concerning modern conveniences, children are being labeled as digital natives, those born around the time of digital technology’s integration (c. 1970), and possessing a greater understanding of digital concepts. As Biz Report states in their own study, the digital natives are out there as “while over two-thirds (69%) of 2-5 year olds can operate a computer mouse, just 17% can tie their own shoelaces.” Kids are expected to understand the latest technological advances; but with parents trying to catch up to what these advancements can do, kids are lacking the “respect” of it and fail to grasp what they are exposing in the way of sensitive data through apps, social networks, and online activity.

Away from your computer, the potential threat resides in where and with whom parents entrust their child’s PII, specifically their child’s Social Security number. Christopher Burgess, online safety advocate and co-author of Secrets Stolen, Fortunes Lost: Preventing Intellectual Property Theft and Economic Espionage in the 21st Century, recommends that parents be selfish with their  their child’s Social Security number.    “How many different forms does a parent fill out for their child, any number of which could be compromised by an attack on the host? Take for example the number of data breaches which occur at educational institutes. This data may be warehoused and bartered by the criminal elements for future aggregation,” he states.

Illegal immigration, organized crime, and family and friends who have ruined their own credit are the most common perpetrators of  children’s social security numbers. . This last revelation of the Carnegie-Mellon study is disturbing on many fronts, and  cannot be ignored.

Parents can do something to help minimize the risks associated with child identity theft and sythentic identity theft (where thieves piece-meal together a new identity from one victim’s SSN, another’s address, and another’s birthdate, and so-on):

• Don’t share your child’s Personally Identifiable Information (PII) unless it is absolutely necessary (IRS Tax Returns, Insurance issuers). 
• Always ask these three questions when asked for PII:  Who needs it?  Why to they need it?  Is there another source of PII they can use (and yes there is 9 out of 10 times).  How will they secure the information?
• Watch the mail for solicitations directed towards your kids. If you receive any offers from credit card companies offering pre-approved, low interest rates on credit cards or loans, there may be a problem. You can contact the Federal Trade Commission at 1-877-ID-THEFT for help.
• Keep your antivirus software up-to-date in order to keep your guard up against keylogging and other forms of malware that might find its way on your computer.
• Monitor your child’s online activity (credit and public records). You can also limit your child’s online presence by implementing a browser’s security add-on’s and barring access to certain websites.
• Install a firewall for your home network, make your network secure not open, or implement both options. Security options are easy to install and activate. What is usually needed is time. Time to understand them and time to put into practice the changes.

Child Identity Theft continues to rise at an alarming rate, but the best defense against such a crime is to remain involved in where your child is online and where your child’s PII is shared. Simply keeping your child’s private records is not enough. You need to remain cognizant of the technologies they are familiar with as well as their digital habits, both online and off. By remaining in the know, you can take steps as a parent to protect one of your child’s most important possessions: Their identity.

This morning, my first work day of 2012 started off with a phishing email.

As phishing scams go, this one was hardly what I would describe as “impressive” or “inspiring” as it lacked a lot of the polish and panache of detailed, deceptive phishing emails; and perhaps the tech-minded savvy would easily spot this as a false email from Adobe Systems promising the latest Acrobat upgrade.

Still, phishing remains a popular method in obtaining personally identifiable information (PII) and delivering malware because phishing works. Phishing is easy to prevent though, provided you know where to look when you receive what appears to be a suspicious email.

So let’s break this one down and find the tell-tale signs of a phishing scam:

1. Return email. It’s name is “Adobe Acrobat Reader” but the sender is using the domain newsletter.northerntool.com. If you are getting an email from a software vendor, bank, or other trusted source, the email should be originating from the trusted source itself (Wells Fargo, PayPal, Adobe, etc.), not Yahoo, Hotmail, or some unknown vendor.
2. Lazy composition. One of the most common tells from phishing emails is poor grammar but in some cases (like this one) it can be sloppiness in composition. This email, for example, reads “Since the holidays are in full swing and the New Year is approaching…” and yet the email was sent on January 2, the day after New Year’s Day. Verbiage like this is a sure sign of bogus email.
3. A link that does not return to vendor or goes to a non-secure website. It would make sense that if you wanted to download an upgrade for an Adobe product, you would go to a location on the Adobe website. If there is a financial transaction (or any transaction that deals specifically with PII) involved, you would also expect that the website in question was secure. Secure websites begin with the https:// protocol (as opposed to http://) and offer an extra layer of security for transactions like these. Again, this URL rings false.
4. False information. The Corporate Headquarters for Adobe Systems Incorporated is in San Jose, California. The address listed here is for Adobe Systems Canada. (There is a difference, noted here.)

Two more tells to consider:

• Note the arrival time of  this email — 3:58 a.m. It was immediately followed by an exact duplicate at 6:22 a.m. Usually, phishing email occur at odd hours and (as seen here) are sent repeatedly.
• Adobe updates their software through their own built-in updaters. Why then are they sending an email? (It’s because they do no such thing.)

So while this phishing scam is easy to spot (and there are other tells in this phishing email that wave a caution flag), keep in mind that others may be flying on auto-pilot when this and other email’s like it arrive in their Inbox. Take a moment and look for some of these details. A few seconds of vigilance may make a huge difference in how secure your data remains.

A tradition at the beginning of the year is to look ahead and plan. You look at the year behind you, consider the lessons learned, and then you make bold predictions for yourself. In the security world, we hold true to these traditions, predicting what’s in store for us next year from hackers, scammers, and all the other things that go bump on the net.

As a regular voice on IDGuardian, I have always endeavored to bring you the latest news and trends in security. To kick off 2012, I thought I would take a look back and then look forward with my own top “Dirty Dozen” predications for what lies ahead:

1. An increase in friends and family fraud. As continued economic hard times force otherwise honest individuals to make poor decisions, expect to see an increase in the misuse of identities by family members and friends who are tempted to turn to identity theft in order to pay bills.
2. An increase in existing account fraud.  As financial institutions get better at preventing the opening of new accounts by thieves, many of these thieves will look at other options, in particular stealing existing account and card information and exploiting it with new charges.
3. An increase in child and elder identity theft. The recent media focus on child identity theft has not only helped parents become more aware of the vulnerabilities their kids face, it is likely to attract more attention from thieves who realize child identity theft is just as easy to hide as it is to get away with.  And on the other end of the spectrum, as social services for the elderly are cut back we expect to also see a spike in identity theft against vulnerable elderly victims, especially from family and caregivers.
4. An increase in skimming. With an expected acceleration to the move to more secure chip-and-PIN cards, thieves are likely to increase their focus on skimming attacks, especially in stores, at ATMs, and in gas stations, before the clock runs out.
5. A shift from street-level drug dealing to identity theft. This is a worrying trend because it could fuel the growth in identity theft for another decade. A perfect example of this trend is the recent  Operation Rainmaker in Florida, where local drug dealers joined forces to learn about identity theft and defraud the IRS out of more than $130 million using stolen identities.
6. A growth in identity theft super thieves. Super thieves are typically lower-level crooks, like those involved in mail theft or check washing, who are never arrested or investigated, stay off law enforcement’s radar, and only become better, more sophisticated, and able to steal larger amounts without being caught. They take advantage of the fact that law enforcement remains ill equipped in combating identity theft and so have plenty of time and opportunity to go from amateurs to professional without the interruption of jail time.
7. An increase in attacks against small businesses. We’ve been watching this trend for some time, as professional gangs realize that it’s easier and safer to attack the low-hanging fruit, like small businesses, which offer plenty of customer and employee information with little protection.
8. An increase in tax-related identity theft. With the IRS appearing to be moving too slowly to catch smaller identity thefts and frauds, and still insisting on using postal mail to send and receive sensitive data, crooks are expected to increase their focus on this kind of weakness.
9. An increase in identity theft malware. Data stealing malware, especially banking Trojans and keyloggers, has become much more sophisticated than we could have imagined.  With consumer security awareness still lagging, we expect organized criminal enterprises to expand their use of this kind of malware to target personal bank accounts.
10. A battle over privacy legislation. This is likely to focus on consumer privacy (in light of the recent Facebook settlement and admissions with the FTC) and an endless litany of data breaches, with one side demanding even greater security and accountability while the other side argues businesses are already unfairly burdened with too many conflicting and overlapping data protection regulations.
11. Big headline attacks. In 2012, there will be lots of opportunities for hackers to take advantage of big events catering to a variety of interests. Some that are stand out’s include the 2012 Olympic Games in London, the epic conclusion of Christopher Nolan’s the Dark Knight trilogy, and of course the United States Presidential election. These and other events will provide hackers and scammers with endless opportunities to trick unwary users into falling for some scam or another, particularly through social networks like Twitter and Facebook.
12. More data breaches. Data breaches usually go up in numbers because of two reasons – more organizations sharing more information, and insufficient security. In order to become more competitive, businesses have to capitalize on all the customer information they manage, and the more data is moved and shared, the more vulnerable it becomes. Most organizations still have limited security budgets, and many are new to security and will make predictable mistakes that will lead to more breaches. There is also an acceleration in the healthcare industry towards healthcare data warehousing, also likely to lead to a spike in breaches.

In this final installment of Parenting for the Digital Native, we conclude this series by looking at the other popular platform on the market for mobile devices — Android.

While Apple has caught a fair amount of criticism over the controls and demands put upon developers, the Android operating system offers an alternative for app designers and developers. With fewer restrictions and encouragement to develop for an open platform, it has been embraced by wireless carriers, Google, and now Amazon with the release of the Kindle Fire.

The Fire has been just that —on fire — since its release, selling units at a blistering rate of one million a week, for three straight weeks, according to USA Today, easily making it one of the top gifts on wish lists for all ages.  These are impressive numbers, particularly in light of criticisms in the device’s functionality and its security issues.

The Fire is just another device akin to the Droid smartphones that store and house sensitive data. Stories such as this one from December 12 should not only capture the attention of Fire owners, but smartphone, and tablet owners as well. How secure is your data on the Android operating system, and what can you do to prevent malware or virus infestation?

The risks in using Android devices, however, are acceptable in the opinions of many tech critics and commentators. JR Raphael wrote in PC World “The answer isn’t locking down the world; it’s taking basic precautions.” This is something that both Apple and Android do have in common: Security begins with the user. If your child or teen has received a new Android-powered mobile device, take the initiative and consider the following options:

• Install mobile anti-malware software on your mobile device. Treat your tablet and your smartphone just as you would your home computer and download anti-virus software. Some apps like AVG Mobilation, Lookout Mobile Security, and Webroot SecureAnywhere are free. Make sure, before downloading, that you read reviews from reputable sources (Droid blogs, CNet, PC Magazine, etc.) to be sure the developers are legitimate and have a solid reputation.
• Set up your device with both a Screen Lock and a SIM Card Lock. Found under Apps > Settings > Security, you have the ability to set up your Screen Lock and SIM Card Lock. Both directly impact access to your phone as the first allows people to turn on the phone and gain access to your apps while the second forces users to type in a PIN in order to use the phone. By creating passcodes (in the form of either four-digit PINS, or patterns you create with a simple three-by-three grid), you can essentially lock down all access to the phone itself.
• Set a unique password for Credential Storage. In cases where you are accessing wifi networks or any online accounts, you can have your Droid device remember passwords for you. These are what the Droid refers to as Credential Storage. Here in the device’s Security Settings, you can also set for this storage a separate password (and it should be a unique password, unlike “password,” “pa55worD,” or the same PIN as used to access your phone), establishing yet another barrier of protection.
• Disable Location Services. There are advantages and disavantages to this (which we will address later in this column), but if you would prefer not to have your location volunteered to another party, you can go in your phone to Apps > Settings > Location and disable all the options listed here. This will essentially disable all ability for your phone to be tracked via GPS and WiFi networks. Keep in mind, this will also disable maps providing you tailored directions from where you are, and also render apps such as OpenTable and AroundMe useless.

With just these basic tips, your phone can effectively be protected by any unwanted party, either through malware or by gaining access to your phone without your knowledge.

Now that we have our Digital Native’s data secure, how do we keep track of our device if lost, or, in that worst-case scenario, stolen? There are Android solutions available, much like FindMyiPhone, that can assist in keeping track of your phone and locking it down in case of theft.

Where’s My Droid will allow you to locate your missing phone by having it play your ringtone (even overriding its “silent” setting). This app also enables Passcode Protection remotely, and alerts you if your phone’s SIM card is swapped out.  The basic “Where’s My Droid” app is free. (A “Pro” version of the app is available for $3.99.) Other options include AVG Mobilation, Lookout Mobile Security, and Webroot SecureAnywhere.

No, you are not seeing a typo — these earlier mentioned anti-virus packages also come with the following options:

• Phone Location
• Remote Lockdown
• Remote Datawipe

Essentially with one download, your Droid-powered device is protected both from viruses and physical theft.

As we mentioned with the Apple devices, you will need to have Location Services enabled. These phone locator apps are reliant on WiFi and mobile data networks to help pinpoint your device’s location, so keep all this in mind when you are securing your Digital Native’s Droid-driven device.

Regardless if these tips are applied to your Digital Native or to yourself, your data and your child’s personally identifiable information (PII) are worth these extra steps. The less room you have for human error, the safer your sensitive data will be. Parenting for kids (be they toddlers or teenagers) does not have to be that challenging when it comes to new technology, regardless of the operating system. It will come to a decision on the parent’s part to invest time in understanding what the technology does and the most efficient way to lock it down and control its content. As stated earlier, security with technology begins with the user.

Take control.

This holiday, the video game market is hoping for gamers of all ages to be asking for epic adventures and action under the tree, releasing a barrage of high-adrenaline, visually stunning games just in time for Christmas. One such offering from Electronic Arts (EA) is the first-person-shooter (FPS) combat simulator Battlefield 3. Battlefield 3 sold more than 5 million copies in the first week it was available, and 12 million copies in the first month. Equally impressive were its online reviews, one gaming critic praising it as an “an unforgettable, world-class multiplayer suite.” Such hype and attention has made this game not only a hit but a “must have” for the gaming connoisseur.

However, particularly when it comes to the multiplayer aspect of the game, Battlefield 3 does tend to trip up a bit on the laces of its combat boots. In order to take advantage of the multiplayer features (in other words, play the game in real time, online), you are required to install and accept the terms of service (TOS) of the Origin service. In August 2011 there was a huge backlash against EA and the Origin End User Licensee Agreement, which gave EA the right to snoop the information running and stored on your computer for all kinds of information and sell it to third parties. The original Origin TOS stated that EA could use Origin to access other EA products without notifying the user, plus the right for EA and unnamed “partners” to “gather, use, store and transmit technical and related information” on “IP addresses, usage data, software, equipment, software usage and existing hardware peripherals” according to the terms of use and for “marketing purposes”.

In response to the criticism, EA issued this statement:

“EA would never sell your personally identifiable information to anyone, nor would it ever use spyware or install spyware on users’ machines. We and agents acting on our behalf do not share information that personally identifies you without your consent, except in rare instances where disclosure is required by law or to enforce EA’s legal rights.”

While EA will continue to collect data about your PC system and its usage, they removed the clause in the TOS that gave them the right to use the data for marketing purposes.

While this has appeased most American gamers to the point where only the fringe Battlefield 3 online players are still complaining about it, German gamers are in an uproar because they claim that they will not allow EA to collect information deemed private in Germany – even if such collection is included in the TOS.  There have been more articles showing up online about removing Origin (there’s a crack available from the hacker group Razor1911), but it’s nothing like the volume of returns and full refunds given to German Battlefield 3 gamers.  Big German games retailers Media Markt and Saturn went so far as to refund used editions of Battlefield 3 even after the PC keys had been redeemed.

EA responded in late October and said they were never collecting that information but just to be thorough they changed their TOS. “We have updated the End User License Agreement of Origin, in the interests of our players to create more clarity,” EA Germany announced in a statement:

“Origin is not spyware. Neither do we use nor install spyware on the PCs of users…

We do not have access to information such as pictures, documents or personal data, which have nothing to do with the execution of the Origin program on the system of the player, neither will they be collected by us.

EA takes the privacy of its users very seriously. We have taken every precaution to protect the personal and anonymous user data collected.”

Origin’s license agreement matches “industry-standard privacy policies”, EA stressed.  But “where necessary, we will of course work together with the relevant Government agencies to ensure that our policies are and remain legally compliant.”

However, in mid-November the plot thickened.  Battlefield 3 has anti-cheat software built into it called PunkBuster, made by EvenBalance, Inc.  I’ve written about PunkBuster before as a potential piece of spyware.  The TOS to PunkBuster includes:

“Licensee understands and agrees that the information that may be inspected and reported by PunkBuster software includes, but is not limited to, Licensee’s Internet Protocol Address, devices and any files residing on the hard-drive and in the memory of the computer on which PunkBuster software is installed. Licensee acknowledges and agrees that if Licensee does not want Licensor to collect and process such information, Licensee should not use the PunkBuster software.

Further, Licensee consents to allow PunkBuster software to transfer actual screenshots taken of Licensee’s computer during the operation of PunkBuster software for possible publication.”

It would make sense for anti-cheat software to be able to monitor processes, but this goes way beyond what might make sense.

It’s up to you to decide which is more important to you: Your privacy or Battlefield 3.  From everything I’ve read it is a great game, but is it worth potentially exposing critical private information to prying eyes, even if those prying eyes assure you they aren’t looking?

In Part One of our Parenting for a Digital Native series, we took a moment to lock down our Apple device of choice —iPad, iPhone, or iPod Touch — so that younger Digital Native would not have access to content far from being child-friendly, as well as preventing certain sensitive data to be shared without your consent. In this second part of the series, we take a closer look at how to  track your Apple device in the event  the device is misplaced or perhaps if the device has been stolen.

While we would prefer the latter never happening, the appeal of a new iPhone or iPad is apparently worth the risk. In September of this year, NYPD dealt with a 16.6 percent rise in “gadget theft” on subways. Raymond Diaz, chief of the New York City Police Department’s transit bureau, reported to The Wall Street Journal, this increase “… is largely driven by the increasing theft of smartphones, especially Apple’s iPhone 4.” This kind of gadget theft can happen anywhere, even at your local coffee shop, as reported by Venice 311, where robbers walked in to wifi-enabled coffee shops, demanded all laptops and cell phones, and then jumped into an awaiting getaway car.

Losing track of your Apple device can be unnerving, especially if you are managing bank accounts or paying bills through your device. In their research on how consumers are paying their bills, the financial and technology solutions company Fiserv found that in 2011 six million Americans used smartphones to make bill payments.  These bill pay apps usually ask to store data and, according to Consumer Reports, it is this convenience that consumers crave as these apps offer “anytime-anywhere account access [making] seat-of-the-pants money management possible.”

This is data you want to keep to yourself. How do you do that if your device is misplaced by your child; or worse, what if the device is stolen from them? (Considering the amount of moms and dads I personally have seen loaning their children their iPhones, it is a very real possibility.)

Situations like these pose a good argument for leaving Location Services enabled. Why? When your device is connected to a network and Location Services is active, you can easily find or track your missing iPad or iPhone using Find My iPhone, a free app available from the Apple’s App Store. Setup is quick and easy.  You “pair” a device with this app, and then from your computer or another mobile device Find My iPhone will “ping” your device. Bear in mind that FindMyiPhone is not sophisticated enough to tell you which room in your house you left your device. The app will, however, show you a general map of where it is located. You can have the missing device display a message, play a sound (overriding its “silent” mode if the phone or iPad is set on it), or both. You will also receive an email confirmation that your device has been pinged by FindMyiPhone.

This is all well and good when your device has been misplaced, but what if your mobile device has been stolen? Does this mean all that sensitive data is now open for exploitation? Even if you have not protected your device with a passcode, FindMyiPhone offers two additional options to handle unwanted accessing of data:

Remote Lock: By enabling this function from FindMyiPhone, you lockdown your device as if it were passcode protected. If you are already using a passcode Remote Lock will use that code. If there is no passcode, you will be asked to create one (and please be smart about it).

Remote Wipe: This is your fail-safe in the situation where you know the mobile device will not be returned. Remote Wipe will erase all unique data on the mobile device, resetting your device to the settings it had when coming off the assembly line.

FindMyiPhone is an economic and effective way of protecting your technology. Just ask Hugo Scheckter who led Washington D.C. police straight to his iPad…

George Washington University Student Tracks Down Stolen iPad: MyFoxDC.com

Keep in mind that this Find My iPhone will only work if your mobile device is connected to a network. So if you have an iPad, for example, that is Wi-Fi and not connected to an open or secure network, the device cannot be located by the app. Something to keep in mind.

Our Apple devices are now trackable devices, easily found if lost and secured if stolen. This is all well and good for the Apple users, but what about the other popular platform in demand — Android? Since reaching the market in 2007, Android-driven devices have won over even the most passionate of Mac Faithful. The platform can be found not only in smartphones but tablets and versatile eReaders like the Nook Tablet and Kindle Fire.

Android devices also come with Security settings worth looking into and knowing what they do; but as we will discuss in Part 3 of our Parenting for the Digital Native series, Android devices handle security far differently than its Apple counterparts.

This blog post is submitted by Tim Rohrbaugh, Vice President of Information Security, Intersections Inc., following a panel discussion for the Practical Privacy Series hosted by the International Association of Privacy Professionals.

What do you get when you cross a Privacy Professional, Security Professional, and a Government official?  Anonymity in your own house after a year of hard fought policy effort.

Okay, for some reason my comedic career never really took off, but I’ve been known to collect attorney jokes and pull them out at the most inopportune time. Please, send me your favorite attorney joke in the Comments section of IDGuardian…and you’ve been a lovely audience…

But seriously…

Just last week, I was asked to speak on a panel that occurred this week at the International Association of Privacy Professionals (IAPP).  I looked forward to being the only private sector member.  Not that I like to debate for debate sake but I am known to appreciate a lively discussion with active minds.

As I looked out across the members in attendance and listened to some of the questions, I was struck by the fact that, by and large, most US citizens don’t realize that there are many professionals who spend their days thinking about how to keep personal data secure because they care about the subject.  Some people make it their professional career because of a personal experience while others have found an area that they are passionate about for business reasons. Regardless of why, when I try to summarize the intersection between what the people in the room care about and what the general informed netizen cares about, it’s “Anonymity”.  We all want to reduce fraud and create an agreed upon trust model with technology and policy. Businesses trust you most of the time, and you as a consumer trust businesses all of the time.

Before we reach that utopian happy place, we the general Internet users just want to search for information online without feeling like we are going to get spammed with targeted emails based on those searches.  Is that too much to ask?

How about phrasing it another way: We want “selective anonymity”.

I admit, that is my own, original term so allow me to define it: an Internet user using a browser either through a smartphone, tablet, or PC should have the right for privacy when they gather information but  give up that right when they want to transact business. For example, if you are researching the history of running, you should not expect to suddenly find your mailbox full of unsolicited emails from “The Finish Line” or some other runner’s online boutique. However, if you go to The Finish Line’s website and purchase a pair of running shoes, it should come as no surprise that advertisements will follow you unless you’ve opted out from receiving them.

That does not mean that one business can misuse information provided to it for a trusted transaction, but the trusted business may use the information (any and all) in the course of business (anti-fraud, deliver goods, deliver services, provide access to bank records and transactions…). Simple ,right? We all wish it was so.

Unfortunately there is a grey area in-between “gather information” and “transact business”.  That grey area is best defined as using “services that are free”, better known as “freemium” services.  Remember that old adage nothing is free in life?  Services are rendered at no cost to you other than the collection and reselling of information. Your information.

What can we learn from this?  It is better to pay for services and demand protections.  Would you like to know how much work it is today to really limit the amount of information about you that is being collected and contextualized?

Stay tuned and IDGuardian will have that answer.

If you’re still looking for a reason to get more serious about protecting against identity theft, then do it for your country. In a series of recent hacks on customers of AT&T, attackers were apparently able to steal more than $2 million by making fake calls using premium call services.

It now appears that the money made from the attack was funneled to a Saudi-based militant group that is also believed to have helped fund the deadly 2008 terror attacks in Mumbai, India where the coordinated series of attacks claimed more than 160 lives.

Identity theft for terrorism is nothing new. According to a report by MSNBC, going as far back as 2004 the 911 Commission raised the troubling reality that stolen identities are aiding terrorists. The Millennium Plot, which consisted of a number of planned attacks around the world back in 2000, was organized by a terror cell that used credit card fraud to fund its activities, and there are even claims the terrorists planned to invest in a gas station to make it easier to steal multiple identities.

The MSNBC report also claimed that Ali Saleh Kahlah al-Marri, suspected of being connected to the 9/11 attacks, had a laptop in his possession that contained 1,000 stolen credit cards when he was arrested.

And an expert on identity theft at the University of Michigan claims that al Qaida manuals she has seen include instructions on how to commit fraud and steal identities, live off of stolen identities when in hiding, and even requires students to leave their training camps with at least five fake identities.

Yet another reason to take identity more seriously. It’s about much more than zero liability, and the impact the crime can have on you personally. If you’re careless with your identity and it makes it into the wrong hands, who knows what horrors could be committed in your good name.

RELATED STORY: Manila says arrested hackers funded by Saudi group

http://www.reuters.com/article/2011/11/27/philippines-usa-idUSN1E7AP0BC20111127

My child, the Digital Native.

Her grandfather (my dad) is constantly amazed at what she can accomplish on the iPad. He claims it’s because the apple (pardon the pun) isn’t falling far from the tree. “I can’t do what you do,” my Dad tells me often. “You just sit behind a computer and just figure it out.” He’s right in one respect — it is what I do. I get my hands on a new tech device and just figure out how it works. So does my daughter.

The problem is she’s doing it much faster.

When I decided to purchase an iPad for my child, mistakenly, I did not consider what she would have access to — or more to the point, what she would access — until one day when I found her hopping around YouTube. There is a running joke that YouTube is nothing more than a haven for funny home movies involving one’s pets.

Well, no. There’s a lot of stuff on YouTube and not all of it is child-friendly.

In fact, there are many things about the iPad (and its cousins the iPhone and iPod Touch) that are not child-friendly. Even the devices alone, in your child’s possession, could make her a mark for a crime. Setting those fears aside, these Apple devices and apps installed might ask your child for information (current location, iTunes password, etc.) best kept private. In a survey sponsored by the mobile security firm Adaptive Mobile, 75 percent of smartphone users are giving away their physical location when downloading apps. In polling over a thousand of their customers, 69 percent found this unacceptable, but three-quarters of these customers had not bothered to read the apps’ Terms and Conditions. Furthermore, a Wall Street Journal investigation found that of 101 popular apps for both Apple and Android operating systems, 56 of these downloads shared private data (name, email, current location) without the users’ awareness or consent.

The good news is that there are parental controls for these devices.  These options allow you to keep some data private and assure limitations on what your child can access online. If the child is good this year and will be getting a device, or if you’re loaning them your own iPhone or iPad for a few rounds of Angry Birds or Crimson Steam Pirates, there are options in your Apple devices that grant parents full control over their child’s experience.

First, on the matter of YouTube and other default apps like Safari, iTunes, Video, and Mail. You might notice that when you tap-and-hold down your fingertip on one of the default applications, the option to remove it is not offered. In fact, you cannot remove, disable, or delete any of the default apps this way. So you’re stuck with them, right?

Not exactly.

1. Find and tap the application marked “Settings.” The Settings app is where you set preferences for your iPad, iPhone, or Touch; and where you can set preferences for individual apps, as well. There appear to be a great deal of options to choose from; but for this particular exercise, we will simply focus on disabling YouTube.
2. Tap on the “General” option, then tap on “Restrictions.”
3. Tap the “Enable Restrictions” option. Before locking down the device, you create a 4-digit passcode. This passcode should be different from your devices main passcode. (Your device does have a main passcode, right? We will discuss that later.)
4. Turn Applications ON or OFF. This interface is asking “Do you want this app on or off?” Work down the list and decide what apps you want running and which ones you do not.
5. Tap “Location” to override Location Services. If you are not keen at all on you or your child being tracked via Location Services (offered in many apps), you can easily disable this feature by turning the Location Services option to off. WARNING: By doing this, you disable one of the features of FindMyiPhone. (More on this app in Part 2.) Much like with apps you wish to remove, you can also choose individual apps to keep running Location Services and which ones to disable.
6. Set your preferences for “Allowed Content.” In this section, you are able to set up specific preferences to content you are allowing. You can also disable solicitations from apps, as well.

While it may seem frighteningly easy to simply go in and disable these settings, the truth is that, yes, your Digital Native can easily release these restrictions, provided they know the four-digit passcode you set up. This is why it is important to not only password-protect your iPad, but also create a unique passcode for restrictions so that your Digital Native doesn’t figure it out.

At this point we have effectively secured our Apple device. So long as your Digital Native doesn’t crack your passcode (so avoid 1-1-1-1, 4-3-2-1, and the like…) you can police what they can and cannot access. Now that we have gotten our Apple device revealing exactly what we want when we use it, in Part 2 we will address how we protect our most sensitive data on the device with one free application and its settings.

Black Friday has come and gone, leaving in its wake record numbers, a hint of optimism on the stock market, and at least one story concerning overenthusiastic shoppers. Just because Black Friday 2011 is done, though, does not mean that holiday shopping has concluded. With a mere eighteen days remaining (and while that sounds like a lot of time, those eighteen days will fly by), consumers are still shopping for that perfect holiday present. According to the National Retail Federation’s 2011 Holiday Consumer Intentions and Actions Survey, conducted by BIGresearch, holiday shoppers say they plan to spend an average of $704.18 on holiday gifts and seasonal merchandise. Additionally, nearly six in 10 holiday shoppers (59.9 percent) say they plan to take advantage of retailers’ sales and discounts to make additional non-gift purchases for themselves and their families during the holiday season.

Once your purchases are made, though, there are still concerns to keep in mind. As reported by Bloomberg Businessweek, MSNBC, and this blog, many cases of identity theft happen after purchases are made, originating from within the business or service where a transaction has occurred. Just last month, New York authorities shut down an identity theft ring where waiters were skimming credit cards of their patrons in order to make counterfeit cards for themselves.

One way of preventing identity theft and credit fraud is awareness. You as a consumer should not only remain aware of what you are spending but where you are spending your hard-earned money and what is happening in your bank account after a transaction has happened. Whether purchasing merchandise online or at the mall, IDGuardian offers a few tips that can help you stay within their budget and help protect you and your accounts from potential fraud.

1. Double check your email inbox.  It is often reported that email scams from retailers will appear to be legitimate when sent to the consumer; however, savvy fraudsters have designed these “fake” emails to steal the consumer’s personal information by having them click on a fraudulent link.  When in doubt, do not respond.  The safer option instead of clicking on the link, is to enter the address directly into the address bar.  Most retailers will not ask for personal information via email.
2. Beware of Public Wi-Fi.  With the increase in popularity of mobile gadgets, they have made shopping at your fingertips more convenient.  But keep in mind that your local coffee shop or hotel lobby may not be secure. Know your device settings, and double check that your network is secure before you type in your credit card information.
3. Create a secure environment. Before shopping online, make sure your computer is up-to-date with the latest anti-virus software, updated regularly. Make sure the anti-virus package you install prevents viruses, malware, and keylogging to keep the fraudsters from capturing your most private information like passwords and user IDs.
4. Keep a close eye on your accounts for suspicious activity.  As you do your holiday shopping, you need to constantly monitor bank statements and accounts to detect any fraudulent or suspicious activity. Save your receipts to help compare your purchases against your bank and credit card statements.  Fraud does happen and can happen to anyone.  If you suspect fraudulent activity, immediately contact your bank or credit card company.
5. Be careful about where you shop online.  As more and more people turn to the Internet for their holiday shopping, it’s important to make sure the websites they are using are secure and legitimate.  Check to see if there is an “s” in the website address (https:// instead of http://).  Look into anti-virus software packages that can also verify IP addresses you are logging into to make sure it’s legitimate.

Particularly around the holidays and the closing of a year, it is sometimes difficult to remember to take a breath; but when it comes to your identity, it only takes a moment to protect yourself. And with that moment taken, you can now have peace of mind as you wish “Peace of Earth” to friends and family this holiday season.

Over the last few weeks there’s been a noticeable uptick in the number of news outlets covering the growing concerns over how your cellphone can be used to spy on you, track you, and invade your privacy. Even taking a photo with your smartphone can carry consequences.

While the above news story may seem grim, there is a silver lining of sorts. Having worked with law enforcement on cases where police were able to completely map a suspect’s movements over a period of time simply by the location of their cellphone, I can see the enormous value in using cell tracking and monitoring as a policing tool. There’s even this story of a retrieved iPad using the same technology.

So geolocation services can’t be all bad. Can they?

An entire industry has sprung up offering a wide range of very powerful tools that could be tracking you through your cell phone – even if you’re not using it. In a recent article on CNN entitled “How GPS tracking threatens our privacy” civil liberties attorney Catherine Crump righty pointed out that “It doesn’t matter whether your phone is a smartphone or whether you use it to make calls; as long as your phone is turned on, it registers its location with cell phone networks several times a minute, and all U.S. cell phone companies hold on to that data, some of them for years.

She added “Cell phone tracking can reveal our private associations and relationships with one another. The government could make note of whenever people being tracked crossed path or spent time together, showing who our friends, associates and lovers are.”

Law enforcement have become very adept at figuring out how to use cellphone towers to track the movements of suspects, and even get dumps of cellphone data from cellphone companies. And many of the companies that provide the tools of the trade also provide free training to law enforcement in this growing area of digital investigations and forensics.

Speaking in an article in the Wall Street Journal, a magistrate in Texas estimated that anywhere between 20,000 and 30,000 court orders to track cell phones are issues every year. And as the article pointed out, it’s a very grey area because the target of the order, the suspect, is rarely served with the warrant to track his cell phone use. That warrant goes straight to the cell phone company.

So how can you protect yourself? Apart from the fact that you should never commit a crime and even think of getting away with, the only way to prevent your movements being tracked is to keep your cell phone switched off until you need it. But of course that doesn’t stop law enforcement learning things about you and your friends if they’re tracking your friends’ phones.

RELATED STORY: Judges Weigh Phone Tracking

http://online.wsj.com/article/SB10001424052970203733504577024092345458210.html?mod=WSJ_hp_LEFTTopStories

There’s one thing worse than being talked about…and it’s falling for a phishing scam on Twitter.

By nature, when people tell you that there’s a rumor spreading about you or that someone is trashing your name, you will want to know details. It’s simple, human behavior: if people are trash-talking your name and your reputation, you want to know what is being said.

This could be the reason why phishers are trying this approach on Twitter:

You’ll note this tweet arrived in my personal Direct Message (DM) stream last night. I got an identical one this morning. Also identical to the tweet I received last week. Clicking on this link will take you to a verification site similar to Twitter’s login page. This will be your only warning to stop what you’re doing and get off that page as quickly as you can.

The reason so many of these phishing scams appear on Twitter and Facebook (Don’t worry, Google+, you’re probably next on the list…) is that they work. Back in 2009, ZDNet reported that phishing links receive a response rate of 45 percent. This was in 2009, and think for a moment of how many bogus links you’ve received in the past two years.

We keep getting these phishing links because they are effective and efficient in obtaining login information. Cybercrooks eager to get their hands on these credentials seem to be getting smarter in their tactics, playing on your psyche.

But here are a few tells to look for in malicious tweets:

• Watch for spelling and grammar errors in tweets. Even the ones that say “LOL. Is dis U in dis vid?” Does the person tweeting send out tweets like that? Phishers are paying more attention to detail, but consider the voice of the message.
• Does the sender of the tweet chat with you often? Many times, these phishing links come from complete strangers that rarely engage with me on Twitter. If they suddenly reach out to you, there’s nothing wrong with asking why.
• Check the sender’s Twitter feed. If you see little to no engagement, a long gap between the tweets’ timestamps, or nothing in the feed other than links and retweets, it stands to reason the Twitter user is not paying attention to their feed, and have no idea that their account has been compromised.

If you do find yourself falling victim to a phishing scam, here are a few tips and resources to recover your security:

• Publically notify the sender that they have been compromised. Do not send them a direct message, but send them a Mention (the @ symbol followed by their username) that should grab their attention. Don’t block them for spam or call them out as spammers, but politely send them a tweet they need to take a closer look at their Twitter activity.
• Change your password immediately. Something complex, and not a password you share across multiple or data-sensitive accounts (like banking, shopping, etc.). Another good recommendation is to change your password frequently.
• Notify your network. Tweet about it. Post it on Facebook. And, much like us here at IDGuardian, blog about it.
• Check Twitter’s Help Center, @Spam, and @Safety for assistance, help, and latest news on any threats currently in the system.

The best tips we can give to you, though, concerning any URL’s received privately is:

• Confirm a DM, if it seems suspicious, was sent. Send a quick tweet to that person and ask “Did you just DM me?” If they don’t know what you are talking about, then let them know (by a DM, if you have a dialogue with them now) that they should look to their Twitter account.
• Don’t click the URL. Whether it is a wacky “vid” or a bad blog talking smack about you, it is best to walk away from the opportunity, notify that Twitter user there may be a problem, and then delete the offending DM’s from your feed.

The reflex is to click; and on feeling that reflex, that is to time to stop and consider what the intent of the tweet is and what could be waiting for you on the other end of that URL.

Take care, and remain vigilant.

Public outcry over a recent decision by OnStar, the service that helps report accidents and track stolen GM cars, to amend their privacy policy has caused the company to think again.

“We listened,” said OnStar’s president, Linda Marshall. “We hope to maintain the trust of our more than six million customers.”

OnStar announced changes to its privacy policy in September, informing customers that it reserved the right to provide its traffic data to law enforcement, credit card processors and marketers.  To make matters worse, it also said that unless people specifically asked, OnStar would continue tracking people’s cars even if they canceled the service. 

What is this information OnStar is sharing so freely?  This data includes, among many other things, the anonymous aspects of your location, speed, safety belt usage and your credit card information. Customers were told that if they accepted the new statement, then third-party marketers, “with whom OnStar contracts with to conduct joint marketing initiatives,” would also get to access a pool of data from OnStar users.

Although OnStar said it wasn’t actually selling or sharing its data and had no plans to so, the privacy community responded with a huge “No!”  Senators Charles E. Schumer of New York, Chris Coons of Delaware and Al Franken of Minnesota spoke out against the proposed policy changes, and many bloggers and journalists rallied readers to complain to OnStar about the changes.

OnStar did retract one change and announced that it will not track vehicles of drivers who cancel the service.  However, it will continue to track those who are using the service.  It is unclear whether OnStar retains the right to sell anonymized data about existing customers.  I can understand why they need to collect the data, but should they really have the right to sell it?  If an OnStar customer pays for the service, then is it a fair business practice for OnStar to sell information about that customer?

My point is twofold: first there is the security and privacy consideration about a driver’s location and second there is the business consideration that our personal data is worth something.  Plainly, it’s my location and if anyone is going to benefit financially from it then it should be me.  If I want to share the benefits with someone then I should opt-in, not that my location, even anonymized, should be sold unless I opt out.

OnStar put out a fire by deciding not to track vehicles after the service is terminated, but the data they collect and what they do with it is now squarely in the focus of customers and privacy advocates.  Hopefully they’ll make the right decision in order to preserve customer trust.

This morning, the United States woke to news of escalating situations in Libya. From CNN, the report of Moammar Gadhafi’s death (along with a graphic image of the deposed leader) was finally confirmed at 10:36 ET. Earlier on Facebook and Twitter, while facts and images trickled out of Libya, IDGuardian posted the following:

With the news of bit.ly/pfHiUn (CNN) be wary of death video URLs floating around social networks. They may be openings for malware.

As our resident cybersecurity expect and ITC-founder Neal O’ Farrell has reported on our site before, events like this and the recent death of Osama bin Laden usually prelude a spike in cyberattacks that will try to exploit on the breaking news. The fall of prominent political figures are not the only catalyst for these events of social engineering. It can be natural disasters such as Hurricane Irene or the earthquakes in New Zealand and Japan. Even con artists posing as known charities “collecting for the holidays” will attempt to tap into social networks with fraudulent URLs; and while many “social media authorities” claim that these scam links are easily spotted, people continue to fall for them.

IDGuardian returns in light of the breaking headlines today to once again to remind you to set your vigilance high, whether you are on Facebook, Twitter, Google+, or any social network. Keep an eye out for the following scams that may try to exploit media headlines or prey on curiosities, morbid or otherwise:

• Explicit videos promising a glimpse of the dead Gadhafi supposedly filmed during or after the attack. On Google+, we have been told of at least one person who shared a malicious link. (And this is how it starts.) We have not seen any yet crop up on Facebook, but as with Google+ it only takes that one person to spread the virus. Get your news and images from trusted media outlets. Otherwise, instead of viewing a macabre piece of history, you’ll be inviting malware onto your computer.
• Web pages with tempting headlines. These link farms are popping up all over the web, using infected search queries to lure users to what appear to be legitimate news sites. Instead these sites are infected with malware that may warn you that your computer is already infected with malware, and demand payment for fake anti-virus software.
• A spike in spam. Security firm Symantec told SC magazine that they expect a spike of up to 100 million spam emails within 24 hours of the news breaking, and that upward trend could continue with the extensive post-attack analysis.
• “Gadhafi” and “Liberate Libya” Facebook pages. After Osama bin Laden’s death, “fan pages” celebrating his downfall went live, many filed with malicious links. As seen with the death of Apple pioneer Steve Jobs (and the bogus pages established in his honor), these tactics are still popular amongst cybercrooks.

It is easy to get swept up in the fact-checking and breaking headlines, but a few seconds of caution is all that is needed:

• If the link sounds too good to be true (example — “GADHAFI DEATH VIDEO! CLICK HERE”), it is. Don’t click it.
• Rely on established news resources for your facts, your images, and your video links.
• If your computer suddenly informs you that you have a virus, do not panic and click on links that offer you antivirus software. Instead, either run your current anti-virus package or purchase software that comes from a trusted vendor of anti-virus protection.
• If you suddenly hear from someone on your Facebook Chat or Wall, and the conversation starts with a link, be wary. Ask the friend in Chat or in a Message (or you could pick up the phone and call them, in some cases) if they meant to sent that. Don’t click the link right away until you get verification. Even then, be wary.

My mom often looks at my struggles as a 21^st century mom, shakes her head, and says, “You have a lot more to deal with than I did when I was raising you.”

I was a child of the 1970s. We didn’t wear seatbelts. We played on rickety swing sets that were plopped right down on the dirt. We left pieces of leg skin on the searing, metal slide at the park. We rode our bikes without helmets. We got sunburned at the beach. We didn’t have cell phones or dvrs or the internet.  Bullies hung out on the corner, not on Facebook.  The most inappropriate thing to be found on television was Three’s Company.

“I’m not sure I could be a mom now,” my mom says. “There is just too much stuff to worry about.”

She’s right. There is a lot to worry about it, and, as a mother, I worry about it all. I often feel like I don’t have the room in my brain to worry about anything else.

Maybe that’s why I haven’t been paying attention to the issue of child identity theft.

Child identity what? I know. You’re like me, aren’t you? You check the ratings on video games and movies. You limit your children’s screen time. You monitor their online activity. You make sure they have booster seats.  You slather them with sunscreen. You do everything you can to keep your kids safe from all this stuff and still more stuff comes.

Child identity theft? Is this something else I’m supposed to know about?

Yes, I’m afraid it is.

Child identity theft is a growing problem, so much so that the Federal Trade Association recently held a forum in Washington DC to discuss the issue.  In article for ABCnews.com, Adam Levin of Credit.com puts the numbers of children affected by child identity theft between 140,000 to 400,000 a year. Identity thieves nab the Social Security numbers of children and use them to open fraudulent credit card accounts, get jobs, qualify for loans, buy cars, receive medical care, get a tax refund or avoid police.

This can happen with an adult’s Social Security number, as well, but it happens more often to children.  A study by Carnegie Melon Cylab found that while .2% of adults have had someone else use their Social Security number, the percentage is much higher for kids. 10.2% of children have had someone else use their Social Security number. Children’s Social Security numbers are much more attractive to thieves because they have clean records, and they aren’t closely monitored. Parents don’t usually check their children’s credit reports because kids can’t get credit. Have you ever thought to check your child’s credit report? I know I haven’t.

This is exactly what makes a child’s Social Security number attractive to identity thieves. No one notices the theft because no one is looking. In fact, experts agree that the misuse of a child’s Social Security number may go undetected for years, and that’s a lot of time to do some damage.

How worried should you be as parent? Well, while the theft of your child’s Social Security number and identity may not hurt your child now, what about when they are older and apply for a car loan or a credit card or a student loan, only to discover that their credit rating is trashed? Then it becomes a very large problem indeed. Even in my state as a perpetually overwhelmed 21^st century mother, I can see that problem.

So why aren’t parents like me paying closer attention to this issue? Maybe it is because, while the consequences can be significant when a young adult discovers their identity has been stolen, young adulthood seems like a long way off for many parents. When you are focused on all the immediate issues like diapers and preschool and teaching your kids not to touch burners or eat staples, the thought of a possibly bad credit rating fifteen years down the line for the child who just fell of her tricycle and needs a band-aid on her knee  . . . what could seem more remote?

But it’s not far away. It’s actually right around the corner, and the experts agree that by being aware of the problem now, you can save you and your child some significant headaches when that remote time known as young adulthood finally arrives.

• First, protect your child’s Social Security number. Don’t give it out on doctor’s forms or school forms. If someone other than the IRS asks for it, ask why they need it.
• Secondly, according to a report on Reuters Money, if you receive credit card offers in your child’s name or collection calls for your child, don’t laugh them off as silly mistakes. These are warning signs that your child’s identity has been compromised.
• Finally, periodically check your child’s credit report. Michelle Dennedy, founder of the website, The Identity Project, a website that provides resources regarding identity theft, says that being alert and monitoring your child’s identity is an important step to “devalue your kid’s identity to the bad guys.” She points out, “A watched identity is much less valuable because it can’t be sold and resold.”

Even perpetually overwhelmed 21^st century parents like myself need to keep watch for trouble. Jamiee Napp, a Visiting Fellow at the Office for Victims of Crime, U.S. Justice Department writes, “the most important step we can take is to help build awareness of the issue, to learn more and talk to our friends and family about child identity theft.

We need to take the necessary steps to keep our children’s identities safe. If we don’t, our kids might have trouble getting those school loans, buying those cars, and landing those dream jobs that mean they can finally move out. Now there’s something to worry about!

Whether it is this week or next, a new school year is about to begin. Your child, regardless of the grade, now faces a who new year of challenges, both academic and emotional. While parents tend to focus more on the obstacles at hand — time for homework, time for extra-cxurricular activities, what your child needs to succeed — it is tough for parents to also keep in mind some of the social aspect of schools.

Who are my kids keeping company with?

Is my child experiencing her first crush?

How does my child see themselves when compared to other kids?

Perhaps the details of school life may appear trivial, but to the child they are not. Social acceptance still matters to our kids, and with identity theft against children an issue in all our lives, we should consider — as well as impart on our children — the importance of identity and reputation, and what happens when it falls into the wrong hands. Just this summer, a 12-year-old and her 11-year-old accomplice engaged in both identity theft and cyberbullying through Facebook. Their motive: a “Falling out” with their victim. Technology has made bullying easier, more anonymous, and accessible to a global audience; and in the wake of Tyler Clementi in New Jersey,  Asher Brown in Texas, and Phoebe Prince in Massachusetts, stories of cyberbullying continue to appear online and in the headlines, both in the United States and around the world.

State and Federal governments are now considering laws that will directly address cyberbullying with harder penalties. The true tragedy of cyberbullying is, though, that it has been in our online communities for years, appearing in a variety of forms: harassment, physical threats, intimidation, and unwarranted confrontation all carried out through email, websites, and social media. Perhaps a reason cyberbullying has not been seriously scrutinized until recently is the cyber aspect of the crime. As it is happening online, it’s not “really” happening. At least, not in the real world. It’s limited to the Internet. You don’t like what someone is posting? Just turn them off. You can do that on the Internet.

Smartphones, WiFi, and the ability to share media quickly and easily online, however, have made it harder for people to just “turn off” online aggression. Communications now come to you on your computer, your phone, and even your gaming system; and these messages can be easily distributed to others and even go viral.

Perhaps the most infamous of cyberbullying cases comes from 2003 when Star Wars fan Ghyslian Raza appeared on YouTube wielding a golf ball retriever as the two-edged lightsaber seen in Episode I: The Phantom Menace. As of 2010, this video (uploaded by students that regarded their cyberbullying as a harmless prank) has been viewed over 18 million times, just on YouTube. Another resource claims that from the spinoffs and other online video sharing servers, Raza’s video has been seen a total of 900 million times.

Raza was dubbed “The Star Wars Kid” and proceeded to appear in numerous parodies of the original video, ranging from outright spoofs on shows like South Park, Arrested Development, and The Colbert Report, to the jumbotron programming at the San Francisco Giants ballpark. This endless ridicule (that, I admit, I chuckled at, in the beginning…) drove Raza to drop out of high school and seek psychiatric counseling.

Cyberbullying, along with various technological avenues, also utilizes identity theft as one of its tools. As reported on this blog, truly brazen, uninhibited individuals will go on to online forums under their mark’s credentials, and leave abusive or lewd comments, turning its contributors against him or her. In more lascivious settings, the cyberbully will leave a phone number or address with an inflammatory post, essentially driving unwanted traffic off the Internet and right to their victim’s doorstep. This kind of online impersonation can lead to cases of stalking, assault, harassment, or far worse.

I try to steel myself for that time when my child might have to confront such people, be they online or in the real world. However, I realize that I am no superhero and cannot be in several places at the same time. There will be times when I won’t be there for my daughter, and yes, that terrifies me.

I do realize, though, there are steps we can take and strategies that we can implement to make sure that both of us are ready for bullying (of any sort).

Keep your child’s computer in a visible, open space in your home. This may seem to be an invasion of their privacy, but this is no different from asking your child “who’s house are you going to, have I met this boy’s/girl’s parents…” or asking your teen “who are you going out with tonight, where you are going, what time are you coming home…” Monitoring what websites your child visits, and applying security settings on browsers and operating systems is basic parenting.

Keep communication lines open with your children. I know in many cases this is far easier said than done; but by making sure your kids know they can come to you when harassment occurs, you will be kept in the loop on exactly what is happening in your kids’ lives. Remind your child of what makes them unique and that cyberbullies, in many cases, are usually working through their own insecurities. (This was a tough truth to come to grips with when I was bullied, but in retrospect it makes a lot of sense to me now.) While that may smack of Pollyannaism, the truth is that we all have something about us that is unique, and a reminder of that quality—especially from a parent—does abate a bully’s sting.

Find strength in numbers. From my own personal experiences with cyberbullying, I found strength in the circle of friends I kept. It can be your best friend or a group of friends, but find solace in their companionship. For me, that was always a great help.

Have Your Kids Consider Consequences, Even in Private. Quite often, especially in social media, photos and videos are taken in moments that, maybe, shouldn’t be shared with the public. Do your kids appreciate that? As it is with what is said in Facebook updates and tweets, kids should consider carefully what they say or do on public, and regard their behavior as if it public and being recorded for posterity or shared with the world. “Being online” is not the same as “being in the privacy of your own home.”

Impress upon your child the importance of identity protection. Online impersonation can be easily avoided if your children learn to respect their identity’s worth. Teach your children not use the same passwords from account to account as that opens them up for additional problems if a cyberbully gets hold of that “All Access” pass. Discourage nonchalantly loaning out passwords to friends who might need to log on to a favorite network or forum “just take care of something.” User Identification (UID) is another form of PII, and should be regarded with the same care and importance.

Keep a print record of harassments. Many websites will recommend to block or delete harassing messages, which is easier to do; but if the bullying continues or escalates to physical threats, a physical paper trail of harassing emails, Facebook messages, and now (with many smartphones) SMS messages provides hard evidence. If messages appear to be coming from an anonymous source, contact your Internet Service Provider for assistance in tracking the email’s IP address and exposing the cyberbully to their parents or to law enforcement.

Have your kids take a “Zero Tolerance” stance against Cyberbullying. This is, perhaps, the toughest thing to ask of your kids as the desire to “fit in” and peer pressure hasn’t changed all that much from the time I, or my parents, went to school. The intent you should be pushing on your child is that cyberbullying is wrong, that “just because it happens online doesn’t mean it’s no big deal.” Impress upon them that on the other end of the computer is a person, and that insults can hurt online just as much as in the real world. Not only should your child not bully online, neither should his/her friends. If they do, then suggest your child put some distance between those friends; or, to really get the message across, befriend and defend the person being bullied. If we want to stop bullying of any kind, taking away the power from those who bully is priority Number One. If the bully loses interest in the mark, then they lose their power.

This will be the hardest act for your child to carry out. It will also be the bravest.

Be careful whom you pick on. I have a few stories I could tell, ranging from my own to friends of mine that rose above the bullying; but when it comes to stepping up to the cyberbullies and coming into his own, look no further than the Star Wars Kid himself, Ghyslain Raza, as the blog Geekosystem reports:

“After eight years of laughs at his expense – and a few campaigns in his defense – Ghyslain is back. Now in his early 20s, he’s reemerged as the president of the Patrimoine Trois-Rivières, a conservation society that aims to preserve the cultural heritage of his hometown of Trois-Rivières.

Revenge of the Sith this isn’t, but he’s putting his litigious experience to some use, getting his law degree at McGill University in Montreal.”

Not bad for someone who faced cyberbullying on an epic scale.

When kids resort to cyberbullying, they become more than kids. Kids become predators. They prey on another’s resolve and exterior, and continue to push until something gives. Cyberbullying is in not “kids being kids online.” It is harassment fueled by ignorance, hate, insecurity, and malicious intent; and enabled by technology. Responsibility to stop this crime falls on us, the parents, to bestow upon our children an understanding of the power of words, of technology, and of respect. Perhaps there are some lessons and situations that our kids will work through on their own; but it never hurts to take on the role of a nosey parent and stop behavior that could lead to something darker.

Sure. I know not everyone will like my kid. But if I pass along to my child one lesson, it is that there isn’t anyone in the world like her and that is something she should cherish. And she should also cherish that in the people she meets.

This is where bullying stops. With us.

As identity theft against children continues to appear as a growing issue online and in mainstream media outlets, IDGuardian is reposting some of our previous articles concerning minors and keeping their personal data safe. The importance of safeguarding one’s personally identifying information (PII) came to the forefront of society’s attention during the massive Sony data breach of 2011. Millions of the PlayStation Network users found themselves vulnerable to identity theft as names, addresses (both email and postal), birth dates, usernames, passwords, logins, and security questions had all been obtained by an unknown and unauthorized party. (Many security experts and hactivists suspect Anonymous was behind the initial assault while LulzSec did make claims to later breaches.) In this repost from security expert, journalist, and gaming enthusiast Matt Sarrel, we consider strategies in keeping you safe when your game is on like Donkey Kong.

It’s that time of year again when thoughts turn to the less-than-exciting and impending return to the grind of school and homework.  While our bodies have been fully engaged in sunshine and playing outside, we’ll soon be engulfed in the busy worlds of academics, sports, and social life.

And video games.

Whether you turn to Wii, PS3, Xbox 360, your PC or Mac, or even your PSP, DS, Android or iPhone, try not to allow the transition into the make-believe game world suspend your otherwise attentive and security oriented mind.   Yes, we’ve reached the point where games are no longer innocuous entertainment and in some cases have become the gateway to fraud.

You may be reading this thinking “Is this for real?” The short answer — “Heck yeah…” The long answer — “…and it is getting worse”.

I used to read about some sort of game related scam once in a blue moon, but now it seems like there’s something in the news at least once a week.  Usually these revolve around another player in World of Warcraft offering to sell someone something that they need in-game.  So someone walks up to you and says, “Do you want the all powerful dragon sword?”  Of course you do, but don’t follow him offline and email him your credit card number to buy it.

Along with the epic-scale Sony Breach of April 2011, gaming scams involve a variety of security risks we’ve covered before on IDGuardian: phishing, malware, social engineering.  Last year in early August, the most anticipated game launch was for Starcraft 2.  And scammers were right on it. As described here, phishing emails were sent out in an attempt to steal user accounts.  Emails were crafted to look like they were from Blizzard and contained a CD key.  Users were directed to a fake web site.  If they entered their account info in the form on that fake site, their accounts were stolen.

So how can gamers repel boarders and still stay safe, when hackers and scammers are proving more tenacious than The Horde on discovering there’s no more coffee in the supplies?

The first step in staying safe is to follow the usual best practices when creating accounts.  Use strong passwords (or passphrases to add an extra hurdle for would-be hackers) to protect your gaming account.  Never use the same password in more than one place or you’ll risk losing the keys to the kingdom beyond your virtual one.  Don’t use easily guessable passwords either like your dog’s name followed by 1234, i.e. toto1234.  The least sense a password makes the better.

Don’t get attached to a password or passphrase. Change your password often. For maximum security, monthly. At the very least, every three months. Once your password has been active for six months, you’re running a risk.

The next step is to suspend whatever level of trust has been established in your online community.  There’s really no guarantee that anyone is who they say they are.  After all, you’re probably not interacting with “John Smith” and instead you’re interacting with “Klosko the War Ogre”.  Don’t loan anything of value to anyone else in game, and make sure to be suspicious of other players who want to trade equipment with you directly.

If anyone offers to complete a transaction outside of the game world then run away as fast as you can.  Typically, a fraudster will try to get you to leave whatever protection there may be within the game world and go somewhere else to engage in a transaction.  This should send up red flags as it is the online equivalent of asking you to step into an alley to buy a shiny new watch.

No one should ever ask you for your credit card number and/or other PII when online.  Social engineering is rampant and is especially effective against children. If you’re a parent, make sure your children understand not to give out this information.  In fact, don’t even let them access this information – hide it if possible.  Explain that while it is valuable for their character to explore and meet new people, it may not be safe for players to meet new people. When in-game, stay in-game. Never introduce real assets to potential fraud in the game world.The only time you should be introducing PII is if you instigate contact with the Billing or Technical Support team, not through a surprise email appearing in your mailbox.

There’s also the more drastic option of setting parental controls in Windows,  Mac, Wii, PS3, and Xbox 360.  These can prevent different online activities or even prevent a child from going online at all.  This may be a good option for parents who can’t supervise the majority of play time, and as a parent you should be forewarned that today’s games are designed with dozens of hours of gameplay in mind.  Setting rules that your kid can only play with you there isn’t feasible.

Plus, it’s hard to remain vigilant after watching 40 hours of Mass Effect. Make sure to pace your online game time. Otherwise, it is very easy to be lured into a conversation that can put your personal data at risk.

With these tips in mind, your kingdom calls or your fleet is awaiting telemetry. Level up, and game on!

With two weeks of summer remaining, our attentions begin to turn to what is coming after the extended Labor Day weekend. There is the weather turning to cooler (and after our summer here, welcomed) temperatures. For sports fans it’s The World Series in baseball, while football fans (thankfully) look forward to the beginning of the 2011 NFL season. This is also the time when parents begin to seriously look at the new, upcoming academic year.

Yes, our kids are heading back to school.

Each year, both kids and parents face new challenges; but this year, identity theft against children is an issue that may be a new concern for both parties. Our kids may learn this year that identity theft continues to be one of the fastest growing crimes in the country, the Federal Trade Commission reporting that younger aged children are often targeted by identity thieves as the crime can go undetected for longer periods of time.

For most parents, the start of the school year brings excitement and apprehension.  It also means having to fill out or update a number of forms required by the school, some of which ask for your child’s date of birth, home address, phone number, and even your child’s Social Security number. IDGuardian, keeping this in mind, is reposting some of our previous articles concerning minors and keeping their personal data safe. It may seem that assuring your child’s personally identifying information (PII) is easy to keep secure, but it can be pretty hard as the Better Business Bureau and throughout the blogosphere, experts are noting a shift from adults to children as targets has occurred, ultimately placing on parents the responsibility to question how their children’s personal identifiable information (PII) is being used, why it is necessary, and if it is being secured against identity thieves.How can parents and students keep their PII safe?

ID Guardian has compiled the following list of tips to help parents protect their school-aged children from becoming victims of identity theft:

1. Remind your children not to share any personal information like their home address, phone number, or Social Security numbers with anyone. Typically the first day of school is filled with lots of questions from school staff and children need to know to ask their parents first before sharing any of that information.
2. If you are a new parent with a child entering kindergarten, most schools will require a copy of that child’s birth certificate. Do not leave a copy behind. If they are collecting information for later review, ask them where this information will be stored and who will have access to it.
3. Most schools still ask for the child’s Social Security number; however, it is more of a “like to have” rather than a “must have.” This information is not always handled properly and puts your child further at risk for having their identity compromised should the information be accidentally leaked or stolen from insiders. Ask to speak to the principal if you are uncomfortable with providing the information.
4. Children are always excited to show off their brand new backpacks and supplies on the first day of school.  And most backpacks nowadays include identification tags that hang on the outside that include the owner’s name and home address. Instead of making your child’s personal information easily accessible, writing their name in permanent ink somewhere on the inside of the bag is a better idea.
5. With more and more schools providing students access to computers for everyday use, it is important to teach your children how to be safe online while at school and to familiarize yourself with the school’s Acceptable Use Policy for Internet Use.
6.  Stay involved with your child’s online activities. Based on a study by Grunwald Associates, an estimated 27 percent of 9-17 year olds maintained weekly blogs, web pages or other online spaces in 2008. One in five U.S. children say they do things online their parents would not approve of, according to a recent Norton Online Living Report.  Make sure you monitor what your children are doing online. Review and explain the privacy policies with your child so they understand how their information can be exposed if proper security preferences are not put in place.
7. Consider using parental control software or services to help monitor what your children are doing online.  Some parental control software can cost around $40 while many websites like AOL, MSN and Yahoo, offer some form of free parental controls included with their services.
8. Keep an eye out for any mail, particularly credit applications addressed to your child, or telemarketing calls asking for your child by name—this could indicate that someone has used your child’s personal information to commit identity theft.

With identity theft against children a growing issue online and in mainstream media outlets, IDGuardian is reposting some of our previous articles concerning minors and keeping their personal data safe. It may seem that assuring your child’s personally identifying information (PII) is easy to keep secure, but it can be pretty hard to do as kids can be, at the drop of a hat, so darn cute. This cuteness can be completely out of control when a camera — be it video or still — comes into play. Whether it is in their infancy when you catch a magic moment, or a few years later when they ham it up for the photo, kids and cameras can sometimes be the best of buddies.

Technology has made photographing your child easy. Frighteningly easy. Not just for you but for others. Digital cameras, once costing in the hundreds, can be found online for under ten dollars. Smartphones can capture images that are print-worthy, and now double as video cameras (as seen below). And many applications and utilities available for digital photographers offer direct access to social networks like Flickr, YouTube, Facebook, and Twitter. Privacy, according to The New York Times, is nearly non-existent online; and yet friends and relatives rely on Internet venues to keep in touch and catch a glimpse of your kids hard at work or play.

The good news is that there is a comfort zone between never taking pictures or shooting video of your child and sharing every moment with the world on Facebook. With only a few tips kept in mind, you can keep loved ones and close friends in the know and still play safe:

• Explore Privacy Settings for Your Online Networks.Some social network venues tend to be cavalier when it comes privacy, but there are other outlets that provide various methods of protection. Here is just a quick glance at some of those options:
  • WordPress (blogging software): Individual blogposts can be Password Protected or made Private, granting you full control over this individual post and what you want subscribers to receive.
  • Flickr (photo sharing): When accepting Contacts, you can designate them as Contacts, Friends, or Friends & Family. You can then make individual photos or entire albums Public, Private to Friends, or Private to Friends & Family.
  • YouTube (video sharing): You have the option to designate a video clip as either “Public” (anyone can search and view), “Unlisted” (only those with the link can see it), or “Private” (only people you choose can view).  There are additional Privacy settings found by clicking on your member name in the top right corner of your YouTube window. From there, select Settings > Privacy.
  • Facebook (social networking): Under the Photos section of your Profile, you will see near the top of the window a link for “Album Privacy.” From here, you can designate how public or private you want your images to be.

  Staying safe in social networking takes only a few minutes. Understand how filters work and being smart in how you set them.

• Avoid using you child’s name online.  We gave this advice back in March 2010, but it bears repeating as people still reveal their children’s names in open, online conversations. Code names allow you to talk about day-to-day and special events with little to no risk, but in the end it is your comfort level that makes the final call. Don’t panic on the occasional slip, but do ask that close friends adhere to these code names when online.
• Have a Child Identification card made for your child. For Example, the Prince William County Sheriff’s Office in Virginia sponsors Ident-A-Child, where minors are given free of charge a photo identification card that features vital statistics such as height, weight, eye color, and so on. Check with your local law enforcement and inquire if they have an identification program for children.
• Continue to take pictures and video of your child. Why is that part of our advice? Swiftness in locating missing or abducted children can come down to a recent photograph or video clip.  Technology has made snapping off photos and shooting video commonplace, and having recent media of your child on hand are always good, not only for sharing with friends but also in keeping your child’s identification current. Never be afraid to capture time with your child.

Policing pictures and video of our kids can be a truly daunting task, especially in a world with so many different cameras accessible. You should not feel obligated, even with the trend of social networking, to reveal every waking moment with your child. You should, however, be smart before you start posting. Find out what privacy filters exist, understand how they work and how much control you have over the information shared, and take a moment to ask yourself if you want to share this particular moment online. It’s okay to ham it up with your child, and it’s even better to let your kids be kids; so long as you are safe and smart about it. Privacy matters. Even to those who don’t understand what it is.

Tampa Bay Online recently ran a story on what could be a growing problem of identity confusion, a case where a victim is treated like a criminal because the real criminal happens to have the same name, date of birth, and even Social Security number. While there are not too many documented cases, it could be a growing problem simply because of the number of errors contained in public databases that result in inaccurate information.

In this case, a resident of Florida named Fabian Lopez has spent years trying to convince anyone who would listen that he’s not the Fabian Lopez, of New Jersey with the same date of birth. According to court records, New Jersey Fabian has an extensive criminal history, including charges of lewdness, criminal sexual contact, burglary, failure to comply with conditions of bail, and failure to appear in court.

It’s that record that seems to have hijacked the life of the victim, including a very public arrest by law enforcement. “This is worse than identity theft,” Lopez said in an interview with Tampa Bay Online. “It’s not that they stole my identity – they’re giving me an identity that’s not mineBecause of the confusion, the victim in Florida has been unable to obtain a driver’s license, especially tough when he drives a cab for a living.

This is not a case of identity theft, so the victim can’t benefit from all the laws and services that are in place to protect victims of identity theft. If there are errors in a database that incorrectly match a date of birth, Social Security number, or address, these can be fixed, but it’s rarely easy.  The victims are left with a lifetime of groundhog days, constantly going through the same routine to explain they’re not who people think they are, even if they’re trying to explain it from a jail cell.

 

RELATED STORY: Identity Theft in Reverse

http://www2.tbo.com/news/news/2011/aug/02/identity-theft-in-reverse-ar-247749/

With a new school year about to start and identity theft against children on the rise, we have brought out from our archives a few choice articles concerning minors and keeping their personal data safe. It may seem that assuring your child’s personally identifying information (PII) is easy to keep secure. Perhaps you have their Social Security numbers safely filed away, and perhaps your extra careful where sensitive details are shared, but these precautions are only cornerstones in a secure foundation you should be raising your child with.

From TheFutureBuzz blog, these 2009 statistics just touch on the reach of blogs:

• 133,000,000 blogs were indexed by Technorati (a search engine specific to searching blogs) since 2002
• 346,000,000 people globally read blogs (from comScore March 2008)
• An average of 900,000 blog posts went live in a 24-hour period
• 77% of active Internet users read blogs
• 81 languages are represented in the blogosphere.
• 59% of bloggers have been blogging for at least 2 years

That’s a lot of data to keep track of.

What is alarming, though, are the instances when kids and parents reveal too much information about their lifestyles.  The Washington Post reported that 8% of Twitter users were teens, while comScore reported that the average user on Twitter is between the ages of 45-54. This insinuates that while the younger generation isn’t actively tweeting, updating their Facebook statuses, or blogging about their week, their parents may very well be, and in the process revealing the name of their school, their current whereabouts (soccer game, basketball game, etc.), or even more alarming, their names and names of friends. What may appear as innocuous details on the surface is a treasure trove of information that, at the very least, identity thieves can get a hold of and exploit. Perhaps we wouldn’t want to consider the worst case scenarios, but these scenarios are undeniable and slightly frightening truths that should not be dismissed.

By no means, though, are we endorsing or suggesting that mommy or daddy bloggers stop posting, that parental podcasters shut down their productions and delete their various accounts across social networks, or that children be quarantined from technology. What we do suggest are a few things to make your online communities and communications safer and stronger:

• Avoid using you child’s name online.   When you are in a discussion online or putting together a commentary on a current issue, try to refer to your child by a code name. (Superhero names are particularly fun.) Do not punish yourself or others for the occasional slip, but do ask that close friends adhere to these code names when online.
• Disable GPS Location services when attending school or family events. It’s been a hot topic across the Internet. From the New York Times to CBS to this very blog, the debate over how much information is too much information continues. When sharing your status with social networks, keep places and events broad and generic. You can still share a picture of your son or daughter attending the event, but avoid posting coordinates or checking in with location-based vendors. Instead, post a photo and say “At my daughter’s concert. I’m so very proud of her.” That will convey the same message and carry the same sentiment without sharing your exact whereabouts.
• Keep your child’s computer in a high traffic location of the house. We have to take precautions with tools like computers, and accept that while kids know how they work, they may not grasp how vulnerable they can make themselves when going online. By placing a computer or laptop in an open area of your house, you can monitor your child’s online whereabouts. This includes:
  • Chat rooms
  • Forums
  • Online shopping

  While some (including “tweens” and teens 13-15 years old) may look at this as “spying” keep these statistics in mind:

  • One in five U.S. teenagers who regularly log on to the Internet say they have received an unwanted sexual solicitation via the Web. Solicitations were defined as requests to engage in sexual activities or sexual talk, or to give personal sexual information. (Crimes Against Children Research Center)
  • 75% of children are willing to share personal information online about themselves and their family in exchange for goods and services. (eMarketer)
  • 77% of the targets for online predators were age 14 or older.  Another 22% were users ages 10 to 13. (Crimes Against Children Research Center)

  And to keep in mind at all times…

  • Only 1/3 of households with Internet access are actively protecting their children with filtering or blocking software. (Center for Missing and Exploited Children)

  You aren’t spying. You’re being a responsible parent.

• Understand How the “Wonder Widget” Works. Part of being a responsible parent also means getting a grasp at what “cool tech” is out there and how it works. This is probably the most difficult aspect of parenting as kids’ interests change almost as quickly as technology itself. (And usually, something is considered “uncool” when Mom and Dad figure it out.) However, it is a good idea if you know your child is getting into MySpace, asking for a smartphone for their birthday, or joining an MMO game (and if you don’t know what MMO stands for, this is part of understanding the trends in tech), you should have a basic idea of what the widget is, how it works, and more importantly  how vulnerable it could make your child.  No, you don’t have to be a Social Media expert, or a Level 41 Wizard in World of Warcraft; but a grasp of the basics can take you far.

It is very easy to regard identity protection as something exclusive for grown-up’s, but our children’s identity is equally as important.  By not considering where key points of  personal identifiable information (PII) are revealed and shared within  online communities and in everyday exchanges in the real world, we could be inadvertently placing our kids within harm’s way. From fraudulent credit card accounts to character-damaging actions online to the worst case scenario — personal danger — all are possible if parents do not stop and think before they blog, tweet, or post a Facebook update status.   Predators and identity thieves do not discriminate by age.  We are all susceptible and as adults, and parents, it is our responsibility to protect our children.

As vacationers across the country hit the roads for end-of-the-summer getaways, scammers as usual, are not very far behind. Scams and identity theft in the hotel and hospitality industry are nothing new, in part because scammers love to target places where there are plenty of people who may be too busy, too distracted, or moving too fast to realize they’re being scammed. Until it’s too late.

Researchers have spotted a recent spike in spam email trying to trick users into opening an infected file by advising the recipient of a mistake with a recent transaction at the hotel. Emails that use things like transaction notices and receipts are nothing new, usually popular around the Christmas holidays when people are more likely to be buying stuff and also more likely to click on such an email.

Recipients of the email are warned that there was an error with a payment or transaction at a hotel, with subject lines like “Hotel [Major Chain] Las Vegas made wrong transaction,” and “Wrong transaction from your credit card in [Major Hotel Chain] Atlanta.”

The scammers’ expectation is that recipients will either be on vacation or have recently returned, and may genuinely believe that there was a mistake with their payment or their credit card was compromised while on vacation and is now being used by the thieves.

The email usually contains an attachment that purports to be a receipt or explanation but instead hides a nasty piece of malware. In some cases the malware is promoting fake anti-virus software.

Lessons learned?

• Avoid advertising your whereabouts on social networking sites, and avoid geo-tracking. This gives thieves the information they need to target you. particularly if you are sharing your whereabouts.
• Guard your computer from key loggers, hackers, spammers, and botnets by installing up-to-date anti-virus and anti-spyware software on your laptop computer.
• Limit the number of credit cards you bring with you. Carry just one and keep a backup in the hotel safe. Keep a copy of the emergency contact numbers for your credit cards and bank accounts handy in case they’re lost or stolen. If you are using debit cards while on vacation, be cautious and protective of PINs, especially when withdrawing money. If you’re driving on vacation, only use credit cards to pay for gas, and be vigilant for gas pumps that appear to have been tampered with.
• And of course, never click on an attachment in any email you’re not expecting. If you get an email from a hotel disputing a charge or payment, go directly to the hotel web site and call the customer service number.

RELATED STORY: Fake ‘wrong transaction’ hotel spam hits email

http://www.msnbc.msn.com/id/43948767/ns/technology_and_science-security/

UPDATE: On August 10 2011, the police in London finally took action. Dick Fedorcio, the longtime director of public affairs at Scotland Yard, has been placed on extended leave until the criminal inquiries are concluded. Mr. Fedorcio, an 11 year veteran of “the yard”, has been widely criticized for hiring Neil Wallis, a former deputy editor at The News of The World, as a public relations consultant for the police in 2009. As it turns out, Mr. Wallis was actively working for both the police and The News of The World and was arrested on July 14, 2011 on “suspicion of phone hacking and bribing police officers.” Mr. Wallis has refused to discuss the matter publicly.

In addition, Greg Miskiw (a wonderful name for someone involved in this “Mis-cue”), a former editor of The News of The World, was arrested on August 10, 2011. He was arrested because a former reporter came forward and said that Mr. Miskiw had helped him find a source he was seeking by using a mobile phone number. Mr. Miskiw had paid $500 as a bribe to officers at Scotland Yard to have them ping them phone in order to locate the operator.

I am fascinated by this quote in Thursday’s New York Times: “It looks very bad for [the metropolitan London police], but I am not that surprised, actually the connections between all these people were so deep that I would have been more surprised if they had not tried to use them,” sad a 30-year veteran of Scotland Yard.

Over the past few weeks, the Internet has been buzzing with yet another violation of privacy with grave implications for keeping our identities safe.  British journalists working for Rupert Murdoch’s now defunct News of the World are accused of hiring private detectives to illegally break into the voicemails of thousands of people, ranging from top politicians and celebrities, to murder victims, to the families of fallen soldiers. To make matters worse, there is also an allegation that journalists bribed the police to obtain private details about people, including members of the royal family.

This privacy fiasco is suspected to reach as high as the prime minister’s office.

According to CNN, the depravity of these News of the World hackers came to light in July when the family of a murdered teenage girl Milly Dowler announced that Milly’s phone had been hacked in 2002.  The hacker allegedly deleted some voicemail messages, so the Dowler family continued to hope their daughter was still alive.

In July 2011, the 168-year-old paper, News of the World, the best-selling English language paper in the world, shut down the presses.  Rupert Murdoch’s news empire took the hit, as did the 300 or so employees who were dismissed without warning, some of whom were left stranded in foreign countries where they had been on assignment.

What does this mean for you? One thing is clear: your voicemail password should be something unique and difficult to guess. The way these hackers were able to break into voicemail systems was insultingly simple. (I don’t even truly consider this hacking.) Somebody would call you to tie up your phone line while another dialed into your voicemail and tried various password combinations to unlock it. This is considered a brute force attack because there is nothing elegant about it. If he had to, the hacker would have entered every combination from 0000 to 9999. As it turns out, the majority of victims had voicemail passwords of 0000, 1111, 1234, or the last four digits of their phone number, a factory default used by most mobile carriers and a vulnerability reported on this blog back in December by both Gawker and Neal O’Farrell.

In addition, you should change your voicemail password on a regular basis, for instance, every three to six months. This way, if it is hacked, you can contain some of the damage. Records show that some of the affected voicemail accounts were hacked over and over again. So if you suspect that something fishy is going on with your own phone, change your password more frequently.

Also, configure your voicemail to always require your password, even if dialed from your own phone.  This will prevent someone from using your phone surreptitiously or spoofing your number and getting into your voicemail. People tend to think that if they are in physical possession of their phone they are safe from this sort of attack, but that just might not be true anymore.

Perhaps most importantly, though, is what this incident means for all of us. One of the most far-reaching news empires in the world has its hands very, very dirty in privacy abuses. Rupert Murdoch and those under his command should be discouraged in putting their own freedom before another. Our personal privacy, our identities, are far more important than “freedom of the press”, especially when that “freedom of the press” is breaking any number of national and international laws.

If you’re suspected of being the official spokesperson of two of the world’s most notorious hacking groups, a good place to hide would be the remote Shetland Islands off the coast of Britain. No one would think of looking there, right?

Wrong.

Turns out the remote Shetland Islands weren’t remote enough to avoid the long arm of the law. At the close of July, that arm reached out and plucked up an 18-year-old who goes by the name “Topiary” and is believed to be the spokesperson for both Anonymous and its offshoot Lulz.

Jake Davis was charged with a variety of hacking offenses and then promptly released on bail. Reuters suggested that in spite of a string of arrests of people believed to be involved with these groups, the arrest of Davis might be the most significant. Police also charged Davis with hacking the web site of the Sun newspaper, and redirecting visitors to another web site with a fake news story that the newspaper’s owner, Rupert Murdoch, had died.

According to prosecutors, when he was arrested, Davis had one laptop in his home that had been rigged to operate as more than a dozen separate virtual computers. Davis was also using one-time email addresses that are often favored by hackers to hide their identities and tracks. He is also believed to have had the passwords of more than 750,000 individuals on his computer, as well as information on the highly publicized attack against Sony.

While Davis’ lawyer is already suggesting that his client was a sympathizer rather than activist, it might be hard to explain away that hoard of data.

RELATED STORY: British Police Arrest Top Anonymous/LulzSec Leader

http://www.theatlanticwire.com/technology/2011/07/british-police-arrest-top-anonymouslulzsec-leader/40473/

As home buying and selling activity increases, and so does the risk of identity theft as personally identifiable information (PII) is shuffled around from one home to the next. During this busy time, buyers and renters become preoccupied with financing their new homes, closing and opening new banking and utility accounts, and packing and moving—all stressful tasks that can distract them and cause them to simply overlook protecting sensitive documents and PII.

According to Javelin Strategy and Research, more than eight million Americans fell victim to identity theft in 2010. To protect yourself from this threat in 2011, we at IDGuardian recommend that you take precautions and follow a list of simple steps homeowners can take throughout the moving process to help protect their identity.

1. Submit a Change of Address Form. Submit an official Change of Address Form through your local post office, and once the request has been filed, keep an eye out for a confirmation from the Postal Service. You’ll want to use this to verify that your new information has been correctly updated.  You can expect your mail to arrive at your new address within 7 to 10 business days after filing.
2. Shred sensitive documents. All important documents and paperwork that will not be coming with you should be shredded to prevent thieves from finding any information in your trash. A small investment in a shredder is well worth it when you consider the headache it could be preventing.
3. Monitor financial statements. Watch over your bank and credit card statements for suspicious activity.
4. Use reputable moving companies.  Many Americans use a moving service to help pack and move their boxes, but mover fraud is becoming more commonplace in the U.S. Take the time to read reviews, research the company and ask trusted friends, family or real estate agents for recommendations. Always check the mover’s reputation with the Better Business Bureau and  make sure the mover is registered with the Federal Motor Carrier Safety Administration (FMCSA), and has a U.S. Department of Transportation (USDOT) number before signing any agreements or obtaining an estimate.
5. Keep documents with you. Transfer all important physical documents that will be making the move, such as wills, stock certificates, bonds, etc., to a safe and secure place such as a locked box. Keep the physical documents with you during the move and do not leave any secure receptacles for movers or others to transport.
6. Lock down your computer. Devote time and resources before your move to make sure all computers in your home are hack-proof and packed and out of sight before movers arrive.
7. Supervise the move. Make sure you are present for the entire duration of the move. Your presence could deter potential theft from occurring and you can rest assured that your personal belongings are being taken care of properly.
8. Check your credit report. Take a look at your credit report for several months after you’ve moved. Any suspicious activity on the report may be a sign that your information has been compromised and local authorities and banks should be contacted.
9. Verify mail is being delivered. After the move, verify that you are receiving all mail from the list of senders you identified and contacted beforehand.

In a highly publicized event in Washington, DC on July 12^th, the Federal Trade Commission and the Department of Justice’s Office for Victims of Crime hosted Stolen Futures: A Forum on Child Identity Theft, a one-day forum on the growing problem of child identity theft and what we need to do to help prevent it.

Child identity theft is a growing problem nationwide, with some studies finds that child identity fraud is more than a hypothetical risk with over 140,000 U.S. kids as victims. And in most cases the victims have no way of knowing they’re being victimized until they’re young adults, entering the credit world for the first time, only to face a mountain of work to reclaim their stolen identity.

The forum focused on a number of challenges, including the growing problem of theft of a child’s identity by family members and the constant risk of identity theft of children in foster care. In a recent report by the Sacramento Bee, of the 60,000 kids that leave foster care in California every year, as many as one in every five face some kind of identity theft.

According to the report “Their Social Security numbers and birthdays – easily accessible to birth parents, foster parents, siblings, social workers, and courts – were hijacked so others could get quick cash from banks, keep electricity and water flowing, avoid criminal conviction, or even save on taxes and medical costs.”

This is a growing problem that we need to address with some urgency. Criminals know that kids are a good target for identity theft as they have clean credit histories, don’t think about identity theft, and shouldn’t have a credit report on file. And most thieves can easily get away with the crime because many years can pass before the victim ever discovers their identity has been hijacked.

Lessons learned?

• Guard your child’s Social Security number closely and don’t leave it anywhere in the home where it can easily be accessed by either a burglar or visitor.
• Check regularly with the credit bureaus for any reports in your child’s name. If there is a report, it means someone’s abusing their identity.
• Keep your child personally identifiable information secure and close. Question when people and organizations need your child’s PII, and if it is necessary, ask what kind of security is in place to protect it.
• If you receive any inappropriate mail for your child such as an application for loans or for credit cards, your child’s identity may be compromised. Contact a group like ITAC or the Identity Theft Council for immediate assistance.
• If you allow your children access to networks of any kind online, understand the privacy controls of each network and know how to keep your child’s account “locked down” when your child participates in online social interaction.

RELATED STORY: Stolen Futures – A Forum Presented by the FTC
http://www.ftc.gov/bcp/workshops/stolenfutures/

My son, Ace, is 12, and he wants to be on Facebook. I told him “No” because the regulations of Facebook state that you have to be at least 13 years old to have an account. Ace protested that his friends all have Facebook accounts and they aren’t 13. I told him, “The fact these kids lied about their ages to get accounts doesn’t mean that you’re going to do it, too. Talk to me when you’re 13”.

Ace is right; a lot of his 11- and 12-year-old friends are on Facebook, and they aren’t alone. Despite the fact that Facebook’s regulations state that you must be 13 to use the site, a Consumer Reports study published last month found that 7.5 million kids under the age of 13 used Facebook in the past year. Of those 7.5 million, 5 million were under the age of 10.

Clearly not all parents feel that letting their children lie about their age is a problem, and it might not even be an issue for much longer. Mark Zuckerberg, founder and CEO of Facebook, recently said he wants to open Facebook to children under the age of 13. The truth is, though, even if Facebook changes its rules, I would still hesitate to allow my 12-year-old son to have a Facebook account.

Facebook, and sites like it, are great things when you know how to use them sensibly and safely — even as an adult. I’m a blogger; I use Twitter; and I am a regular user of Facebook. I am a believer in social media and I think it enriches our lives in many ways. I don’t disagree that there are some benefits to letting your kids have Facebook accounts. For instance, parents who allow their underage kids to use Facebook often claim it’s because the site allows their children to stay in contact with distant family members. Nor do I believe that Facebook is inherently bad. But social media sites are not risk-free for users, and parents need to consider the risks carefully before allowing their children to jump into the deep end of the social media pool.

On of the biggest risks to children using social networking sites come from their own behavior and from other children.Cyberbullying and online harassment by peers continues to be a huge and pressing issue on social networking sites. Just last week in Seattle, Washington, a 12-year old girl and her 11-year old accomplice were sentenced for cyberstalking another 12-year old through Facebook.  According to the earlier-cited Consumer Reports study, over one million children experienced cyberbullying on Facebook in the past year. It can cause stress, depression, anxiety and, in some extreme cases, even lead to suicide.

Some experts argue that the brains of adolescents are not developed enough to allow them to comprehend the impact of their online behavior. Brain development is not complete until the mid-twenties, and the areas of the brain that allow people to understand consequences are the last to develop. Facebook, by design, encourages over-sharing and impulsive behavior. Preteens may not have the cognitive development necessary to curb impulses, which can lead to disastrous results when coupled with the confusing and emotional social experience that is middle school and the instant gratification of social media. In the earlier-cited Seattle incident, for instance, the two defendants were posting on the victim’s Facebook account sexually explicit material. The defendants’ motive? They “had a falling out” with the victim.

Another issue parents need to consider is their children’s digital footprint. Information posted online leaves a record that can last far beyond the moment.  Everything posted on the Internet, including Facebook, should be regarded as permanent and searchable. People will use that digital footprint to judge your child both now and in the future. Can an 11-year-old be savvy enough to understand the permanence of what they say and do online?

Privacy is another area of concern. Do you know who can see your child’s profile and information? When Ace told me that his friends were on Facebook, I decided to take a look. I logged into my Facebook account and searched for several kids using just their first and last names. Not only did I immediately find them, I also found that I could see their entire profile. None of these kids were using the available privacy settings. I could read birthdays, addresses, likes and dislikes, all of it. To an identity thief or other criminal, information is currency, and children need to be taught to protect theirs.

Is your preteen able to take all the steps that are necessary to protect their personal information? Do they even understand why they need to protect their information? These are the things I’m considering as I decide whether my child is old enough and mature enough to safely navigate Facebook. Yes, some risks can be mitigated with a policy of restraint, careful judgment, and common sense on the part of the user; but let me ask you this, do the words “restraint,” “self-control,” and “common sense,” describe most of the preteens you know? Parents need to think carefully about whether the benefits of early adoption of social media really outweigh the negatives for our kids. Grandma and Grandpa can still keep in contact with Little Joey over the phone or by email, after all. Just because Facebook makes things easy doesn’t mean it is the best choice for young children.

Parents also have to be involved when their child becomes part of the global network, be it Facebook, online gaming, or the Internet in general. Consumer Reports found that the majority of the parents of those five million Facebook kids under 10 were not supervising their kids’ use of the site. So if you’re going to allow your child to be on Facebook, then you need to be on Facebook, also. Friend your child. Teach them about online safety practices. Help them with the privacy settings. Check out organizations like ConnectSafely.com to become educated about the issues for kids and social media. Know what is going on in your child’s online life.

As for me… I will, in time, allow my children to use Facebook. For now, the answer to my son asking “Can I have a Facebook account?” is “No” at least for one more year. Once he is 13, we can revisit the issue, and maybe then it will be time to let him dip his toes into the social media pool — but only with me looking over his shoulder as his “Friend,” so I can teach him how to swim safely.

We’ve been saying for years that hackers and identity thieves follow the crowds, which is why social networking sites such as Facebook have become such a hotbed of criminal activity. So naturally whenever a new social networking site debuts, we expect the bad guys to be waiting in the wings.

And they didn’t disappoint. Maybe you haven’t heard of Google+ yet, but it looks like the bad guys have. Google+ is Google’s latest venture into the social networking arena and has many of the same functions as Facebook, which is why scammers are already targeting the site. In a first salvo, scammers are sending out fake emails pretending to come from real Google+ users inviting the recipients to join the new club on the block.

But clicking on the link in the email will take unfortunate users to a site promoting something far less tasteful. It’s certainly not the most sophisticated or dangerous social networking scam we’ve seen, but a clear sign that the bad guys are wasting no time in exploiting the phenomenal interest in social networking.

But scams like these do have a positive benefit. They are a great way to remind us all that while social networks have changed the world, they don’t come without risks. And with a new crop of social networks emerging, those risks also increase.

In a recent article, Network World explored some of the up-and-coming social networks that you might not have heard of but which could surge in popularity in the coming years.

For example, social networking site Empire Avenue is growing in popularity, in part because it allows real people to invest virtual currency in other people and even brands. The mere fact that some kind of financial transaction takes place, even if it’s not real money, is sure to make it a magnet for scammers.

5 hot social networking sites

http://www.networkworld.com/news/2011/070511-social-networking.html?page=1

SCAREWARE.

Does that word sound familiar? It is yet another variant of cyber threats that get consumers to do something on the Internet that compromises their PC and, more importantly, their identities, bank accounts, brokerage accounts, credit cards and likely all of their online accounts.

Here is how it works: You see an email or navigate to a site that has an ad for anti-virus software and the ad is showing some very impressive (but made up) statistics to get you to investigate further. Take the malware called MacDefender for example (also seen under the moniker MacProtector, MacSecurity, MacGuard, and MacShield). When you click on the ad, it gives you what appears to be very impressive statistics on how vulnerable you are and how MacDefender can protect you FREE.  As it looks realistic you may be tempted to click and download the software, as many people have done so already Once downloaded, the software  looks and acts like real AV software in that it installs, an icon in your system tray and runs fake scans on your PC, ultimately giving you fake results (and very impressively showing how many threats you are being protected from). MacDefender even has a really good configuration screen closely mimicking the behavior and user experience of the well known legitimate AV software available on the market.

MacDefender will then start to list certain infections and threats that can only be eradicated by upgrading and registering the software through their site, with a nominal fee. If you balk and try to not upgrade to the paid version, the MacDefender software will take over the behavior of the default browser and start to open Web pages that would be considered very inappropriate, as well as reporting more and more PC threats. In the end, a lot of people pay the fee in order to “upgrade” to better protection. On payment, the cyber criminals have met their objectives and taken your money. You now have a useless piece of software on your Mac that you believe is working to protect the computer.

Scareware is basically fake anti-virus software. While MacDefender is specifically targeted at Macs, other scareware targets the much larger PC market. Regardless of the operating system, all scareware scams work substantially the same way.

Here is what you should look for when you see advertising for anti-virus software on Web pages:

1. Ads that shout about the threats on the Internet and not the features of the software should give you pause.
2. Ads that quote impressive statistics about the percentage of malware blocked by their AV software should be closely scrutinized. AV providers know that protecting users from malware is a full-time job and very difficult to battle in today’s threat environment.
3. Do not install software from the Internet without checking on the company behind the software. There are a myriad of ways to check out software offers:
• Google the company and read the reviews.
• Look for surveys of the most popular and downloaded software in the security category.
• Reference tech review websites like Macworld, PCWorld, Top Tech Dog, and Nifty Tech Blog.
• Reference resources that specialize in revealing fraudulent vedors like the Better Business Bureau, the Federal Trade Commission, and Mashable.
• Be inventive in researching the vendors’ name.
4. If you have downloaded and installed bad software, use a legitimate antivirus program to get it off your system or take a look at this column for credible online resources.

PC security has high top-of-mind awareness for all of us. Cyber criminals know this and prey upon the fear of threats that are out in the cyber world in order to snare as many of us as possible into giving up our money.

Use common sense, use readily available surveys of the best software available and do not download any software that is not rated or well-known. When a free software tells you that you can only beat threats by upgrading and paying, uninstall it immediately. This is a sure sign that there is bad behavior present and potential fraud being committed against you.

Common sense is the best weapon against Scareware. Use that common sense to its full potential.

As we have mentioned on this blog, child identity theft is a growing concern, and on July 12, The Federal Trade Commission and the U.S. Department of Justice are hosting a forum on this alarming issue. Experts from a variety of resources including government, business, non-profit, legal service providers, as well as victim advocates will discuss exactly how important a priority combating child identity theft has become in this age of information and social networking.

Featured on this podcast is Anne Wallace, President of ITAC, the Identity Theft Assistance Center and Steven A. Schwartz, Executive Vice President, Consumer Services at Intersections.

Our audio and video columns can be listened to in a variety of ways:

• Through the blog via the media player found in this blogpost
• Through a manual download by clicking on the “Download” link
• By subscribing through iTunes
  

Thank you for listening,
and stay safe.

About an hour ago, this appeared in my Facebook News Feed. Here are a few things to note about how this is revealed as a clickjacking scam:

1. This is a supposed video tweet, but note under the link the main “home” for this URL is heading back to LinkedIn.com. An odd correlation.
2. Poor punctuation. There’s not apostrophe in Justin Bieber’s name.
3. This unflattering photo hit headlines on March 2, not today (or “20 minutes ago” as this link claims)

These may all seem like minute details, but these details are what hackers and spammers are counting on you glossing over. In the “speed of one click” you can easily surrender control of your Facebook account credentials, counting on you to race to see who can share a sensational link first in your network. Whenever you have shared URL’s like this appear in your News Feeds, it is best to stop and think before you click. Many of these scams can be caught right away from the small image (or thumbnail) associated with the link. (Obvious malicious links will be displaying intimate parts of male and female anatomy.) So if something like this pops up in your News Feed, don’t click just yet. you may regret it.

Remember that clickjacking is a hackers’ tactic technique of tricking users into clicking on a link possessing code that can surrender personally identifiable information without the user’s knowledge, allowing hackers to take control of an online account (or, more dramatically, their computer). The reason why these scams are so prevalent on Facebook is that 20 percent of Facebook users click on these links. This is according to a study, reported by CNET, in 2010.

It’s a refrain that the Apple-loving hordes of Macanistas have been hearing from cyber-security experts for more than a decade: when the sheer number of people using the platform reaches a certain critical mass, more attacks will inevitably arrive.

Recent evidence of this, including a scheme aimed at selling fake anti-virus software to Apple users, appears to prove that this long-awaited prediction may finally be materializing.

I know, I know — it’s a story that’s been written over and over again for many years and the needle on the number of Mac-oriented threats in particular, compared to the stunning avalanche of Windows-based attacks, has hardly moved an inch.

But the fact that someone has gone to the trouble of creating a so-called “scareware” campaign – which attempts to trick people into thinking they’ve been infected by malware so that they’ll buy useless and often itself infected phony AV software —seems to prove that at least some attackers feel it’s worth their while to create and distribute such a Mac-focused attack.

Those of us who have watched the cybercrime culture evolve over the years know that when attackers devote that level of energy to their work, it’s usually because they’re already making some money in a similar regard.

All that said, rather than debating the growth rate of the Mac-ware attack environment, it logically follows that as more of these attacks occur, and fear grows among end-users, there will very likely be a greater number of wholly legitimate anti-virus and security products available for the Apple devices.

For now, let’s take a look at some of the options available for people looking for additional protection.

The world of Windows is littered with more security products than you could list in a day, and from the sound of industry executives, we’re sure to see far more Mac-oriented products very soon.

Right now there are fewer options than there are for Windows users, though still many, for Mac users seeking added protection for their endpoints.

What follows is a list of some of the best-known legitimate security programs on the market for Macs today.

Please feel free to post replies listing anything that we’ve inadvertently left off, or offering your opinions on their respective capabilities (as long as they’re expressed appropriately!):

• AVG LinkScanner for Mac: Automatically alerts users when visiting a website that contains malicious scripting.
• Avast AV Mac Edition: A full-service AV scan engine that includes protection for the desktop, mail and automatic signature updates.
• BitDefender Antivirus for Mac: Offers to identify and block viruses and other common forms of malware for you.
• ClamXav: A free AV package based on the open-source ClamAV engine that also has some supported third-party extensions.
• Hotspot Shield for Mac: A free program that claims to encrypt all Internet connections, specifically for those connecting in public WiFi environments.
• Intego VirusBarrier X5: Promises advanced signature-based and behavior-based scanning and malware filtering.
• MacKeeper for Mac: Part systems management, part security, this product helps weed out unwanted and malicious programs.
• MacScan: Offers to identify, block and remove many common forms of spyware, including keystroke loggers and Trojans.
• McAfee VirusScan for Mac: One of the Windows market leaders’ standalone virus scanners for Mac systems, includes a number of bells and whistles.
• Norton Internet Security for Macintosh: Windows market leader Symantec’s flagship Mac package offering, with lots of advertised features and functions.
• PC Tools iAntiVirus: A free tool that scans for Mac-specific attacks both on the hard-drive and during Web browsing.
• Sophos AV for Mac Home Edition: An all-purpose AV package that promises to identify, quarantine and remove both known and emerging attacks.

These are just some of the major, supported products that are out there today; but whether it is a free Open Source utility or a paid-for application, be careful what you download. The ones to look out for include MacDefender, MacProtector, MacSecurity, MacGuard, and MacShield. These are the fake, malicious scareware programs mentioned above that everyone is currently talking about.

Those are the ones you don’t want, no matter what machine you may be using.

Be careful out there.

–Matt Hines

Summer is about to begin (although with record breaking temperatures, it feels like it’s here already), and now both individuals and families turn their thoughts to the big getaway. Travel plans are confirmed, bags are packed, and all that’s left on the “To Do” list is to hit the road for destinations far and wide. According to the U.S. Travel Association, 2.1 percent more vacation travel just in the United States is expected this year than in 2010.

No matter where travelers are headed, domestic or international, they will likely be distracted by their new surroundings, making them prime candidates for identity thieves.   Identity thieves prey on unsuspecting tourists – even the savviest of business travelers – banking on the fact that many travelers are focused more on their itinerary than on their identity exposure.

So in the days before hitting the road or checking in with your airline, you might want to stop and consider how secure your identity is while on the road, as well as in your vacant home. By investing a few minutes in some basic safe practices, you can help to minimize the impact of identity theft.

1. Protect your home. Have your mail collected or held at the Post Office, ideally have someone visit and turn lights on and off, and do not leave financial documents lying in plain view.
2. Avoid advertising your whereabouts on social networking sites. This gives thieves the information they need to target empty homes.
3. Disable geotagging features on smartphone apps and other devices. This is an extra tool for the bad guys to know your whereabouts and to potentially break into your home while you are away.
4. Guard your computer. Protect yourself from key loggers, hackers, spammers, and botnets by installing anti-virus and anti-spyware software on your laptop computer. If browsing the Internet with a wireless connection, do not assume public “hot spots” are secure.  Ensure you are using encryption to scramble communications over a network.
5. Exercise caution when logging into public networks. If you need to access your email from a cyber café or other establishment, limit your access. Avoid entering any passwords to your personal financial accounts, and be sure to log off when you are finished with your session.
6. Be aware of potential phone scams. If you’re staying at a hotel or motel and receive a call from the reception desk asking that you confirm a credit card number, tell them you’ll provide the information at the front desk instead.
7. Limit the number of credit cards you bring with you. Carry just one and keep a backup in the hotel safe. Keep a copy of the emergency contact numbers for your credit cards and bank accounts handy in case they’re lost or stolen.
8. Limit debit card use. It is not recommended that travelers use their debit cards while on vacation, but if they do, they should be cautious and protective of their PIN when withdrawing money. When withdrawing money from an ATM, be cautious, and be protective of your PIN.
9. Keep documents in a safe place. Remove all documentation and cards from your wallet or purse that you don’t need during your travels.
10. Back up your documents. Make a photocopy of the cards and documents in your wallet or purse, including credit and ATM cards, store cards, drivers’ licenses, to leave with someone you trust so you know what to cancel if your wallet is stolen.
11. Consider utilizing a credit and public monitoring service. If you’re leaving for an extended period of time consider using a credit and public monitoring service that alerts you to potentially suspicious activity.

By being aware of your identity and all that is associated with it, and by following the tips outlined above, you can invest quality time with your family and relax while you are away.

IDGuardian welcomes to the blog Megan Howard, an accomplished writer, blogger, adjunct English professor, Irish dance teacher, and mom. Her blog posts have been nationally syndicated by BlogHer.com and featured on FiveStarFriday.com, and now Megan brings her parental perspectives on protecting your children’s identity to our blog.

I renamed my children in 2008. My son was 9, and my daughter was 5. Their first names, those names we gave them when they were born, were still perfectly good names. My kids just needed new names because I, their mother, was writing a blog.

I never set out to write a mommy blog.  My blog name does not to have Mom or Mommy or Mama in the title. I consider my blog to be a personal blog. I write about my life experiences. It just so happens that I am a mother, though, and being a mother constitutes a great deal of my life experience right now. Therefore, I write about being a mother and I tell stories about mothering my kids on my blog. Yeah, a mommy blog.

I started the blog in 2006, but it wasn’t until 2008 that it began to take off – and by “take off” I mean, someone other than my mother read it.  In 2008, it began to grow and people who were not directly related to me, or didn’t even know me at all in real life, began to read it. Up to that point, I was blogging partially anonymously. I intentionally didn’t use my full name on my blog. I used my husband and children’s first names, but not their last name. I also was careful to leave out specific details about exactly where we live.  I knew that if someone wanted to find us, they could with some sleuthing, so I didn’t want to broadcast our address on the Internet. It just didn’t seem necessary.

Then, in 2008, when my blog began to get more traffic, I reconsidered using my children’s first names. I decided that if more people were going to read my blog, I needed to use pseudonyms for my kids.  It took an entire day to go back through the blog archives and change the names on every post and every picture, but at the end of that day, my son became “Ace” and my daughter became “Tink.”

I didn’t switch to pseudonyms because I’m overly worried about stalkers and pedophiles.  Like writer, Cybele Weisser, discusses in her article for The Wall Street Journal about why she posts publicly accessible pictures of her newborn on Flickr, I don’t believe the information on my blog poses any more risk to my children than the risks they face in daily life.  I decided to change my kid’s names because I don’t think it’s fair to make their entire childhood easily Google-able. I don’t want my high school-age son to be faced with a bunch of kids at school saying, “Ha! We Googled your name and found pictures of you in diapers!” The teen years are difficult enough without your blogging mother providing easy ammunition for teasing and bullying.

I know a lot of bloggers struggle with the issue of how much to reveal about their children’s lives online.  When you are a parent and you write about your life, how do you avoid writing about your children? Your children are a major part of your life.  How can you leave them out? Also, the success of personal blogs is directly linked to the authenticity and openness of the writers. Blogging is a conversation, a shared experience. Often it is a conversation between people in shared situations, like parents. Blogs offer parents a way to connect, commiserate, and educate each other. How do we do that if we don’t write about the center of our experiences as parents – our children?

At the heart of the issue is really this question  – whose stories are they, the parent’s or the child’s? Does a parent have the right to share personal stories about their children in a forum where those stories become permanent?   In an article by The Globe and Mail about this issue, blogger Catherine Connors of Her Bad Mother says she feels ownership of her daughter’s stories because her daughter is her “muse.”

On the one hand, it would seem that mom bloggers swapping stories on their blogs is no different than moms sitting together and swapping “You won’t believe what Tommy did” stories on the playground.  But those playground stories don’t get broadcast to a potentially infinite and timeless audience, as they can be if they are sent out onto the Internet as a blog post.  At a time when we are counseling our adolescents about the need for caution and discretion online, and with the government considering legislation to protect the Internet privacy of children, it is an issue that parents who blog about their children need to consider.

In the end, it is a largely personal decision. Some bloggers, like the most famous of mom bloggers, Heather Armstrong of Dooce, are completely open. Others, like blogger Jen Lawrence of T.O. Mama, stop blogging altogether when their kids are no longer babies because “their stories are now their own.” Most, like me, try to find some kind of middle ground where we feel we can blog authentically about our experience as mothers, but also provide some privacy for our children.

For my kids, that means having two names, and while it started out with one name for real life and one name for the blog, the line has blurred over the past four years.  My kids have taken on their blog names as their own in their daily life. Ace regularly refers to himself as “Ace” in conversation. My daughter signs all her letters and cards with a jaunty “Tink.” No matter how strictly I try to draw the line between online life and off-line life, it keeps getting blurred.

But even if Ace and Tink tromp through both my blog and my house, Google won’t easily find them, and I’m good with that.

With National Internet Safety Month now upon us, it seems appropriate that Congress is sitting up and taking notice of their own security practices, particularly when it comes to Twitter. As seen in recent news, Rep. Anthony Weiner remains under fire for a lewd tweet allegedly sent from his account to a college student. Weiner’s defense of “My account was hacked…” have other representatives (and their staff) concerned about exactly how secure Twitter is. This concern led to Twitter’s Capitol Hill liaison, Adam Sharp, to send out an email that read:

“Some of you inquired today about the security of Twitter accounts. While we won’t comment on individual accounts, news reports of the past few days are a good reminder of the importance of actively protecting your account credentials.”

For National Internet Safety Month, we’d like to point out your first defense against hackers is you, the user. Sharp says as much when he emphasizes “the importance of actively protecting your account credentials.” What exactly does this mean? This means when you receive an unexpected “Direct Message” (commonly known as a “DM”) that might read:

*LOLz* Iz dis u? Ha Ha Funy Vid! http://bo.gus.URL/

Your only option is to not click the offered link.

The above example is a classic phishing tactic serving one goal: obtaining sensitive data. While these attacks may seem common to frequent Twitter users, phishing scams may catch casual users off-guard. Antivirus software developer ESET staged a classic phishing attack in February in order to gauge how effective they were on Twitter. Their results showed one out of five Twitter users hit provided sensitive data, the data ranging from their password to credit card information, all provided by a trusting user on the receiving end of the attack.

Another problem plaguing your Twitter account is who holds access. For high-profile Twitter users “Ghost Tweeting” has now become a very popular option. First coined by marketing powerhouse Guy Kawasaki, ghost tweeting is when an account is manned by someone other than the account holder. In some cases such as @ChryslerAutos and @VodaphoneUK where hacking had been suspected, it was a “ghost” (intern, third-party ad agency, assistant, etc.) tweeting on behalf of the organization or individual. Whether a mistake in earnest or a case of “office rage” these tweets can generate embarrassment, reputation damage, and unwanted attention. When considering “ghost tweeting” as an option for your high-profile account, make certain the individual or team behind the account understands boundaries and can accept responsibilities when a tweet’s intent is either misdirected or lost.

Before using the “I’ve been hacked…” defense in the wake of compromising or controversial tweets, it is essential to review what could have led to the damaging statement or action:

• Have any unsolicited or suspicious DMs been received by your account?
• Is the person sending the DM someone you know? If so, are they sending the tweet in a manner you are used to, or are they using odd abbreviations or lazy spelling as seen in the above example?
• Were links provided in the suspicious DMs and were they accessed?
• Were you or someone else managing your Twitter account at the time of the tweet being sent?

To protect your Twitter account (and your reputation, identity, or otherwise) from being hijacked, make sure to avoid suspicious links arriving in your feed. If asked unsolicited by a third-party to surrender your password, don’t. As Twitter now uses the open protocol OAuth to grant permission (that you at any time can revoke) to third-party sites, a reputable third party should never need your password. Remember that Internet safety begins with you and your own policies and practices. Be discerning on what you share when online, and your account will remain safer than those who do not.

With the close of this month, we all look ahead to the summer of 2011. We also look at June as National Internet Safety Month, a time where we across the country we all need to take a moment to think—really think—about what we (and our kids) are doing online. How safe are we behaving, and what should we consider. While there are many different kinds of threats out there, perhaps a prevailing one over the years has been Identity Theft. Despite all the claims and noise around this topic, the term “Identity Theft” still strikes fear in every person who hears it.  Why? Identity Theft is a violation of your person, and it may surprise you how many people you know who have experienced its aftermath. Identity Theft can happen to you while you are online, but there are things you can do to prevent it.  As this is a fast moving current, you have to stay engaged and aware in order to be protected. In other words, you have to know and understand (to a point) what threats are out there.

Have you heard the term Social Engineering?  This describes how people fool you into voluntarily giving up information about yourself or specific information about your financial accounts.  It starts out very innocently when you get an email that tells you that your bank account login information has expired and that you need to click on a link to update your information. (This is what is known as a Phishing scam.)  So the cyber criminal has suggested to you that an action is required, but you voluntarily click on the link and give up your account data.  Once the criminal gets your login data, they empty your account.  Amazing is the fact that today, four years after Phishing first hit the internet, it is still the most effective tool to steal someone’s online identity and their money.

Are you aware of the term Pharming?  In a Pharming attack, malicious code is downloaded to your computer that will look for specific online account activity.  When you open your browser to go to your bank, the malicious code will redirect you to a fake website that looks like your bank and you then enter your user name and password which the cyber criminal captures.  They put up a message that the site is temporarily down, please try again later, and then use your captured credentials to log on to your bank to clean you out.  Is it effective? YES, with thousands of new victims monthly.

How about the term Keylogging — have you heard it?  This is yet another nefarious way that cyber criminals can get to your private data.  Through many creative ways, the criminals get you to click on a link or a picture or an email that downloads malicious software code to your PC that has only one purpose: copying every keystroke you make on your PC and in real time transmitting those key strokes back to them.  So if you are typing your user name and password for your bank, they see it in real time.  If you are typing in your credit card number, a card verification value (CVV) number, address and name for an online purchase, they see it in real time.  If you are filling out a credit application that requires personal data, they see it as you are typing it.

It is scary what is being done today by cyber criminals to capture your very personal data so that they can violate your identity, or so they can sell it to another criminal that will do the same.  The obvious question is “What can we do to protect ourselves?” There are several good steps:

• Implementing and maintaining up-to-date anti-virus software
• Working with solutions that encrypt and auto log you on to your online accounts
• Installing anti-keylogging software
• Employing services that provide protection and remediation when something bad happens.

The Internet is here to stay so finding ways to enjoy this amazing communication medium while being safe is important.  In the end, the single biggest deterrent is being aware and being careful of where you are and what you are clicking on.  Have a circle of trusted friends and associates and do not click or open email from anyone outside that circle is certainly one approach you can take, but there are many.  Caution can pay very big dividends.

Wake up. Be Safe.

To bring attention to this week being National Small Business Week, I have put together this blogpost concerning a recent study from Javelin Strategy & Research. This report takes a long, hard look at the impact of identity theft on small businesses; and the news isn’t encouraging.

The Javelin study of more than 5,000 small business owners, extrapolated that U.S. small businesses lost approximately $8 billion to identity fraud in 2010, and although financial institutions and merchants covered most of the losses, victimized firms had to absorb more than $2.6 billion.

The study also found that small businesses suffer greater losses than consumers, with the average cost of fraud more than double that faced by consumers. And as the Javelin report also pointed out, small businesses don’t enjoy the same zero liability protections that most consumers do. Which means they’re on the hook for any losses their bank can’t recover.

Javelin’s report came on the heels of a number of other troubling reports. In April 2011, the FBI issued a warning that cyber crooks were increasing their focus on small businesses, and that small and mid-sized businesses lost more than $20 million to unauthorized bank transfer scams in 2010.

The amount of money lost in each attack ranged from $50,000 to $985,000, and Chinese cyber gangs were believed to be responsible.

In an interview with BankInfoSecurity.com, Tom Wills, a fraud analyst with Javelin Strategy & Research commented that “the low-hanging fruit for these overseas criminal syndicates is clearly small and medium-sized businesses, which, because of inadequate and antiquated security controls at 99 percent of U.S. banks, combined with the larger bank balances that businesses typically hold, represent much better financial yields to the fraudsters than when consumers are targeted.”

He added “Financial institutions of all sizes in the U.S. need to focus their risk management efforts on the small-business segment with some urgency.”

Things to think about…

• We need to do more to protect our small businesses. According to the U.S. Small Business Administration small businesses represent more than 99% of all businesses, employ more half the U.S. workforce, create more than half of the nonfarm GDP, and represent 97% of all identified exporters.
• Banks and credit unions need to take a lead in this fight, and do more to educate small business owners about the variety of risks they face – and the serious consequences for ignoring them.

This week, when honoring small business owners, we also need to consider the threats they face and how they affect us as consumers as well. Later this week, I’ll be featured on the IDGuardian podcast in a video segment I recorded concerning small businesses, their security plans, and what we all can do to protect ourselves. When and where we can, we must help protect the small business owner from potential threats and remain vigilant ourselves as we continue the fight against fraud and identity theft.

Back in March, Intersections Inc. CEO Michael R. Stanfield presented a three-part series on the Digital Footprint of a College Graduate. His blogposts covered:

• A Graduate’s Social Media Profile
• A Graduate’s Credit Profile
• A Graduate’s Job Search Profile

In this episode of the IDGuardian Podcast, Michael looks at the earlier years of a child’s life, and how important it is for parents to keep a watchful eye on the credit and identity of their children as identity theft against minors is on the rise.

Our audio and video columns can be listened to in a variety of ways:

• Through the blog via the media player found in this blogpost
• Through a manual download by clicking on the “Download” link
• By subscribing through iTunes
  

Michael R. Stanfield co-founded CreditComm, the predecessor to Intersections, in May 1996 and has been Chairman, Chief Executive Officer and a Director since that time. Michael has been involved in management information services and direct marketing through investments and management since 1982, and has served as a director of CCC Information Services Inc. and BWIA West Indies Airways.

This podcast is copyrighted 2009-2011, IDGuardian.com, All rights reserved.

Any use of the Content not expressly permitted by IDGuardian’s Terms of Use may violate U.S. or international copyright, trademark, and/or other laws. For questions or feedback please contact us at questions@IDGuardian.com.

Thank you for listening,
and stay safe.

The events of May 1, 2011 are dominating the news headlines.  A reoccurring tone in all these commentaries on the death of Osama bin Laden has been vigilance against terrorism, staying safe, and keeping our guard high. This alert is also about vigilance, but on completely different subject matter: Phishing and malware scams.

It did not take long at all for opportunists to set up bogus links to websites, supposed “de-classified” video from the strategic strike against Osama’s compound, and images ranging from actual location shots to conspiracy theorists’ “faked death” photos, all of these links merely triggers for a variety of malware targeting your computer.

Kurt Baumgartner, a senior security researcher for Kaspersky Labs, stated in an ABC news article that cybercriminals started using top search results related to bin Laden in Google Images to redirect people to pages filled with malware and even scareware alerting unsuspecting users that a virus has, in fact infected their computer (a common trick used in obtaining credit card numbers). Sophos Labs reported a “Osama bin Laden death video” spreading virally on Facebook. The messages leading to the video link claim there is “a video of bin Laden’s final hours, banned by media censors.” Once Facebook users “Like” or share the link, Facebook users give cybercriminals access to their contacts.

Read the entire article here.

In light of current events, it is easy to get swept up in the fact-checking and breaking headlines, but a few seconds of caution is all that is needed:

• If the link sounds too good to be true (example — “OSAMA BIN LADEN EXECUTION VIDEO! CLICK HERE”), it is. Don’t click it.
• Rely on established news resources for your facts, your images, and your video links.
• If your computer suddenly informs you that you have a virus, do not panic and click on links that offer you antivirus software. Instead, either run your current anti-virus package or purchase software that comes from a trusted vendor of anti-virus protection.

UPDATE: Along with the Osama bin Laden videos and stills, there are two other “clickjacking” scams viral on Facebook:

• “See how you will look in 20 years…”
• “Find out who’s stalking you…”

These apps are phishing scams. Do not click on these links. Alert your friends sending these chat messages or wall posts, and encourage them to remove the dangerous posts from their walls and change their FB passwords.

Do you have any inactive smartphones or cellphones in your house? Chances are you do; and as there is credit to be earned towards a brand new smartphone or a deduction to add to your tax report, donating an old cellphone to a charitable organization or recycling an older model phone is the smart, responsible, and environmentally friendly thing to do. Upgrading our conveniences though, can sometimes have us suspend our common sense and put ourselves in precarious situations where our private data is at risk.

Just in the past five years, between the Blackberry blazing the trial, the iPhone defining it, and the Droid making a claim for the “digital heavyweight champion,” the mobile phone has dramatically changed from a small pocket device armed with basic Personal Digital Assistant (PDA) abilities to computers able to access the Internet from the palm of your hand. Like any technology, upgrades promise better communication, better connectivity, and state-of-the-art apps. These new advancements pose new challenges and new responsibilities, and these responsibilities begin with your previous cell phone.

As reported by MSNBC, a British study revealed that over half of second-hand mobile phones obtained in random purchases from eBay and brick-and-mortar stores still carried sensitive data on them, including credit and debit card PINs, passwords, bank account details, and friends’ phone numbers. Adding to the confusion as to “how” and “why” this personal identifying information (PII) had remained on these previously-owned phones, this study also revealed that 81 percent of the people donating their old phones believed the devices were clean of personal data.

The later models of mobile phones — the HTC, Apple’s iPhone, Samsung’s Galaxy — are referred to as smartphones due to their expanded capabilities via apps. Smartphones offer you all the conveniences of bill pay, flight tracking dining out, and shopping right in the palm of your hand. It is difficult not to take full advantage of your smartphone’s capabilities, and here at ID Guardian we try to encourage and empower users with tips and resources on being responsible with what is stored on your smartphone.  When you are ready to upgrade your smartphone, check to see if you have:

• Logged out of e-commerce apps?
• Logged out of apps for paying bills?
• Logged out of your banking apps?
• Logged out of your dining out apps?
• Disabled your “Save password” option?

That last item on your checklist is important as part of the convenience of smartphone apps is the ability to remember your login data automatically.

These are the essential considerations you must keep in mind when upgrading your smartphone, but what if you’re upgrading from the more basic cell phone models? These phones are usually offered for free when signing up for a contract, or at a more economical price. The apps on a cell phone are more simplistic and the Internet scaled down to bare-bones basics.  The windfall for identity thieves if they get hold of these phones resides in your collection of contacts, usually found inside the phone or stored on the phone’s removable Subscriber Identity Module (or SIM) card. Even the low-resolution cellphone cameras provide a bonus for identity thieves as the contacts now have faces to go with the names. Finally, simple memo applications allowowners to enter in sensitive data such as security PINs, passwords, and the like under the guise of a harmless reminder to ones’ self. While not as sophisticated, the basic mobile phone models offer their own unique vulnerabilities when being recycled or donated.

“This report is a shocking wake-up call and shows how mobile phones can inadvertently cause people to be careless with their personal data,” stated CPP Group’s mobile data expert Danny Harrison. CPP is an English data-protection company that commissioned the study cited in this column.

As we have reported on this blog before, identity thieves can accomplish a lot with a legitimate cell phone number. Add to that images and names, the possibilities increase. Bring in password and login credentials and the danger becomes less speculative, more real. So here is a checklist to follow on how to clean out your mobile phone’s data:

• When activating  your new phone, backup your data from your previous phone and then attempt to transfer your old data on to your new phone.
• Once the previous phone’s data is backed up and/or transferred, find the “Settings” feature of your phone (usually this is where you customize your phone with ringtones, personal messages, wallpapers, and the like) and look for an option labeled “Restore to Factory Settings,” “Reset,” or simply “Erase.” (It may be different from model to model. Consult your phone’s user guide, the phone manufacturer’s website, or your cellular provider’s site for details.)
• Confirm you have erased your data. Power up your phone and go through it. If you cannot find your applications, your login credentials, or any PII present, you have successfully removed your data.
• If applicable, remove the phone’s SIM card. If you are no longer using that SIM card, destroy it. Do not simply throw it away but destroy it, preferably by shredding or cutting it to pieces.

Any investment in technology means eventually there will be a need and desire to upgrade to something better, something more powerful. To be green we should recycle, but a cell phone or previous smartphone model is not an empty milk jug or soda can. Sensitive data on the recycled phone is merely a USB connection away so make certain to remove PII before tossing that phone away.  Security should always be your first consideration.

Tim Rohrbaugh, Vice President of Information Security for Intersections, Inc. and a regular contributor to this blog, was contacted yesterday by USA Today to comment on the recent news story that Sony’s popular PlayStation Network (PSN) was hacked, an intrusion that put 75 million global users at risk of identity theft.

Here is just part of what Tim had to say about this incredible breach:

“On something like a PlayStation or (Internet-connected) TV, you can’t use the same password that you use on your bank account or the accounts where a lot of damage can happen.”

This breach could not have happened at a worse time as many highly-anticipated titles, including Portal 2, hit retailers last week. We have on this blog discussed the risks and dangers of online gaming systems. Now, we emphasize that caution again, as well as encourage PSN users to watch their bank and credit accounts carefully.

Read the entire USA Today news article here.

Tax season is a time of year when thieves and scam artists are very active. The risk for identity theft and identity fraud runs high. This episode features Steve Schwartz, Executive Vice President, Consumer Services for Intersections Inc. Steve talks about some of the latest scams that are circulating this year, and also gives us some important tips for staying safe.

Our audio and video columns can be listened to in a variety of ways:

• Through the blog via the media player found in this blogpost
• Through a manual download by clicking on the “Download” link
• By subscribing through iTunes
  

Steve Schwartz, before stepping into Intersections’ role of Executive Vice President, Consumer Services in 2006, served as Senior Vice President at The Motley Fool, as well as Vice President at Time Life, Inc. During his career, Mr. Schwartz has worked extensively in the direct response marketing field, including positions at Book-of-the-Month Club and Columbia House.

This podcast is copyrighted 2009-2011, IDGuardian.com, All rights reserved.

Any use of the Content not expressly permitted by IDGuardian’s Terms of Use may violate U.S. or international copyright, trademark, and/or other laws. For questions or feedback please contact us at questions@IDGuardian.com.

Thank you for listening,
and stay safe.

You have heard us talk about harmful or unknown links and arbitrarily clicking on them. These malicious URL’s usually lead to some form of malware that either hinders the performance of your computer, or monitors your computer’s activity in the hopes of obtaining your Personally Identifiable Information (PII) while shopping or managing your bank accounts online. These are legitimate threats and yet, as reported by Time’s Techland blog, in an independent study, 68 percent of Facebook users would click on links received through the social network. It’s a logical assumption: As you are receiving a link through your Facebook network, it should be a link coming from someone you know. According to this study, though, 42 percent of the people in this experiment admitted having people in their network they didn’t know.

Today, the carefree clicking reached a new height through an extremely deceptive Facebook app. This time, the hook wasn’t “a funny vid” or even a random wall post from friends. The hook is the fan base for the Twilight films, and here’s how it works:

You may receive a notification that you have been tagged in a photograph (pictured below) recently posted on Facebook, appearing in your feed like this:
However, the notification provides a link to a Twilight: Breaking Dawn promotional game instead of the usual tagged photograph. Clicking on this link takes you to a customized Facebook page inviting you to play this promotional game.

Thus begins a multi-level attack:

• Upon clicking the “Play Now” link, your account is clickjacked (meaning a page tricks users into performing undesired actions) and automatically spreads the link to your friends’ accounts under the “Like” feature.
• The application then asks for permission to access your Facebook account in order to access your basic information, post on your account wall, and have the ability to access your data at any time.
• The final part of the attack comes through a survey that supposedly asks you to verify your identity.

If you are concerned about whether or not your account has been compromised by this (or a similar) scam, watch this video courtesy of Sophos Labs:

We recommend the following:

• When notified you are “tagged in a photo” and the notification leads to a game, this is a scam. Do not click any further!
• When notifications you suspect are SPAM in nature appear in your feed, make sure to remove them from your wall by moving your cursor over the announcement, clicking on the notification, and selecting “Mark as Spam” from the “X” in the upper-right corner of the post.
• If you receive a posting or an unsuspecting chat invite from anyone (friend or otherwise, as seen in the graphic below) that opens with a cryptic URL, do not click on the link. Stop and ask that friend (see Fig. 1) either in chat or in a message if they sent it. If it is a stranger, block or remove that person immediately from your network. A good sign it is a spam or a compromised account is the message itself is full of typos or poor sentence structure (see Fig. 2).

• When an application asks you for permission to access your account, ask if that access is really necessary, particularly if you do not know what this application will really do.
• When in doubt, change your password on Facebook, preferably with a code hard to decipher. (Do not use the same password for Facebook as you use for your bank, ecommerce, or other PII sensitive websites.)

It may seem overly cautious to confirm with other Facebook users, maybe even people you know and chat with regularly, whether or not they just dropped you a link; but what harm would it do if you dropped that friend a quick message asking if they were, in fact, sending you a link? With these preventative tips you can still enjoy the social benefits of Facebook while avoiding malicious links that only bog down your computer’s performance or (far worse) cause problems for your online reputation and image.

Think before you click. This is a good mantra to repeat when enjoying the social aspect of social networking.

Administrators’ Note: Just last month, we ran this article concerning tax preparation and the scams found cropping up around this time. With deadlines fast approaching, we present a re-post of our March 8 posting, complete with tips that will keep you safe before and after the 2010 tax season.

Tax season involves the exchange of a lot of documents and communications which contain sensitive personal information including addresses, Social Security numbers (SSN), employer information, and bank account numbers, all of which can be used to compromise or steal the identities of their owners. Identity thieves will use various scams and schemes this year to either forcibly gain access to this information or con taxpayers into willingly and unknowingly handing it over. And with new IRS regulations, within two years, all paid tax preparers will be required to submit all returns electronically. Adding to this digital deluge of incoming data, the IRS has reported that the majority of income tax refunds will be sent to taxpayers electronically, making your computer and electronic networks everywhere a prime target for identity thieves.

In years past, fraudsters have used a number of methods to steal or obtain personal information. Fraudsters commonly masquerade as the IRS, calling and convincing unsuspecting tax payers to turn over their Social Security or bank account numbers in order to correct a factual error on their return or expedite the deposit of their refunds.  Fraudsters have also distributed emails claiming to be from the IRS with attachments or links that contain Trojans or other malware that can easily empty the victim’s bank account. Consumers need to be cautious not just of scammers working under the mask of the IRS, but also of emails or phone calls from property tax appraisers or local county tax assessors, which could just be another rouse employed by identity thieves.

In order to help you avoid even the best laid identity theft traps, we have compiled a list of tax season safety tips to guide consumers this year.

Top 13 Tips for a Safe & Secure 2010 Tax Season:

1. Be suspicious of any calls or emails purporting to be from the IRS, no matter what the issue. For example, some scams claim that someone else has already filed tax returns in your name or with your SSN.  The IRS will always write to you first, will rarely call, and will never email you.
2. Never confirm your SSN or bank account details by email or over the phone.
3. If your bank or employer has been taken over lately, be wary of any calls asking you to confirm your tax information or employment status.
4. Guard your mail because it’s especially attractive at tax time.  Ideally, have your mail delivered to a P.O. Box and mail tax returns and sensitive information directly from the post office.
5. If you plan to use an online tax preparation service, make sure you stick with a reputable one that has adequate security measures in place.  And be careful when typing in the URL or web address of an online service in case you misspell the name and end up on a fraudulent site that looks like the real one. Invest in software that can help you stay safe by alerting you to questionable sites when you type in URLs.
6. If you plan to use online tax preparation software and intend to keep a copy of your return on your computer, you should immediately rename your return with a different file extension.  It is also highly recommended you use a USB external drive to save your information instead of storing it directly on your computer.
7. Make sure your computer is free of malware like computer viruses and spyware that can steal a copy of your SSN or bank account password.
8. Choose your tax preparer carefully and don’t be afraid to ask them important security questions, such as how your information is protected at their offices during and after preparation, how long they will keep a copy of your tax return, and whether they conduct background checks on their employees.
9. If you owe money to the IRS, try to pay online through their system.  If you have to pay by check, spell out the name “Internal Revenue Service” because it’s harder to forge than the letters IRS.
10. Don’t email tax information or returns to your accountant.  Email is not a secure way to send any document.
11. If you make copies of your return on a photocopying machine, be aware that many machines keep a copy of your pages in short term memory!  Using photocopiers in public locations is not recommended.
12. Don’t forget to shred any unnecessary documents or copies when tax season is over.  Dumpster divers will be on the prowl to get your banking account details and SSNs.
13. Finally, check your credit report immediately after tax time and again a few months later to make sure your personal information wasn’t stolen and is not being used against you.

For more information concerning tax safety please see our other IDGuardian blog posts:

• Phising: A Demise That Has Been Greatly Exaggerated (Jerry Thompson)
• A Re-Routed Refund (Anne Madrid)
• Tax Season 2011: Making Identity Theft Far from “EZ” (Neal O’Farrell)

Remember to use extra caution and care when filing their taxes this year.

Administrators’ Note: With 2011′s Income Tax deadline closing in fast, we asked Cybersecurity expert Neal O’Farrell to return to his earlier posting concerning tax scams. Please comment and syndicate this 2011 edition of tax tips that will keep you safe before and after the April deadline.

Is it just me or does it feel like tax time was not that long ago? As the tax deadline looms just around the corner, one group of citizens is just giddy with excitement. No, not tax preparers. For identity thieves, tax time is one of the best and busiest times of the year as they prey on unsuspecting taxpayers caught in a whirlwind of returns, refunds and rebates.

So why is tax time so good for identity thieves? Three simple reasons:

• A lot of money will be on the move as millions of citizens send and receive billions of dollars in tax payments over a very condensed period. According to the IRS during last year’s filing season nearly 100 million taxpayers received refunds totaling $260 billion. That doesn’t include all the checks that went out to the IRS from taxpayers.
• Tax time involves a lot of documents, laws, and communications – the ideal time to trick a busy taxpayer. And of course many of these documents contain the taxpayer’s crown jewels – name, address, spouse, employer, Social Security Number, bank account number and much more.
• The letters IRS scare most people and scare tactics have always worked well for thieves (Your computer has been infected, your bank account has been suspended – any of these sound familiar?)

Tax time scams are nothing new, and the scams we’ve seen so far this year are a predictable rehash of previous years. But what you really need to watch out for are more clever variations that are more likely to catch you off guard.

Most of the scams you’ll probably encounter this year will come in an email or phone message, although you shouldn’t rule out the possibility of a snail mail scam.

Here’s a selection of the kinds of tricks the scammers will use, and most are likely to come as pretty convincing IRS communications that will prey on fear, urgency, or greed:

• Someone else has submitted a tax return using your Social Security number and in order to fix the problem you’ll have to confirm your Social Security number (or submit an online dispute or claim form that includes your SSN).
• The IRS can expedite your refund if you submit your bank account and routing information.
• If you don’t accept direct deposit of your refund directly into your bank account, you’ll face a fee or penalty.
• The IRS has your stimulus check or rebate and would like to lodge it in your account. This can be a very effective trick because there are so many stimulus programs or discussions going on.
• The IRS would like you to participate in a taxpayer satisfaction survey which will eventually either ask you for personal information, or the link in the email will lead to a malicious download.
• The IRS now offers a generous installment payment plan if you owe taxes, and you can begin by submitting your bank account information.
• You’re being audited and you must respond within 24 hours using an online form.
• The IRS already sent you a check but it has not been cashed, and you’ll need to confirm your bank account information or Social Security number in order to have the check resent.

Banking Trojans are a major threat this year, and definitely not the kind of malicious software you want on your computer. These very sophisticated programs are designed to steal your bank login and password, clean out your bank accounts, and sneak away before you know it.

And if you have a banking Trojan on your computer when you file your taxes online, there’s a good chance you’ll lose your Social Security number too.

According to security firm Panda, Trojans made up nearly two thirds of all new malicious software identified during the first quarter of 2010, and the majority of these were banking Trojans according to the company.

Consumers are not the only target. Businesses can expect to receive fake IRS emails containing attachments purporting to be changes in tax laws, a tax problem with a specific employee, or threat of an audit.

The attachment or link is likely to contain a Trojan or other malware that could easily empty the victim’s bank account, and the FBI estimates that more than 200 businesses lost more than $40 million through this scam in 2009.

These can be very effective scams because businesses expect to receive this kind of correspondence, although they shouldn’t expect them by email.

And don’t just watch for IRS scams. There are numerous scams in circulation focusing on property tax appraisals, so keep an eye out from scam emails and even letters purporting to be from your local county tax assessor.

So what should you do to avoid being scammed?

• Be suspicious of any calls or emails purporting to be from the IRS, no matter what the issue. For example, some scams claim that someone else has already filed tax returns in your name or with your SSN.  The IRS will always write to you first, will rarely call, and will never email you.
• Never confirm your SSN or bank account details by email or over the phone.
• If your bank or employer has been taken over lately, be wary of any calls asking you to confirm your tax information or employment status.
• Guard your mail because it’s especially attractive at tax time. Ideally, have your mail delivered to a P.O. Box and mail tax returns and sensitive information directly from the post office. Better still, have your taxes filed online.
• If you plan to use an online tax preparation service, make sure you stick with a reputable one that has adequate security measures in place.  And be careful when typing in the URL or web address of an online service in case you misspell the name and end up on a fraudulent site that looks like the real one.
• If you plan to use online tax preparation software and intend to keep a copy of your return on your computer, you should immediately rename your return with a different file extension.  It is also highly recommended you use a USB external drive to save your information instead of storing it directly on your computer.
• Make sure, before using tax preparation software, your computer is free of malware and spyware that can steal a copy of your SSN or bank account password.
• Choose your tax preparer carefully and don’t be afraid to ask them important security questions, such as how your information is protected at their offices during and after preparation, how long they will keep a copy of your tax return, and whether they conduct background checks on their employees.
• If you owe money to the IRS, try to pay online through their system.  If you have to pay by check, spell out the name “Internal Revenue Service” because it’s harder to forge than the letters IRS.
• Don’t email tax information or returns to your accountant.  Email is not a secure way to send any document.
• If you make copies of your return on a photocopying machine, be aware that many machines keep a copy of your pages in short term memory!  Using photocopiers in public locations is not recommended.
• Don’t forget to shred any unnecessary documents or copies when tax season is over.  Dumpster divers will be on the prowl to get your banking account details and SSNs.
• Finally, check your credit report immediately after tax time and again a few months later to make sure your personal information wasn’t stolen and is not being used against you.

A recent audit by New Jersey State Controller found a very troubling pattern of lazy security when it came to disposing of personal information on state-owned computer hard drives.

Although the state has very clear guidelines and procedures for the secure disposal of information on any device owned by the state (especially smart phones and computers, before they were auctioned or disposed of), state employees seemed to completely ignore those rules.

The audit was triggered by reports that state employees responsible for disposing of computers were rigging auctions for them or selling valuable computers for scrap.

What the auditors found, though, was much more troubling:

• Investigators found data on 46 of the 58 hard drives.
• Data found included addresses and phone numbers of children placed in state care, completed tax returns, Social Security numbers, a list of State employee computer passwords, and reports on children who may have been the subject of abuse (including the names and addresses of the children).
• State agencies regularly disposed of computer equipment without ensuring that data on the devices had been properly removed.
• 13 of 37 drives that contained business-related or sensitive data were packaged and ready to be shipped for public auction.
• Contrary to State requirements, agencies sent shipments of computer equipment for disposal with no certification that the equipment’s data had been removed.

One of the laptops tested contained numerous files of one State judge that included the judge’s life insurance trust agreement, his tax returns for three years, documents with the judge’s Social Security number, as well as sensitive legal correspondence.

What’s most troubling about the report is that it’s not unique. State agencies across the country are struggling with budget and manpower issues, and in many cases key precautions are overlooked and data is simply given away.

The criminal community is only too well aware of this opportunity, which is why they can often be found lining up at state computer auctions ready to pay cash for any kind of computer. They only need to get lucky once to pay for the investment.

RELATED STORY: N.J. Computers Sold to the Public at Auction May Contain Private Data

http://www.nj.com/news/index.ssf/2011/03/nj_computers_auctioned_to_publ.html

The job market is a far different one from the time your parents searched for a job. It has changed even between the classes that graduated when you first entered as a freshman. Four years ago (or five, depending on your undergraduate studies), Facebook and Twitter were gaining momentum, and the unassuming site LinkedIn was a stark, streamlined social network that focused on the professional sector. Job sites such as CareerBuilder.com, Monster.com, and even Craigslist have been online for more than a decade, but the job opportunities that were advertised there were geared mainly for the IT industry.

Welcome to the new-and-improved, virtual job market. As we mentioned in Part One of this series, this is a job market where your first impression begins not when you walk into the door but online where your digital identity resides with public galleries of candid photos, tweets and personal postings, and where you keep company via check-in’s on Whrrl and Foursquare.

Being aware of your online identity is important and should be reviewed and vetted before beginning an online job search.  Once you are comfortable that your online profile conveys the image you want potential employers to see, it’s time to start building up business networks in the hopes of securing a job.

LinkedIn, a network of more than 90 million registered users, has earned a reputation for being serious about business; and today, job recruiters and Human Resources departments tap into the site more and more looking for potential associates.  LinkedIn claims it has a new member joining the networking site every second of every day, or approximately one million every 12 days. Adding to these impressive statistics of growth and activity, they report as of January 2011, that executives from all 2010 Fortune 500 companies are now members, and that its hiring solutions were used by 69 of the Fortune 100 companies as of December 31, 2010.

With your LinkedIn network, resumes are sent out one by one at your discretion, or potential employers can request to review your profile.   When filling in the various fields of your LinkedIn profile, be mindful as to what contact information you offer.   Javelin & Strategies 2011 Identity Fraud Survey Report warns that LinkedIn users are more likely to become victims of fraud involving Social Security numbers (SSNs) and addresses.

For graduates looking to build on their work experience, sites such as Monster.com, CareerBuilder.com, Dice.com, and even Freelance.com all offer to promote your resume online and find opportunities tailor-made for you. Behind the scenes of these recruitment sites, some online opportunities ask you to complete surveys rating the “overall experience” of applying for the available position. These results are sold to various third parties (keeping the job sites free for public use), and then you are subject to endless spam e-mail, even after you have shut down your profile with that recruitment site. Another concern with job sites, following Monster.com’s data breach at the beginning of January 2009, is their security.  Even as recent as February 2011, recruitment sites continue to be a prime target for hackers looking for Personal Identifiable Information (PII). Websites like LinkedIn and CareerBuilder reach millions of people, a great advantage from the days of circling classified ads and sending out resumes one at a time. With the right approach, you can still take advantage of the digital approach to job hunting without putting your personal data or your identity at risk.

• For contact information, avoid listing your address. Perhaps in the days before email and mobile phones, a home address was essential so potential employers could contact you to formally invite you in to notify or reject your application. Present day, the need for your full address is no longer a necessity. Any job site insisting that you provide such information should be scrutinized and, perhaps, avoided.
• For telephone contacts, consider a number other than your home phone. If you have two separate lines — a home phone and a mobile phone — opt to use the mobile number. Better yet, look into signing up for a separate Google Voice telephone number, a free service that will re-route your call to whatever phone number you designate, or Google Voice will immediately route your calls to voice mail. This service can conveniently allow you to track all incoming calls that may be job related.
• When filling out online profiles, fill in Age Ranges but avoid full birthdates. Again, there really is no need to supply this information to a potential employer. This also applies for other sensitive data such as Social Security numbers and/or Passport numbers (if applying for jobs that may have you traveling abroad). Keep this data offline and private.
• If a job sounds too good to be true, it usually is. Scammers are getting much better at setting up credible-looking online sites, making you think you are working with a legitimate company.  Be aware of job opportunities including:
  • Work-at-Home
  • Incredibly high salary for entry-level position
  • Interviews only over the phone, never on-site
  • Personal information (including your Social Security number) asked for at the interview before the job is offered.

  Other ways of checking to see if the job and the company behind it are truly legitimate include consulting the Better Business Bureau or Federal Trade Commission, or simply Google the company and research their history. How long have they been around? Are people talking (or warning) about them? Never hesitate to do a little homework.

When job hunting, the drive and desire to enter the workplace can threaten to cloud your judgment. Don’t let that happen. Remember that with all the profiles you set up and the more information you share in your quest for a job, the more your information is distributed across global networks, putting your identity at risk. Your identity carries the same worth as that dream job you’re searching for and a compromised identity can prevent you from obtaining it. Stay safe, and always consider how much is too much when sharing personal information online.

Do you have a wireless network in your home? Any idea how secure it is? Ever change the password the wireless router originally came with?

These are not unimportant questions, because if you have not properly secured your wireless network, you could be creating easy opportunities for criminals to do bad things in your name.

A recent story on the Today Show caught my eye, not only because it was a frightening example of how the careless use of Wi-Fi in your home can get you into a whole heap of trouble, but because it was such a case of déjà vu. I remember covering stories just like this nearly a decade ago, and yet many users still haven’t woken up to the risks.

Users like Malcolm Riddell, a Florida resident who got a rude awakening when FBI agents recently swarmed all over his condo and accused him of being a major distributor of child pornography. According to the FBI, they had monitored the exchange of more than 10 million child pornography images over his wireless network. And if it was his network, and he was the only one with access to it, then the images had to be his. Case closed.

But not so fast. After a little investigating, the FBI changed their mind and focused instead on a small boat moored at a marina within clear view of the condo. That’s where the real child pornographer lived, and even though he was a few blocks away he was able to hijack the victim’s unsecured wireless network to share his stash of illegal images, and make sure the victim looked like the bad guy.

And it all happened because the victim had never bothered to create a password for his wireless network. Which not only meant that anyone within range of his network could use it for free, everything on his computer was also open to casual intruders.

And this victim is not alone. In a quick demo, the Today Show was able to uncover more than 1,500 wireless networks in just 30 minutes, simply by driving around with some home-made detection equipment that included a Pringles chips can. Of those 1,500 wireless networks, a quarter had no passwords. And based on experience it’s probably safe to assume that many if not most of the rest still had the default factory-set password that most hackers know anyway.

Lessons learned?

• If you use a wireless network, make sure you have all security and encryption features enabled, and make sure the factory-set password has been changed to something long, complex, and as random as you can make it.

RELATED STORY: Is a Criminal Using Your Wi-Fi?

http://digitallife.today.com/_news/2011/03/09/6227119-is-a-criminal-using-your-wi-fi

It’s something we’ve come to expect. Not only are security threats everywhere, they no longer have to come looking for you. Drive-by downloads are on the increase, where malicious code hangs out around infected web sites just waiting for the next unlucky passerby. And it seems like no sector is immune.

Security firm White Hat Security recently released their study findings into web site vulnerabilities discovered throughout 2010.

According to their findings:

• Most web sites were exposed to at least one serious vulnerability every single day of 2010.
• Education web sites appeared to be the most vulnerable, with 71% of these sites exposed to at least one serious vulnerability every day last year.
• This was followed by social networking sites (58% of them), and retail sites (51%).
• During 2010, the average web site had 230 serious vulnerabilities.

There was some good news. Half of all banking web sites tested, and less than a quarter of other financial web sites, were found to be exposed to a serious vulnerability for less than 30 days during the year.  And on average, the banking industry was the fastest to respond to the discovery of these vulnerabilities, with 50% of the issues resolved in 13 days.

But 50% of organizations required up to 116 days to fix their exposure, and the slowest was the telecommunications industry which required on average 205 days to fix at least half their vulnerabilities. In fact, the report found that not a single telecommunications web site was found free of serious

vulnerabilities fewer than 30 days of the year. So you might want to keep this sobering statistic in mind the next time you’re browsing for a new cell phone, or checking your phone bill online.

This is obviously not good news. It’s a reminder that cyber criminals are becoming far more sophisticated. Instead of trying to push their scams through traditional channels like phishing emails, they’re going after poorly protected web sites. Once these hackers find an unprotected site, they can hijack the site without the site owner’s knowledge, pack it full of malicious code, and just sit back and wait for unsuspecting visitors to wander by. Now that’s a powerful business model. And if major organizations, who have dedicated web site security teams, can’t protect their web sites, how many small business web sites are wide open?

Lessons learned?

• Only browse where you need to be.
• Keep your shields up, especially your anti-virus software, software patches and updates, and any browser security tools you can get your hands on (like Finjan’s free SecureBrowsing).

A whole bunch of people who had the kindness to take some time out of their busy day to donate blood will now each be rewarded with a letter from the blood bank that’s not a thank you.

Donors to the Core Blood Registry, the world’s largest stem cell bank – some 300,000 of them – have started to receive letters from the registry informing them that their personal data was on an unencrypted tape stolen from a vehicle in San Francisco.

According to the registry, the tapes did not contain medical bills or records, but worse than that – names, addresses, credit card numbers, and even Social Security numbers.

The letter provides the usual caution that there’s no evidence so far that the stolen data has been used to commit identity theft. The registry has offered the now standard one year of free credit monitoring, but that’s of little comfort when we know that professional thieves will often wait for months before using the data, knowing that by then the fury will have died down and victims will have dropped their guard.

And of course, there’s no expiration date on stolen Social Security numbers, so the thieves are in no real hurry anyway. Even as I write this they could be making a small fortune selling the data on underground forums where credit monitoring doesn’t reach.

There are many troubling but all too familiar red flags in this breach. The letter to victims asserts that “keeping your personal information secure is of the utmost importance to us” and “we are committed to maintaining the security of your confidential information.” Yet in addition to the fact that such sensitive information was left unattended in a car, none of the data was encrypted.

To make matters worse, the breach occurred in early December yet some of the victims didn’t receive their notification letters until mid-February.

Actions speak louder than words, and it appears this company didn’t even grasp or implement the very basics of data security. When I recently visited the company’s web site, I couldn’t find any mention anywhere of the breach. But I did see that the company’s slogan is “the name you can trust.”

I hope it doesn’t impact the commitment of future donors.

RELATED STORY: Possible stem cell bank data breach

http://abclocal.go.com/wtvd/story?section=news/local&id=8001870

We’ve spoken many times about the growth of skimming, and how thieves are able to steal millions of dollars by tampering with ATMs and gas pumps. Criminals may now be widening their focus to include Point- Of-Sale, or POS systems, especially those used by smaller firms.

Security firm Trustwave recently claimed that its research indicated POS systems continue to be the easiest method for criminals to obtain the data necessary to commit large scale payment card fraud. Trustwave conducts investigations on behalf of the major credit cards processors like Visa and MasterCard.

Their report is based on an analysis of more than 220 investigations conducted as a result of suspected security breaches. It found that in 75% of cases, the target for criminals was the POS system. 85% of the data at risk was classified as payment card data, while corporate information and trade secrets only accounted for 11%.

Smaller businesses are believed to be particularly vulnerable in part because they don’t have sufficient security experts or processes in place, in part because they tend to use third parties to develop and deploy their POS systems.

Why POS systems? Because they usually grab a copy of everything that’s on the magnetic stripe of the user’s card – all the information the criminals need to clone that card.

And what are the most popular types of businesses for hackers? According to the report; food and beverage and retail industries accounted for 75% of all investigations, followed by hospitability, government, and education.

And in a worrisome sign that many businesses are still asleep at the wheel, the report found that the majority of investigations, 60%, were triggered by regulators, while only 20% were discovered by the actual breached organizations.

Lessons learned?

• Thieves are everywhere and always looking for new targets to exploit. Your best defense is always education and vigilance.
• Monitor your credit card and bank statements on a regular basis and be cautious of any unusual transactions.

If you’re one of the millions of Android smart phone users, prepare to have your phone fumigated for malware. Remotely; whether you like it or not.

In an unprecedented move, Google is rushing to automatically remove at least 50 apps from Android smart phones after they were discovered to be hiding a dangerous Trojan called DroidDream.

Apparently the creators of the malicious app used Google’s very open Android Market to launch the attack. Android Market is where developers create, share, and promote new Android apps for phone users, and unfortunately there is little policing of the hundreds of thousands of apps sold and given away in this marketplace. At least 50 apps were believed to have been compromised in the attack, affecting as many as 200,000 phones in just four days.

Once installed, DroidDream downloads an application written to prevent anyone from either recognizing or installing the malware. That protects the malware and allows it to steal information about the phone, including user IDs, and even install any other software it wants to. This is an increasingly common tactic among malware developers, copying the military model of protecting the command and control center before launching an attack.

If you’re an Android user, you can expect to get an email from Google with an explanation. You’ll also be forced to download to your phone a security update that is supposed to fix any problems created by DroidDream.

According to PC World “the DroidDream incident marks the first wide-scale infestation of Google’s official Android Market with malware.”

Lessons learned?

• Be very selective in the kinds of apps you download to any phone.
• When using your phone for sensitive transactions, like online banking, avoid shortcuts like “saving passwords” and automatic logins. Treat any sensitive transaction through your phone as if you are online (which you are).

RELATED STORY: After Attacks, Google Patches the Android Market

http://www.pcworld.com/businesscenter/article/221471/after_attacks_google_vows_to_fortify_android_market.html?tk=rel_news

With every tragedy comes opportunity. The opportunity to learn, to rebuild, to do things better, and to prove that people around the world will rush to the help of their fellow man. Between the 6.3-magnitude Christchurch Earthquake on February 22 and the 8.9-magnitude earthquake and tsunami off the coast of Japan on March 11, stories of hope emerge. From Christchurch came eyewitness accounts of individuals sporting superhuman strength in order to reach buried survivors. Japan, still reeling from their own geological events, is now receiving assistance from 91 countries and regions and six international organizations; including teams from the United States, South Korea, Australia, Germany, Mexico, New Zealand, China, Hungary, Singapore, and the United Kingdom. (Japan’s own search and rescue team was still in New Zealand, assisting with recovery efforts from the recent Christchurch earthquake, when Japan’s earthquake and tsunami struck.)

But these dark events also bring with them another kind of opportunity. Hidden amongst that crowd of good citizens are heartless opportunists who see another’s tragedy as their chance for a quick buck.

Whenever there are natural catastrophes like these, emails and websites from bogus charities quickly appear offering links to graphic videos or photos of the event and calling for donations. Instead, these links lead to malicious web sites looking to steal your personally identifiable information or install software designed to track your online activity and transactions. Scams like this cropped up during the Christchurch disaster, and are now quickly emerging within days of the Japan earthquake and tsunami.

According to the BBB, any criminal can create a fake charity website in a matter of hours, and are often just carbon copies of the real charity sites. The goal of these illegitimate websites is to solicit donations, steal personal information, and install malware on the giver’s computer. The Better Business Bureau (BBB) has a list of scams including charity based scams in their Top Five Identity Theft Scams of 2010.

A common tactic by scammers is the offer of a sensational video that races like a virus through web sites and social networks. As predicted, a variety of these scams are now making the rounds on Facebook, quickly taking advantage of the events in Japan. The scammers are inviting users to watch the footage and spread the message and link to their friends. But anyone falling for the scam instead finds themselves redirected to paid surveys and quizzes, all with the intent to either gain personal information or simply generate click-based advertising revenue.

It never ceases to amaze me that there are so many heartless people in the world who only see human tragedy and suffering as a way to make a quick buck. However, there is a powerful lesson to be learned: These scammers only devote so much time to these scams because they work. They know that enough people will fall for whatever trick they’re peddling in order to make it financially worth their while.

You can still make a difference though without exposing yourself or your friends to these scams. Before you click on that “Donate” button, take just a few more seconds to consider the following:

• Is the website you’re making your donation through the real thing or just a fake lookalike? The best way to ensure you’re on the correct website is to carefully type in the URL or domain name yourself, and not rely on email or Facebook links.
• Before making a donation, remember to review any charity with BBB’s Wise Giving Alliance  http://www.bbb.org/charity to verify that a charity meets the BBB’s 20 Standards for Charity Accountability.
• Give only to charities you know and trust, and preferably direct through their website rather than in response to a phone call or mail solicitation.

And concerning the social networking video scams…

• Control your curiosity, especially around major news stories and tragic events. Get your news from reliable sources and don’t overindulge.
• Be very careful about clicking on any links relating to these stories that come through Facebook or Twitter.
• Watch out for the warning signs, especially language like “Amazing, you’ve got to see this video…” etc., and any message that asks you to share with your friends or download or install something in order to view.

Scammers should never stop you from being human and wanting to help your fellow man. Don’t let them.

Be careful. Be vigilant. Be a hero.

March ushers in warmer temperatures, a deep-seeded passion for college hoops, and a change from the bleakness of Winter to something brighter and livelier. March also means students begin planning for their Spring Break destinations. Some may head down south to Key West or even further into the tropics. Some may set their week-long respite for destinations abroad. With online venues like Expedia, Priceline, and Orbitz, incredible deals on airline tickets and hotel rates are only a click away, offering stress-out students exciting opportunities for fun in the sun.

In the excitement of planning a trip with your closest friends on campus, it is easy to forget how the Internet and vacation sites are also hotbeds of opportunity for scammers, identity thieves, and organized crime gangs. Perhaps you are more concerned about how you look as opposed to how vulnerable you are, which stands to reason. A lot of things are happening — and happening fast — before you and your friends even hit the road or reach the departure gate for your Spring Break getaway.

The good news is that planning for your safety while traveling does not have to be the “buzz kill” of your Spring Break. Making sure you and your friends are safe only takes a few minutes to implement.

Before your departure date:

• Avoid travel deals that are too good to be true. While the earlier cited travel sites offer incredible deals, you might find better ones on Craigslist, Backpage, or Epage. Just because a deal is online, has an up-to-date timestamp, and might even link back to some really tantalizing images doesn’t mean the deal is legitimate. Stick with reliable sources, or check to see if the vendors offering these price-busting packages are endorsed by organizations like the American Society of Travel Agents, U.S. Tour Operators Association, or the Better Business Bureau.
• Discuss in detail your travel plans. How deep you go into the explanation of the trip will depend on the agreed itinerary and how flexible you want to be with it. Print up your travel plans (hotel, planned stops, etc.) and leave a copy with your parents or trusted contact, complete with hotel and mobile phone numbers. When traveling overseas, temporarily upgrade mobile plans to include international calls, but be clear this is for emergencies only.
• Apply for your passport early. Regardless of a student’s age, applying for a passport should happen no less than three months before your departure date. Routine processing time for a passport takes 4-6 weeks, while expedited service takes just under three weeks. There are express services online that may promise you a passport within a week, or even faster; but these services are expensive and require you to provide personally identifiable information (PII) in a rush capacity. If you do need expedited passport services, make sure you use a service suggested by the U.S. Department of State and not some random website offering “the best deal.”
• Make two photocopies or digital scans of sensitive PII. Sensitive PII is defined here as your driver’s license, your passport, and the primary credit card you’re using while away. Leave one copy at home in a safe place. Pack the other photocopy in a different bag from where you keep your PII. If your wallet or identification is stolen, immediately contact the local authorities or (when abroad) visit your home country’s embassy with photocopy in hand. If your photocopy is damaged or lost, contact a trusted friend or family member. Let them know where to find your photocopied PII and have them either fax or email it to you.

During Your Trip:

• Use a credit card instead of a debit card. While it does feel like you’re spending money you don’t really have and interest rates tend to run high on credit cards, protection plans against credit card fraud tend to be better than bank-issued debit cards. As mentioned on CreditLoan’s The Credit Blog, credit card customers can contact their card issuer if the card is lost or stolen, and be fully reimbursed for fraudulent purchases.  Fraudulent debit card purchases, on the other hand, are subject to protection limits issued by the individual bank. This protection is eliminated if the fraud is not reported within a specified period of time.
• Protect your identification and technology possessing PII. Now that you have reached your destination, regardless if you are staying with friends or in a hotel, keep your identification and charge card on your person at all times. As reported by Neal O’Farrell, hotels tend to be a central point for criminal activity. While alarming news reports surface of hotel-related crimes, this does not necessarily mean that your hotel is a den of organized crime. However, this does not mean that you should leave sensitive PII out in the open. Check to see if your room has a safe. Secure your iPad, laptop, and other electronic devices before heading out to enjoy your destination and avoid bringing these valuables to the beach where they can easily be stolen.
• Secure your digital media devices. If there is no hotel room safe, or if your room safe does not have room for an iPad, tablet, or laptop, activate security measures on your mobile devices. Featured on ID Guardian are several security measures that can lock out others from your portable devices, and even remotely lock down or erase the data if your portable media is lost or stolen.
• When traveling overseas, find out the contact information of your country’s Embassy or Consulate in your destination country. If you find yourself in trouble at any time, your country’s Embassy should be the first number you call. Find out where the embassy is in relation to where you are staying. Also have on a small card, preferable attached to the earlier mentioned pre-paid phone card, the phone number of the Embassy, Duty Officer, or Consular Section.

More safety tips and travel information can be found online at the State Department’s website, Travel.State.Gov.

By investing in a few precautions, you only ensure you and your friends a stress-free respite from academic pursuits. Now pack your bags, bring extra batteries and media cards for your camera, and have fun!

Yesterday I read a very interesting article entitled the Seven Human Weaknesses that Cyber Criminals Exploit.

According to the author, the human weaknesses that can get us into so much trouble with cyber crooks include:

• Sex – using alluring images of attractive men and women to tempt you to click on or download something.
• Greed – like the promise of a free iPad, a lottery that you never heard of, or an inheritance from a long lost Nigerian relative.
• Vanity – you’ve won a contest, a lost love is checking your profile, or you’ve been chosen to be listed in an exclusive Who’s Who.
• Trust – readily exploited on places like Facebook, when you click on something suspicious just because the sender claims to be a “friend of a friend.”
• Sloth – just too lazy to read the warning signals that usually accompany most scams.
• Compassion – for a friend stuck in a far away country and needs financial help, or a charity looking for donations to help victims of the latest natural disaster.
• Urgency – act now or regret it forever.

But redemption is at hand. You can avoid these menial sins by simply doing the opposite:

Ignore sex appeal – no legitimate friend or business will try to tempt you with sex

Check your greed – if it sounds too good to be true, it’s probably a scam.

Vanquish your vanity – sure you’re cool, maybe even universally admired. But chances of you being selected by People Magazine as the most interesting person on the planet? Probably remote.

Mis-Trust – Nothing wrong with admitting that it’s not like the good old days, when you could trust every stranger and you never locked your door. Those days are gone, at least for most of us. A little  cynicism may not be a bad thing.

Slow down, sloth – actually the best way to beat many scams is to actually be more sloth-like. Slow down, read carefully, and think twice before you click on anything.

Compassionate caution – don’t lose your compassion for anyone or anything, just because the bad guys try to take advantage of your good nature. Just temper your compassion with caution, and while you’re giving generously, do so cautiously.

Insurgency – it’s time to saddle up and fight back. Cybercrime affects us all, directly and indirectly, and we all pay the price. But the most powerful crime fighting technology is wedged right between your ears. It’s time for every individual to get involved and guard their small corner of cyberspace.

RELATED STORY: The Seven Human Weaknesses that Cyber Criminals Exploit.

http://www.baselinemag.com/c/a/Features/Seven-Human-Weaknesses-That-Cyber-Criminals-Exploit-876389/

Do you ever wonder why the third month of the year is called March? It could be due to the fact that everyone is on their feet and marching into some sort of high-focused, all-encompassing activity where the outside world disappears. For some, it is Spring Break, that magic week within the academic year that promises fun and sun, a welcome respite from the winter. For others, March means basketball. March Madness, in particular, where teams from across the country whittle down to the Final Four.

But for many, March is that time where receipts are gathered, numbers are organized, and accountants are clocking in overtime. Yes, March means preparation for the following month’s Income Tax filing.

Tax season involves the exchange of a lot of documents and communications which contain sensitive personal information including addresses, Social Security numbers (SSN), employer information, and bank account numbers, all of which can be used to compromise or steal the identities of their owners. Identity thieves will use various scams and schemes this year to either forcibly gain access to this information or con taxpayers into willingly and unknowingly handing it over. And with new IRS regulations, within two years, all paid tax preparers will be required to submit all returns electronically. Adding to this digital deluge of incoming data, the IRS has reported that the majority of income tax refunds will be sent to taxpayers electronically, making your computer and electronic networks everywhere a prime target for identity thieves.

In years past, fraudsters have used a number of methods to steal or obtain personal information. Fraudsters commonly masquerade as the IRS, calling and convincing unsuspecting tax payers to turn over their Social Security or bank account numbers in order to correct a factual error on their return or expedite the deposit of their refunds.  Fraudsters have also distributed emails claiming to be from the IRS with attachments or links that contain Trojans or other malware that can easily empty the victim’s bank account. Consumers need to be cautious not just of scammers working under the mask of the IRS, but also of emails or phone calls from property tax appraisers or local county tax assessors, which could just be another rouse employed by identity thieves.

In order to help you avoid even the best laid identity theft traps, we have compiled a list of tax season safety tips to guide consumers this year.

Top 13 Tips for a Safe & Secure 2010 Tax Season:

1. Be suspicious of any calls or emails purporting to be from the IRS, no matter what the issue. For example, some scams claim that someone else has already filed tax returns in your name or with your SSN.  The IRS will always write to you first, will rarely call, and will never email you.
2. Never confirm your SSN or bank account details by email or over the phone.
3. If your bank or employer has been taken over lately, be wary of any calls asking you to confirm your tax information or employment status.
4. Guard your mail because it’s especially attractive at tax time.  Ideally, have your mail delivered to a P.O. Box and mail tax returns and sensitive information directly from the post office.
5. If you plan to use an online tax preparation service, make sure you stick with a reputable one that has adequate security measures in place.  And be careful when typing in the URL or web address of an online service in case you misspell the name and end up on a fraudulent site that looks like the real one. Invest in software that can help you stay safe by alerting you to questionable sites when you type in URLs.
6. If you plan to use online tax preparation software and intend to keep a copy of your return on your computer, you should immediately rename your return with a different file extension.  It is also highly recommended you use a USB external drive to save your information instead of storing it directly on your computer.
7. Make sure your computer is free of malware like computer viruses and spyware that can steal a copy of your SSN or bank account password.
8. Choose your tax preparer carefully and don’t be afraid to ask them important security questions, such as how your information is protected at their offices during and after preparation, how long they will keep a copy of your tax return, and whether they conduct background checks on their employees.
9. If you owe money to the IRS, try to pay online through their system.  If you have to pay by check, spell out the name “Internal Revenue Service” because it’s harder to forge than the letters IRS.
10. Don’t email tax information or returns to your accountant.  Email is not a secure way to send any document.
11. If you make copies of your return on a photocopying machine, be aware that many machines keep a copy of your pages in short term memory!  Using photocopiers in public locations is not recommended.
12. Don’t forget to shred any unnecessary documents or copies when tax season is over.  Dumpster divers will be on the prowl to get your banking account details and SSNs.
13. Finally, check your credit report immediately after tax time and again a few months later to make sure your personal information wasn’t stolen and is not being used against you.

For more information concerning tax safety please see our other IDGuardian blog posts:

• Phising: A Demise That Has Been Greatly Exaggerated (Jerry Thompson)
• A Re-Routed Refund (Anne Madrid)
• The Taxman (and Identity Thieves) Cometh (Neal O’Farrell)

Remember to use extra caution and care when filing their taxes this year.

In February, Javelin Strategy & Research released their 2011 Identity Fraud Survey. Since 2003, Javelin Strategy & Research has conducted this survey in order to provide a detailed, comprehensive analysis of identity fraud so that consumers and businesses better understand methods for prevention, detection and resolution. The survey is comprised of a nationally representative sample of 5,004 U.S. adults, including 470 fraud victims.

Intersections Inc. CEO Michael R. Stanfield, on reviewing the 2011 survey data, offers in this podcast advice for women in their own efforts to protect their identities.

Our audio and video columns can be listened to in a variety of ways:

• Through the blog via the media player found in this blogpost
• Through a manual download by clicking on the “Download” link
• By subscribing through iTunes
  

Michael R. Stanfield co-founded CreditComm, the predecessor to Intersections, in May 1996 and has been Chairman, Chief Executive Officer and a Director since that time. Michael has been involved in management information services and direct marketing through investments and management since 1982, and has served as a director of CCC Information Services Inc. and BWIA West Indies Airways.

This podcast is copyrighted 2009-2011, IDGuardian.com, All rights reserved.

Any use of the Content not expressly permitted by IDGuardian’s Terms of Use may violate U.S. or international copyright, trademark, and/or other laws. For questions or feedback please contact us at questions@IDGuardian.com.

Thank you for listening,
and stay safe.

According to the newly released 2011 Javelin Strategy & Research Identity Fraud Survey Report, identity fraud has dropped. After two years of a consistent rise, identity fraud victims in the United States fell by 28 percent. The Javelin Study suggests this drop is due to “…changes in the U.S. economy, increased efforts by law enforcement, more sophisticated fraud‐ detection systems and behavioral changes by consumers.”  The report also attributes this drop to fewer data breaches in 2010. In other words, personally identifiable information (PII) remained secure due to “…increased awareness and compliance of the Payment Card Industry Data Security Standards (PCI DSS) by merchants.”

While encouraging, the Javelin findings should not be misinterpreted to mean consumers don’t need to worry about identity theft as new account fraud, and friendly fraud are on the rise; as well as costs consumers pay to resolve these types of fraud. We all need to continue to be vigilant about protecting our personal information, and sometimes the best way to be vigilant is to take a good, hard look at what we are making public knowledge.

At the beginning of February, Wired Magazine reported what appeared—at first glance—a blatant, public display of identity theft. A dating site calling itself “Lovely-Faces.com” went on Facebook and helped themselves to personal information from 250,000 profiles in order to fill their website with singles looking for love. This practice of extracting data from one website and displaying it on  another is known as scraping (or Web Scraping).  These users and their data were obtained from publicly accessible Facebook pages. Publicly accessible.

When new and experienced users access Facebook profiles, the Profile Page results will vary. Some users will adjust their Privacy Settings to limit access to certain details, thereby changing what people see when they pull up a profile.

click image for a full view

Above is an example of a “publically accessible” profile , in this case with Privacy Settings are filtering out what the Facebook user prefers to keep private, as seen here:

There are other profiles, however, where everything is shared with everyone: names, photos, relationship status, and even current locations. All of this information completely open and viewable by the public. The number of Facebook’s 500 million users that have left their Privacy Settings on the “Everyone” setting introduced in December 2009 is unclear; but with Face-to-Facebook’s social experiment, there were at least 250,000 users that did just this.

Now it would be easy to take the argument that critics like Face-to-Facebook creators, Paolo Cirio and Alessandro Ludovico, make:

“Facebook, an endlessly cool place for so many people, becomes at the same time a goldmine for identity theft and dating—unfortunately, without the user’s control. But that’s the very nature of Facebook and social media in general. If we start to play with the concepts of identity theft and dating, we should be able to unveil how fragile a virtual identity given to a proprietary platform can be.”

This cavalier disregard to sharing personal data, though, is not just limited to the confines of the Internet. Not by a long shot. Think of the last time you were in a public place—an airport, a coffee shop, or standing in line at the grocery store—and a complete stranger begins having a conversation with someone on their mobile phone, complete with far too much volume and personal details being shared. For an identity thief, this indiscretion is a welcomed opportunity.

From Above the Law, a blog covering the realities and business side of the legal profession, comes a rather disturbing story of one such phone call from a professional who should know something about the importance of sensitive data. On the Acela train between D.C. and New York, the managing partner of a prominent law firm called an up-and-coming lawyer to present them with a potential job offer. The terms of the offer were as follows:

• Base compensation: $300K in the first year.
• Additional compensation: $50K upon bringing in $1MM; 15 percent of anything over $1MM.
• Equity: Possible equity in the partnership after one year.

The partner then proceeded to call his firm’s Human Resources department, and provided the potential’s full name, home address, and authorization to start a background check.

All this overheard by the Above the Law tipster, along with a full-to-capacity Acela express train.

So while Javelin’s numbers tell us that cases of identity fraud are going down, there are some things we as consumers and users of modern conveniences, can do better:

• Limit the amount of information shared on social networks. Use common sense. Think about what information you want to share, who you are sharing it with, and always assume that others outside of your protective network are going to see it too.   Then decide if you want to post it.
• Avoid private discussions in public places. Again, there is no “private” in public places. Voices carry; and when sharing PII during a phone call, your voice carries a lot more than just words.
• Avoid sharing PII on public Wi-Fi networks. As seen in this editorial from CNN Money, many free Wi-Fi networks are unsecure. This means that hackers can easily gain access to your computer and mine it for a variety of data. Also keep in mind the Internet places you visit while in public places. Just as people can inadvertently listen in on a phone call, they can also watch your laptop screen from a distance.
• Share with your friends and business associates what is and isn’t permissible to share in public. While you can do a lot to protect yourself online and in the real world, you should also advise your friends, family, and co-workers what you deem as “private.” If they don’t know, what may be perceived as a harmless photo on Facebook or a detail shared over the phone could cross a boundary or two.

When it comes to protecting PII, a lot of advances have been made and the 2011 Javelin Study backs up these efforts with the data. This does not mean we should become lax in our vigilance. A little common sense and taking a moment to consider how much you are sharing with the public can go a long way in protecting yourself and your identity.

Attending the RSA Conference this year is Steve Schwartz, Executive Vice President of Consumer Services at Intersections, Inc. Steve sat down with Tom Field, Editorial Director of Information Security Media Group, to discuss the 2011 Javelin Strategy & Research Identity Fraud Survey as well as the myths and realities of identity theft. This podcast is presented via syndication from the Information Security Media Group, the people who bring you BankInfoSecurity.com.

Our audio and video columns can be listened to in a variety of ways:

• Through the blog via the media player found in this blogpost
• Through a manual download by clicking on the “Download” link
• By subscribing through iTunes

Steve Schwartz, before stepping into Intersections’ role of Executive Vice President, Consumer Services in 2006, served as Senior Vice President at The Motley Fool, as well as Vice President at Time Life, Inc. During his career, Mr. Schwartz has worked extensively in the direct response marketing field, including positions at Book-of-the-Month Club and Columbia House.

Thank you for listening
and stay safe.

Today, Javelin Strategy & Research released their eighth annual Identity Fraud Survey Report. Sponsored in part by Intersections, Inc., Javelin’s Identity Fraud Survey Report is the most comprehensive research study of identity theft cases in the United States. It assesses the effectiveness of methods used for fraud prevention, detection and resolution and provides the basis for fact‐based benchmarking and recommendations. Javelin Strategy & Research has produced this video as an orientation to their findings, and a resource for quick tips in staying safe.

The Javelin Strategy & Research 2011 Identity Fraud Survey Report is co-sponsored by Fiserv, Intersections, Inc. and Wells Fargo. Their findings have shown that in 2010, identity theft and fraud claimed fewer victims than in any other period since Javelin began conducting surveys in 2003; however, out-of-pocket costs to consumers increased.

Click here to find out more from the 2011 Javelin Identity Fraud Survey’s Consumer Report.

It is not quite the end of January and I have already received more than five phishing emails from the IRS and my bank concerning last year’s tax returns and this year’s payments or refunds, whichever is applicable.  The emails are variants of the same scam.  Essentially what they are asking me to do is verify my Social Security number (SSN) for IRS’ records, or verify which bank and bank account number I would like my refund or overpayment sent to.

These emails are a warning of how organized cyber criminals are, and how they are getting an early start to victimize consumers.

According to Tracy Kitten on a recent Bank Info Security News blogpost, “The number of phishing attacks launched on consumers has jumped from one or two a week to more than 70 per day”.  Phishing attacks have been around for five years, and the concept is really quite simple. The attacks are built around the fundamental belief that consumers want to correct a wrong, want to make sure that their information is updated, and want to ensure all of their assets are in good order. This is why virtually all phishing emails are sent from cyber criminals posing as banks.

Let’s take a step back and briefly explain phishing.  It is a process called Social Engineering where the criminals use some personal information about the consumer to try to get them to volunteer their personal data needed to steal their money.  In the early days of phishing you would get an email asking you to verify all of your account data, and at the end of the process “secure” that data by also verifying your SSN.

Amazingly, consumers volunteered this data by the hundreds of thousands.

As word got out that banks would never ask you for personal information via email or by phone, consumers got smarter.  Unfortunately, so did the cyber criminals and their games continue today.

When I think of online fraud I gravitate to the advanced malware attacks that are ongoing that steal the bank data without you even knowing it. I mistakenly thought phishing was a relic, a thing of the past. Then I got my email from cyber criminals posing as the IRS, notifying me that I overpaid my 2009 taxes and that I was due a refund which would be wire transferred to my bank account once I submitted the appropriate account and routing numbers.  The email stated that the IRS no longer mails checks but only issues refunds by direct deposit, so if I wanted the money I should provide  my bank account information and verify my identity by providing my SSN.

Very slick and creative, and I am sure based on the new data citing the number of attacks happening daily, it will be very successful.

What can consumers do to protect themselves from phishing attacks?  The answers are simple and have not changed since this scam began:

• Never give out personal information based on an unrecognized email or unfamiliar incoming phone calls.  This would include:
  • Social Security numbers
  • Bank information (account numbers, routing information, etc.)
  • Personal data (home address, workplace, children’s names & ages)
• Remember the IRS only reaches out to you via US Mail. They don’t call. They don’t email. If you receive an email from somebody stating to be with the IRS, immediately delete the message and do not open it.
• Do not reply to a suspicious email as clicking on it can potentially infect your PC with a strain of malware.  Also, do not forward suspicious emails to others asking for their advice. Simply delete the message.

While Christmas is considered the season for giving, these three months around April 15^th is a holiday for cyber criminals trying to steal your hard earned money.  Be smart and be careful.

While many economists are increasingly upbeat about the pace of the economic recovery, the jobless rate remains painfully high at 9.4 percent.  With this persistent weakness in the job market, scammers are turning to the internet with a new take on traditional work-from-home scams.  As WTOP recently reported, one popular scam entails emails to victims promising all the resources they need to work from home in return for their credit card information.

But as DC resident Emily Cox discovered, the so-called job actually turned out to be a ploy to steal her credit card number.   When she entered the product codes for the job materials she was promised, the codes didn’t work and her email replies to the organization continued to be bounced back.  Fortunately, her credit card company was able to return the money she lost, but the even more insidious threat with these job scams is potential identity fraud and the loss of your personal information.

Work-from-home scams can take on a number of different forms, and the Better Business Bureau (BBB) recently said we can expect an uptick in scams targeting jobseekers this year.  In a recent advisory, the BBB listed some of the most common false promises they’ve seen, which include an offer teaching the secrets to making money online as well as claims that you can make money assembling items at home or get paid to be a mystery shopper.  In fact, some victims later found that their opportunity to “work-from-home” actually involved facilitating criminal activity.

Another related scheme also preys upon the optimism of jobseekers by asking a jobless person to pay a fee for the mere chance of being considered for a job.  The jobs don’t actually come to fruition, and instead the placement company has gained access to your identity, including personal information such as credit card information, bank account numbers, or even Social Security numbers.

To avoid these common variations of job scams and protect your identity, remember these helpful tips:

• In order to be successful, email scams require you to be a willing, albeit unwitting participant. If you don’t cooperate, the crime can’t happen.
• While the emails can sometimes be convincing, be on the lookout for misspellings and poor grammar — the telltale signs of fraud.
• Never provide confidential, personal, or secure information in response to any email.
• Teach all family members to be wary of such emails — it only takes one unsuspecting user.
• Remember that legitimate job placement agencies impose fees after you get the job.  These fees are usually paid not by you, but by your employer.

And don’t forget – if it sounds too good to be true, it probably is!

To everyone who sent me eCards over the holidays, instead of a traditional printed greeting, thank you. And sorry. Thank you for thinking of me, and thank you for being kinder to the planet. And sorry, but I didn’t open any of them.

I know you meant well, but I never open eCards, no matter where they come from. In fact I’ve been dissing them for years as one of the easiest ways to spread more malware than cheer.

And if you received and opened an eCard this year from the White House, you should have listened to me. Seems like a bunch of government employees and contractors have reported receiving eCards that came from Whitehouse.gov that turned out to be hiding a data-stealing Trojan. And worse, seems like most of the recipients (or targets) were cyber security specialists.

According to an article by Network World, the card contained the message “As you and your families gather to celebrate the holidays, we wanted to take a moment to send you our greetings. Be sure that we’re profoundly grateful for your dedication to duty and wish you inspiration and success in fulfillment of our core mission.”

Clicking on the eCard instantly downloaded a copy of the dreaded Zeus Trojan, a very advanced and dangerous piece of criminal malware designed to steal documents and passwords, as well as invade and overwhelm bank accounts. In this case, the goal seemed to be espionage, and it was estimated that this particular attack managed to snag a few gigabytes of sensitive and possibly classified information.

Security expert Brian Krebbs even went as far as identifying some of the experts who fell for the trick, including an intelligence analyst at the Massachusetts State Police, an employee at the National Science Foundation’s Office of Cyber Infrastructure, and an employee from the Financial Action Task Force.

Which leads me to wonder. If the cyber security experts tasked with protecting the nation can seem to so easily fall for such an obvious scam, what hope for the rest of us?

RELATED STORY: Espionage Via Spoofed White House eCard

http://www.networkworld.com/community/blog/espionage-spoofed-white-house-ecard?source=NWWNLE_nlt_security_2011-01-04

Welcome to the New Year! Around this time resolutions are made (and forgotten) and people are working on mastering their “big gift” from the holidays. If your Wish List included items from the Top Ten Most Wanted of 2010 Christmas Gifts, chances are you found an iPad under your tree, or an iPhone, Droid, or the new Windows Mobile in your stocking.   These tech toys keep us in touch with friends, family, work, hobbies—24/7—and now we can slip the power of a small laptop easily into our pockets and shoulder bags.

Intuitive as this mobile technology may be, there is a great deal of liability in owning and, yes, handling such devices. Your most important data, ranging from online billpay to addresses and phone numbers of those closest to you personally and professionally, are stored on these devices. As easy as it is to enter in your PII into an iPad or a Droid, it is equally easy to lose track of your device, whether by accident or due to theft. The mantra “With great power comes great responsibility…” rings true. especially when it comes to protecting your PII.

The good news is developers are well aware of the human element when it comes to technology, and there are services out there that can help you keep track of your new tech toys and protect the data stored on them. Some of these options are free while others charge a yearly subscription fee, but all of them help you in safeguarding your mobile technology.

Apple users are offered with their mobile devices the Find My iPhone service. Once your device is “paired” with the app, Find My iPhone will allow you from your computer or from another mobile device to “ping” your iPhone or iPad. You can have your device display a message, play a sound (even if it is in a “silent” mode), or both. If you find, though, that your mobile device is not where you last left it, you have two additional options. Remote Lock will initiate a full lockdown of your device, as if it were passcode protected. For additional security you can choose the Remote Wipe option. Remote Wipe will erase all unique data on your iPhone or iPad, resetting it to the factory settings as if it is fresh out of the box.

As of November 22, 2010, Apple began offering this service for free. Unlike the other apps covered here, there is no blog support for Find My iPhone, but under the “Support” section of Apple.com are some Frequently Asked Questions, if you have any concerning the service.

Android users have a similar “lost device” locator, called iTag. The app works similar to Find My iPhone in that if your device is lost (or stolen), the website will allow you to locate your missing phone by having it play your ringtone (even overriding its “silent” setting). Unlike Find My iPhone, iTag incorporates a “social networking” approach to finding your Droid as you can enter into your iTag a Friend Locator and locate friends close by it. You can then privately or bulk message them from the iTag website. If, however, you suspect your phone to be stolen, you can lockdown or remotely wipe your Droid. iTag will also send you an alert if your phone’s SIM card is swapped out. Though its website, iTag will retrieve this new SIM number and contact the local authorities.

The basic iTag service is free. A $20/year subscription fee grants you access to all iTag options. The app developers also feature a security-minded blog geared towards mobile device users, regardless of the device you are using.

For new Windows Phone and loyal BlackBerry users, the trusted security vendor MacAfee have just acquired WaveSecure. Featuring many of the same services as Find My iPhone and iTag, WaveSecure gives you the ability to locate your phone, remote memory wiping, and tracking SIM cards swapped out for yours. WaveSecure also offers Uninstall Protection for your phone. In case your phone is stolen, WaveSecure will prevent anyone from uninstalling the app, ensuring you access to it even in the hands of its thief.

WaveSecure, available for the Android and other mobile devices as well, carries a price tag of $19.90/year subscription fee. A blog is offered on their website, but the posting is sporadic at best and specifically targets WaveSecure users.

Some other options to consider, completely app independent:

• Read up on your phone’s built-in security features. Find out what they can do.
• Take advantage of your mobile devices passcode functions. Whether it is a four-digit number or a trace pattern only you know, take that step in protecting your phone.
• Get into the habit of keeping your mobile devices within reach. At home, either leave them connected to the computer or within eyesight of the computer.

Regardless if it is a free service or a yearly subscription, your data is worth these extra steps. Keeping this offered advice and considering these apps covered here, another worthwhile investment is time taken to truly understand how your new tech works. The less room you have for human error, the safer your sensitive data will be.

You’ve entered the dark cave of the evil orc goddess, silently infiltrating her defenses with your cloak of invisibility.  You skirt around the edge of her throne chamber, stalking quietly, and draw your assassin’s blade.  You remove the threat of her elite guards with deft slashes of your trusty blade and spring forth to take on the powerful goddess.  You can almost taste the experience points that you’ll earn when you take her down.

But before the battle commences, an elf steps forward and offers to sell you The Blade of Cthulhu, a +45 broadsword that offers a +25 critical hit against orcs.  Wow, this thing would really help you take down the evil orc goddess!  He says that the fastest way for him to sell it to you is for you to open up a new browser session and pay him for it via PayPal.

STOP!  Do not follow that elf offline!  No evil orc goddess is more dangerous than an out-of-game transaction!

I have covered the dangers of identity theft in online gaming before, but the popularity of gaming is being exploited by another group of scammers; and with the holidays upon us, gamers must remain vigilant.

One of the most common methods for identity thieves to attack is phishing, or sending fake email to you that contains a link to a fake site set up to harvest your identity.  According to a study put out by Internet Identity (PDF download), criminals took increasing advantage of the popularity of gaming in the third quarter of 2010.  There was a whopping 347% increase in phishes regarding online gaming.  In fact, this was the first quarter in which there was more phish focused on online gaming than on online auctions.

In particular, World of Warcraft has been a rich target, as have recently launched Starcraft II and Call of Duty: Black Ops.  The thing is that phishers go after hot topics, and within the past few months more and more games are in the news.  Attacking in a timely fashion makes phishing attacks more likely to succeed.

One of the big phishing attacks posed as an email from Blizzard Entertainment that claimed to be inviting users to join a new expansion pack on World of Warcraft.  By clicking on the link in the email, excited users eager to beta test the expansion pack were taken to a fraudulent site where they were instructed to enter all of their login information for WoW.  The thieves went so far as to clone the Blizzard website, but when a user registered, all they saw was “processing”.  So the user thinks there’s an error with the site and moves on.

Unfortunately, thousands of gamers had their WoW usernames and passwords stolen. Big deal, you think.  Who cares if I lose a month’s payment to Blizzard?

It’s not that simple.  The stolen WoW usernames and passwords were used to create in-game fraud like the situation described above.  If that was your account, you would quickly find it shut down because of this fraud, and you’d lose all of the great items and capabilities that took so long to develop.

No website should need your account number, username, and password.  That’s asking for too much.  Think about it: shouldn’t they already know that your account number is linked to your username?  By providing both, you would give the identity thieves everything they need.

The only difference is that in this case they’re stealing your in-game identity.  And for those of us who are passionate about gaming, this can cause plenty of damage.

Today is Cyber Monday, the online version of Black Friday where vendors are marking down inventory and offering great holiday gifts at fantastic discounts. A full listing of today’s online deals can be found at CyberMonday.com; but if you are prowling the Internet for incredible deals, you might come across offers not covered on Cyber Monday’s official site…

…and this is where we at IDGuardian offer you some cautionary advice.

If deals found off the beaten path of the Internet sound too good to be true, many times they usually are. Along with last week’s post, IDGuardian is offering this “podcast replay” from Neal O’Farrell. Originally aired last year, this is Neal’s commentary on Black Friday, and helpful tips that work just as well for today’s online bargain hunting.

Our audio and video columns can be listened to in a variety of ways:

• Through the blog via the media player found in this blogpost
• Through a manual download by clicking on the “Download” link
• By subscribing through iTunes
  

Neal O’Farrell is a nationally recognized expert on cybercrime and identity theft. Neal is a board member of the Center for Information Security Awareness and the first to train an entire police department in identity theft awareness. He is also the founder of the Identity Theft Council, just launched this year in the San Francisco Bay Area.

This podcast is copyrighted 2009-2010, IDGuardian.com, All rights reserved.

Any use of the Content not expressly permitted by IDGuardian’s Terms of Use may violate U.S. or international copyright, trademark, and/or other laws. For questions or feedback please contact us at questions@IDGuardian.com.

Thank you for listening, shop smart,
and stay safe.

As the biggest holiday shopping days of the year quickly approach, consumers everywhere will be lining up at stores on “Black Friday,” (11/26) the ceremonial kickoff day for the holiday shopping season. For those that don’t want to fight the massive crowds at the malls and local shopping centers, they’ll surf the Web on “Cyber Monday” – the Monday right after Thanksgiving (11/29) – to catch even better sales, conveniently ordering their gifts online to have them shipped all over the world.

ID Guardian recommends the following safety tips for holiday shoppers:

1. Protect your computer from online threats including money-stealing Trojans. According to the Q1 2010 PandaLabs Report, Trojans accounted for 61 percent of all malware and continue to be the leading choice of cyber criminals for stealing personal information as well as bank and credit card details.  Cyber criminals are using more sophisticated Trojans to grab your bank account and credit card login information, disable your security software, and sneak into your bank account by pretending to be you. The best way to avoid Trojans is to (a) not open attachments or click on email links; (b) be careful where you surf and stick to online “neighborhoods” where you really feel safe; and (c) regularly patch your computer and update your anti-virus, anti-spyware and firewall software.
2. Take a tip from online merchants and “trust but verify.” A study conducted by BIGresearch found that about 32 percent of online shoppers will make their purchases on the web this year.  As more and more people turn to the Internet for their holiday shopping, it’s important to make sure the websites they are using are secure and legitimate. The best way to determine if a website is safe is to see if there is an “s” in the website address, i.e., https:// instead of http://.   Another way to make sure the website is safe is by looking for a closed padlock in the bottom of the screen; an open padlock indicates an insecure site. There are also tools available that securely store and enter user log-in data, preventing the information from being exposed to ID thieves. It also verifies the IP address of the site you are logging into to make sure it’s legitimate.
3. Be careful buying gift cards. Gift cards will remain the most requested holiday gift this year. One of the latest gift card scams to recently surface is the increase of fraudulent gift cards being sold on auction sites. Sellers on auction sites are also taking advantage of unknowing buyers by overstating the value of the gift cards so buyers don’t end up with the gift card amount they think they are purchasing. Be sure you are purchasing gift cards from a reliable source.
4. Avoid Tweet Traps! Scammers fully understand the power and reach of social networks, and gathering places like Facebook and Twitter are a feeding ground for all kinds of thieves this holiday season. The biggest threat to be wary of this year is the “Tweet Trap” – a message that appears to be from a trusted friend or follower passing on some great news, a real bargain, or a worthy cause, but instead hides spam, phishing fraud, or a malicious download. Consumers should be cautious about Tweets or Facebook messages about great holiday deals, must-have gifts, or hard luck stories, even if they are coming from “friends.” If they sound interesting, do your own research to see if they’re genuine, but don’t click or download!
5. If a deal sounds too good to be true, it probably is. This scam has focused on promising shoppers the hard-to-find gift at an irresistible price and in most cases, the gift doesn’t exist, doesn’t arrive, the seller demands far more for it, or simply steals the shopper’s credit card information. But this year, hackers are upping the stakes by hacking into the search ranking systems of the major search engines like Yahoo! and Google so that their fraudulent or malware-infected web sites appear at the top of shopper searches. And most shoppers still believe that if a Web site is at the top of a search engine’s list, it has to be legitimate.
6. Do NOT give out your financial information over the phone or email. If your bank or credit card company sends you an email or even calls you warning you of insufficient funds or other problems with your account, contact them directly using the customer service numbers posted on their web sites. Don’t respond to their emails or to any number they provide in an email or phone message.
7. Do a post-holiday credit health check-up. After the holidays are over, be sure to check your credit reports, credit card statements and bank statements to verify all transactions. Each transaction you made, either in retail stores or online, could have been compromised, adversely affecting your credit and your credit score. Notify your bank or credit card company immediately if you see anything suspicious.

Simple ways to protect yourself is to be vigilant about where you shop (online or at the mall), be aware of what information you provide and to whom, and to protect your computer from spyware, malicious code and Trojans. While we are “making spirits bright” during the holiday season, we must also practice a bit of common sense. Be safe. Remain vigilant.

I’ve predicted for a while that because the more recent generation of malware – and especially Trojans – has been so effective, we’re going to see lots more of the same. And better, more sophisticated ones. And I was right. Again.

One thing I’ve learned over the years is that if an attack, scam or exploit makes sense, it will eventually happen. And it seems like that’s exactly what we’re seeing with a new kind of Trojan that has adopted some of the characteristics of its close cousin the worm, to create a very dangerous new malware hybrid targeted at banks. And when I say “banks” are targeted, I mean “you and your bank accounts” are targeted.

Here’s a quick background: A new generation of banking Trojans has been doing the rounds for nearly two years now, and this very sophisticated type of malware has claimed thousands of victims, emptying their bank accounts to the tune of millions, if not billions of dollars.

But these Trojans have had one limitation — they can only infect one computer at a time. A worm, on the other hand, can spread to thousands – even millions – of computers in a matter of days, even if it doesn’t do too much harm.

So imagine if a banking Trojan could behave like a worm and automatically spread itself to thousands of computers? Well, that’s what seems to have happened with the new hybrid malware dubbed Qakbot. And what’s worse, it seems to have been created exclusively to target U.S. banks.

The malware is so sophisticated it is able to filter the data it captures so it knows exactly what to steal. And one researcher described is as a “life grabber” because of its ability to track and steal everything it can about a user. But if that gives you a scare, hold on — it gets worse. Researchers claim to have discovered a variant of Qakbot that is completely invisible to anti-virus software. That’s right, your own anti-virus software may be useless against this threat.

Scary times.

In response to this spiraling threat, financial institutions are re-evaluating their security and spending a lot of time studying the motives and methods of these cyber highway robbers. The toughest part is that the robbers understand the banks they’re robbing. They know what current security measures banks have in place, and are able to evade those defenses. And like master chess players, they’re able to predict the banks’ future security responses and take these into account when designing their codes.

It really is a cyber war, and consumers are not just victims, but we should all be combatants, too. It’s very obvious that technology alone won’t protect us all the time, and as consumers there are many things we can do to protect ourselves and others from this growing threat:

1. Scan all business and home computers, either using your existing anti-virus software or using any of the free scanning services available.
2. Layer every computer with the best virus and spyware protection available and update it constantly. But be aware that having the latest anti-malware protection in place is no guarantee that you’ll be able to prevent or detect an infection.
3. Make sure your computer automatically downloads and installs security patches as soon as they become available.
4. Avoid opening email attachments or click on links in emails unless you’re able to verify the email is legitimate, and be careful about visiting web sites you’re not familiar with.
5. Be especially vigilant for phishing schemes and to watch out for unusual or “personalized” emails (possibly beginning with “Mr. John” or “Ms. Samantha”) with attachments or links that are not familiar.
6. Set up account alerts to notify you of any transactions or changes in account balances, and work with your bank to see if there are additional layers of authentication they can use to prevent or alert you to unauthorized transfers.
7. Spread your funds between multiple accounts and limit the number of users on each account.
8. Change your passwords regularly, make them tough to guess, and protect them well.
9. Use just one computer for online banking, and make sure that computer is highly secure and ideally not used for email or any other internet connected activity.
10. Be vigilant when visiting your bank login page, especially for any changes to the login procedure or requests for additional information.

For more on this Trojan-worm hybrid, take a look at this article from CU Info Secuirty — http://www.cuinfosecurity.com/articles.php?art_id=3075&rf=2010-11-08-ec

I have some bad news for you: Recent research shows that it has become far easier for thieves to steal your identity than it is for you to protect it.

CA Technologies, maker of software used by large companies to manage and secure their networks, issued a report:  “State of the Internet 2010: A Report on the Ever-Changing Threat Landscape.” (PDF) The report itself is 56 pages long and covers such topics as newly discovered threats, prevalent threats, and more.

The thing that caught my eye is a 15 page section on crimeware.  According to the study, “crimeware is a class of threat designed to automate cybercrime.  It collects and harvests valuable information through a large-scale malware infection. It is primarily designed to perpetrate data and identity theft to access user’s online banking services, shopping transactions, and other Internet services.”

The report highlights several key facts about crimeware:

• 96% of Trojans are components of a larger underground market-based mechanism we call Crimeware-as-a-Service.
• Crimeware is primarily designed to perpetrate data and identity theft.
• The economics of crimeware is “Delivering threats over the Internet.”
• Crimeware is an on-demand and Internet-enabled service.
• Crimeware’s main distribution mode is through social engineering and drive-by download attack.
• Crimeware highlights cloud computing as a new delivery model.
• Social media is the latest crimeware market.
• Crimeware’s latest offensive capabilities highlight Zeus and Spyeye.

I spoke to Don Debolt, Director of Threat Research at CA Technologies, and primary author of the report, to get a handle on this organized threat to our identities.  We had a lively discussion and from that I’m able to pass along this description of how crimeware-as-a-service works.

In essence, what’s happening is that we’re seeing the foundation being laid for  an underground marketplace for malware that can be used to steal your identity.  You can think of this sort of like a black market where a criminal could go to buy a weapon to use to attack you, except the weapon isn’t a gun or a knife, it’s a custom designed software.  And don’t think that these are a bunch of 15 year olds just chatting on message boards.  As Don said, “This is a componentized, monetized series of systems designed to harvest every aspect of a person’s digital persona.  Pieces of identities are bought and sold every day on the Internet”.

The bad guys are shockingly organized.  Different criminals use their specialized talents to develop parts of an attack.  Someone develops the exploits, someone else packages them into distributable malware, someone else runs a botnet that they push the malware to, and then along comes someone who buys or rents the whole thing.  And, get this, these guys offer guarantees – like “we guarantee this malware you paid us to write can’t be found,” or “we guarantee you’ll get 500 identities or your money back.”  They also offer tech support to their customers. (I wonder if they outsource their tech support to some guys who follow a flow-chart in India. My guess is that they don’t.) Which makes me wonder if the criminals can get better tech support than we can from security vendors such as Symantec, McAfee, and Trend Micro.

The conversation got kind of scary when I asked Don who is winning. He really didn’t hesitate to say, “I think the bad guys are winning.”  His rationale was that it is getting easier and easier to steal your identity, and harder and harder for you to protect it.  The bad guys get a one-stop shop.  You get a hodgepodge of security products, such as a network firewall and anti-malware software to run on your computer.

I asked Don what new threats we’re seeing and his answer was pretty interesting.  Basically, if there’s a way that you’re sharing information, there is someone figuring out how to steal it.  For example, everyone’s phone now has built-in GPS.  It’s possible to install spyware on a smartphone that taps into the GPS and relays your location to a criminal.  Now they don’t even have to “case the joint” to find out when you leave your home or business unattended because your phone tells them.

What can you do to protect yourself?  Put up a wall of suspicion online, or as Don says, “there is no true trust online.” Use the security measures that are available to you and be aware that every bit of information about you, as innocuous as it may seem, is but a piece of the puzzle.  When criminals get enough pieces you’ll lose your identity.

I love my kid. She loves to play, loves to laugh, genuinely cares about the well-being of others, and is polite to a fault. This is why I get a little upset when I see other kids overlook all these incredible qualities about her, and look at her as a target. They insult her. They pick on her. My child’s pleas to “stop” fall on deaf ears. I stepped in the middle of such a situation (because if they won’t listen to her, they might listen to the grown-up), and was shocked at what I discovered. While these backyard bullies immediately went silent, their parents merely shrugged and said “Well, kids are just being kids. They can work it out amongst themselves.”

Turning the blind eye. This is how bullying starts. And now, technology has made bullying easier, more anonymous, and accessible to a global audience.

In the wake of Tyler Clementi, the 18-year old Rutgers University freshman who committed suicide after being bullied across several social networks, cyberbullying continues to dominate the headlines, talk show circuits, and blogs; and alongside Clementi are other incidents like Asher Brown in Texas and Phoebe Prince in Massachusetts. With these cases from 2010 alone, State and Federal governments are now considering laws that will directly address cyberbullying with harsher penalties. The true tragedy of cyberbullying is, though, that it has been in our online communities for years, appearing in a variety of forms: Harassment, physical threats, intimidation, and unwarranted confrontation all carried out through email, websites, and social media. Perhaps a reason cyberbullying has not been seriously scrutinized until recently is the cyber aspect of the crime. As it is happening online, it’s not “really” happening. At least, not in the real world. It’s limited to the Internet. You don’t like what someone is posting? Just turn them off. You can do that on the Internet.

Smartphones, WiFi, and the ability to share media quickly and easily online, however, have made it harder for people to just “turn off” online aggression. Communications now come to you on your computer, your phone, and even your gaming system; and these messages can be easily distributed to others and even go viral.

Perhaps the most infamous of cyberbullying cases comes from 2003 when Star Wars fan Ghyslian Raza appeared on YouTube wielding a golf ball retriever as the two-edged lightsaber seen in Episode I: The Phantom Menace. As of 2010, this video (uploaded by students that regarded their cyberbullying as a harmless prank) has been viewed  more than 18 million times, just on YouTube. Another resource claims that from the spinoffs and other online video sharing servers, Raza’s video has been seen a total of 900 million times.

Raza was dubbed “The Star Wars Kid” and proceeded to appear in numerous parodies of the original video, ranging from outright spoofs on shows like South Park, Arrested Development, and The Colbert Report, to the jumbotron programming at the San Francisco Giants ballpark. This endless ridicule (that, I admit, I chuckled at, in the beginning…) drove Raza to drop out of high school and seek psychiatric counseling.

Cyberbullying, along with various technological avenues, also utilizes identity theft as one of its tools.  As reported on this blog, truly brazen, uninhibited individuals will go on to online forums under their mark’s credentials, and leave abusive or lewd comments, turning its contributors against him or her. In more lascivious settings, the cyberbully will leave a phone number or address with an inflammatory post, essentially driving unwanted traffic off the Internet and right to their victim’s doorstep. This kind of online impersonation can lead to cases of stalking, assault, harassment, or far worse.

Confronting such people, be they online or in the real world, is a part of life’s experiences; but this does not mean you cannot take precautions. There are strategies you can implement to help deal with cyberbullying:

Keep your child’s computer in a visible, open space in your home. This may seem to be an invasion of their privacy, but this is no different from asking your child “who’s house are you going to, have I met this boy’s/girl’s parents…” or asking your teen “who are you going out with tonight, where you are going, what time are you coming home…” Monitoring what websites your child visits, and applying security settings on browsers and operating systems is basic parenting.

Keep communication lines open with your children. I know in many cases this is far easier said than done; but by making sure your kids know they can come to you when harassment occurs, you will be kept in the loop on exactly what is happening in your kids’ lives. Remind your child of what makes them unique and that cyberbullies, in many cases, are usually working through their own insecurities. (This was a tough truth to come to grips with when I was bullied, but in retrospect it makes a lot of sense to me now.) While that may smack of Pollyannaism, the truth is that we all have something about us that is unique, and a reminder of that quality—especially from a parent—does abate a bully’s sting.

Find strength in numbers. From my own personal experiences (one cyberbullying incident as recent as two years ago), I found strength in the circle of friends I kept. It can be your best friend or a group of friends, but find solace in their companionship. For me, that was always a great help.

Have your kids consider consequences, even in private. Quite often, especially in social media, photos and videos are taken in moments that, maybe, shouldn’t be shared with the public. Do your kids appreciate that? As with what is said in Facebook updates and tweets, kids should consider carefully what they say or do in public, and regard their behavior as if it public and being recorded for posterity or shared with the world. “Being online” is not the same as “being in the privacy of your own home.”

Impress upon your child the importance of identity protection. Online impersonation can be easily avoided if your children learn to respect their identity’s worth. Teach your children not use the same passwords from account to account as that opens them up for additional problems if a cyberbully gets hold of that “All Access” pass. Discourage nonchalantly loaning out passwords to friends who might need to log on to a favorite network or forum “just take care of something.” User Identification (UID) is another form of PII, and should be regarded with the same care and importance.

Keep a print record of the harassment. Many websites will recommend to block or delete harassing messages, which is easy to do; but if the bullying continues or escalates to physical threats, a physical paper trail of harassing emails, Facebook messages, and now (with many smartphones) SMS messages provides hard evidence. If messages appear to be coming from an anonymous source, contact your Internet Service Provider for assistance in tracking the email’s IP address and exposing the cyberbully to their parents or to law enforcement.

Have your kids take a “Zero Tolerance” stance against cyberbullying. This is, perhaps, the toughest thing to ask of your kids as the desire to “fit in” and peer pressure hasn’t changed all that much from the time that I, or my parents, went to school. The intent you should be pushing on your child is that cyberbullying is wrong, that “just because it happens online doesn’t mean it’s no big deal.” Impress upon them that on the other end of the computer is a person, and that insults can hurt online just as much as in person. Not only should your child not bully online, neither should his/her friends. If they do, then suggest your child put some distance between those friends; or, to really get the message across, befriend and defend the person being bullied. If we want to stop bullying of any kind, taking away the power from those who bully is the Number One priority. If the bully loses interest in the mark, then they lose their power.

This will be the hardest act for your child to carry out. It will also be the bravest.

Be careful whom you pick on. I have a few stories I could tell, ranging from my own to friends of mine that rose above the bullying; but when it comes to stepping up to the cyberbullies and coming into his own, look no further than the Star Wars Kid himself, Ghyslain Raza, as the blog Geekosystem reports:

“After eight years of laughs at his expense – and a few campaigns in his defense – Ghyslain is back. Now in his early 20s, he’s reemerged as the president of the Patrimoine Trois-Rivières, a conservation society that aims to preserve the cultural heritage of his hometown of Trois-Rivières.

Revenge of the Sith this isn’t, but he’s putting his litigious experience to some use, getting his law degree at McGill University in Montreal.”

Not bad for someone who faced cyberbullying on an epic scale.

All this advice we can take to heart and apply, but along with getting our kids to adopt a “Zero Tolerance,” we as parents and as mature adults also must adopt such a policy. When kids resort to cyberbullying, they become predators. They prey on another’s resolve and exterior, and continue to push until something gives. Cyberbullying is not “kids being kids online.” It is harassment fueled by ignorance, hate, insecurity, and malicious intent; and enabled by technology. Hard to police, yes; but this does not mean we, as individuals and as parents, are helpless.

This is where bullying stops. With all of us.

Law enforcement in the United Kingdom just announced they have nabbed an identity theft gang that stole millions from British banks.

The Brits proudly announced the capture of nineteen members of a cyber gang that had used the now widely available Zeus Trojan to steal nearly $10 million from British banks. And get this – they netted that massive haul in just 12 weeks.

If you’re not familiar with Zeus, this is a piece of malware known as a banking Trojan that has ripped through financial institutions across the world over the last two years, bypassing even the most sophisticated bank security and ripping off possibly billions of dollars from banks, businesses, and individual customers.

It works by sneaking on to unprotected computers, taking over those computers by taking control of security like anti-virus software, and then raiding the victims’ bank accounts posing as the legitimate user.

One police officer interviewed after the arrests suggested that the total haul of the gang could be in the billions of dollars. And as if to keep up with changes in banking, security researchers also recently confirmed that Zeus had graduated from computers and was now targeting mobile phones – obviously in an attempt to take advantage of the dramatic switch to the use of smart phones for mobile banking.

Lessons learned?

• Never let your guard down against malware, or assume that good anti-virus software is all you need. Malware like Zeus are far too clever to be defeated by basic security.
• Keep Zeus off your computer by keeping your computer constantly patched and being very careful where you surf and what you download.

RELATED STORY: Police arrest 19 Zeus online fraud suspects

http://www.zdnet.co.uk/news/security-threats/2010/09/29/police-arrest-19-zeus-online-fraud-suspects-40090331/?tag=mncol;txt

I realize I am dating myself, but when I started banking, as a teen, Automatic Teller Machines (a/k/a “ATMs”) were the latest and greatest, high tech banking contraption. Using an ATM card was far more convenient than writing a check to “Cash”, as long as you kept the receipt and remembered to record the withdrawal in your check register.

ATM cards were not as yet accepted by merchants. If you are younger than 30 and reading this, you may not know that the “old fashioned” ATM card was not partnered with VISA or MasterCard, and always had to be used with a PIN number at a bank branch.

As long as you didn’t tell anyone your PIN number or create a PIN that was easy for someone to figure out, it would be difficult for someone to use your card if for some reason they were able to get a hold of it.

Then merchants began accepting ATM cards, and later partnered with Visa and/or MasterCard, which added the benefit of allowing you to use your ATM card anywhere Visa or MasterCard were accepted. With each advance in the banking industry it provided the bad guys with more and more ways to exploit the system and steal from you.

The advent of Skimming, the use of a device that electronically retains the information off the magnetic strip of your ATM or credit card, is one such exploit. When a card is skimmed, your data is reprogrammed onto a counterfeit credit card. If your revolving credit card—that which collects interest and is paid month to month—were “skimmed”, assuming you check your bills and caught it within the mandatory reporting period, at least the issuing bank would not hold you responsible for the charges and you would not accumulate interest while they conducted their investigation. These charges, regardless of the nature of the reported fraud, are not refunded immediately as the issuing bank or merchant must still conduct an investigation to make sure you have not filed a false claim.

Your revolving credit card also used to require a real pen with a real ink to sign your name, and touching the receipt, which was then retained by the merchant (otherwise known to Law Enforcement as a “potential lead”). Now, many merchants have electronic signature pads, and do not required  and/or are discouraged from asking for identification. Some even require no signature at all for purchases under a maximum dollar amount.

Now let’s look at worst case scenario. Your credit or debit card is skimmed and the information from the magnetic strip, which is directly linked to your checking account, is reprogrammed onto a counterfeit card. The suspect can now use that card anywhere Visa or MasterCard is accepted and drain your account and any account that is set up for overdraft protection, savings, home equity, other credit card, and so on. By the time you figure it out all your money is gone and your outstanding checks are bouncing.

Sure, your bank will eventually give your money back, but often not before they have conducted their investigation and you have helped prove that none of the charges are yours.

So what should you do?

• Inspect ATMs carefully and make sure there are no external devices attached to the machine. If it doesn’t look right, don’t risk it. If you need to withdrawal cash, you are far safer using an ATM at a bank than a standalone machine within a random business, as they are much easier to compromise.
• If you don’t count on the convenience of the Credit or Debit card, only carry an ATM card, which requires a PIN number that only YOU know, and/or a regular revolving credit card which offers you the protection of not having your bank account drained.
• If you must have the Credit or Debit card, as I do, never let it out of your sight. If a merchant must physically handle your card, do not let them walk away with it. Yes, that means you cannot use it at restaurants where they walk away with your card to process the transaction. Restaurants are the most common location where cards are skimmed. If you don’t typically carry cash, keep a revolving credit card with you for any occasion where a merchant must walk away with your card.

With all that said there is a new un-detectible skimming method called Shimming, which is nearly impossible to prevent. Shimming works by compromising a perfectly legitimate card reader (like an ATM) through a very thin flexible circuit board inserted using a “carrier card” through the card slot. This circuit board locks it into place on the internal reader contacts that reads card data. Once inserted, the shim is not visible from the outside of the machine. The shim then performs a man-in-the-middle attack between an inserted credit card and the circuit board of the ATM.

So even though you are taking the above precautions by using only ATMs at bank branches, checking the ATM for sometimes sophisticated external skimming devices, and not allowing the card to go out of your site, you can still become a victim.

It really would seem that there is no safe way to bank anymore. I am not suggesting we go back to keeping cash under our mattresses, but you must check your accounts regularly, know your bank’s fraud policies and liability limits, and report any inconsistencies immediately, so that you have the best chance of getting your money back.

A couple of months ago I started helping an eighty-year-old woman who lost nearly $200,000 to a couple of identity thieves who turned out to be her kids.

She lives in one of California’s largest cities (1 million+ residents) and was worried that her case might simply fall through the cracks and leave her helpless. She was right.

I asked her if she had filed a police report, and she said she tried. She filed a complaint and was told that a police report would be mailed to her. Two months later she still had not received a copy of her police report and can do little to defend herself.

When I contacted the police department, I was directed to an investigating officer whose voicemail box was always full and could not accept any new messages. I contacted the District Attorney’s elder abuse divi