Archive for August, 2013

The New York Times and Twitter are the latest victims of the hacking group Syrian Electronic Army. The newspaper's and social media's websites were hacked Aug. 27 and had their domain names edited by the cybercriminals, . The Syrian Army, which supports Syrian president Bashar al-Assad, has taken responsibility for the most severe attack taken by the group.

The Times' website crashed around 3 p.m. Eastern on Aug. 27, . As of the morning of Aug. 28, The New York Times spokesperson Eileen Murphy said the website was close to being fully restored.

"If someone is still having trouble accessing the site, it is most likely the result of their Internet service provider not having yet restored the proper domain name system (DNS) records," she said.

SEA got access to The Times and Twitter through Melbourne IT, a company based in Australia that specializes in domain name registration. Melbourne IT is the vendor for The Times domain name.

The SEA focused their efforts on editing the Times' and Twitter's domain name system, or DNS, information, which is used to direct web traffic to a specific server. The hackers changed the DNC details so Internet users trying to access NYtimes.com would be routed to a website hosted by the SEA, BBC reported.

Before The New York Times' website was restored, The Times was forced to send their news through another website: News.nytco.com, USA Today reported. Marc Frons, chief information officer for The New York Times Co. warned Times employees to be careful with sending email communications this week due to the data privacy and security risks.

SEA targeted Twitter's twimg.com website, which is a separate domain on which the social media network stores image data and styling code. The attack disrupted the site and caused many Twitter pages to display incorrectly, BBC reported.

The SEA posted this Tweet: "Hi @Twitter," the group said in one tweet, "look at your domain, its owned by #SEA :)" to announce it had hacked the website.

Melbourne IT responded to the hacking attack, BBC reported.

"We are currently reviewing our logs to see if we can obtain information on the identity of the party that has used the reseller credentials, and we will share this information with the reseller and any relevant law enforcement bodies," the company said.

Previous SEA Attacks
The SEA has also hacked The Washington Post's website, as well as those of CNN and Time, earlier this month, USA Today reported. In those events, the SEA accessed the Internet service of Outbrain, a content recommendation company whose software widget is embedded into the news sources' websites.

Matt Cullina is chief executive officer of IDentity Theft 911.

Sisyphus
By Neal O’Farrell

We can claim to be winning a few battles here and there. ACH fraud does appear to be down, as does check fraud. But a handful of successful skirmishes doesn’t win a war. After more than a decade of growing consumer awareness, a barrage of new laws and regulations, and impressive advancements in security, the bad guys still appear to be gaining ground.

The most recent study from Javelin Research seems to support this, concluding that more than 12 million Americans fell victim to identity theft in 2012 – one of the worst years on record. And it’s important to put that in perspective. If you compare the number of identity theft victims to reports of other crimes, that means there are more victims of identity theft than there are reported burglaries, attempted burglaries, auto thefts, arsons, purse snatchings, pick pocketing, and shoplifting – combined.

Of course, it’s easy to win when the other side just walks off the field. I’ve identified a dozen compelling reasons why after so much progress in the fight against identity theft, that fight is still steeply uphill.
(more…)

Credit card skimming devices are becoming more popular around the United States and causing a growing number of Americans to have their personal identity stolen by thieves who install these small devices at gas station pumps.

Credit card skimmers are installed on pumps so when a customer swipes their card, their account info is copied from the magnetic strip on the back, . If a person is using a debit card, their PIN is also copied by these devices. The identity thieves then create counterfeit cards using this information to withdraw cash from ATMs or to make purchases.

Many gas pumps can be opened with a master key and criminals are getting their hands on duplicates of these keys to access the inside of the pump and install the skimming device. It is also becoming more popular for criminals to use wireless internal skimmers that send card data to them through a Bluetooth device, which eliminates the need for the criminal to return to the pump to retrieve the skimmer and stolen information stored on it, the Consumer Reports article stated.

"They just need to be within 30 feet of the skimmer, so one guy can go in to buy a Slurpee and distract the clerk while his partner sits in their car near the pumps downloading all of the stolen card data," Al Pascual, senior analyst of security risk and fraud at Javelin Strategy & Research, told Consumer Reports.

Hard to Detect
As skimming becomes more common, the technology criminals are using is becoming more advanced. The skimming devices are now harder for law enforcement to find, the . In southern California, criminals are making devices from just $50 worth of electronics and installing them at gas stations. Criminals target this area because they believe the people visiting gas stations have a higher income and because the stations are generally empty after 10 p.m., which makes it easier to open the pump and install a skimming device, the article stated.

Sgt. Scott Spalding of the Orange County Sheriff's Department's economic and computer crimes detail told the OC Register that skimming in southern California is a "sophisticated system."

Avoiding Becoming a Victim
Consumer Reports offered some identity theft tips to avoid becoming a victim of skimming at the gas station. Instead of using a credit or debit card, use cash to pay for gas, the source said. If you must use a card, use a credit instead of a debit card, and if you have to use a debit card, never enter your PIN. There should instead be an option that allows you to use a debit card as a credit card.

Raul Vargas is a fraud operations team leader at IDentity Theft 911.

The National Security Agency made the news this week after more details on its surveillance activities were reported. Consumers were also warned this week about the prevalence of malware on Android devices, and senior citizens were told about the dangers of medical identity theft. As data threats become more serious, it was also reported this week that companies are investing in cyber insurance to protect against the financial loss that comes with a data breach.

NSA's Surveillance
NSA has the ability to see about 75 percent of all U.S. Internet traffic, including the written content of emails sent between U.S. citizens, this week. However, an October 2011 judgment from the Foreign Intelligence Surveillance court was just declassified this week, making it open to the public. The court ruled that some of the NSA's surveillance activities were unconstitutional and the agency responded by paying million of dollars to internet companies like Google and Yahoo that were involved in the Prism program and incurred costs to meet the certification demands of the court, .

Malware on Androids
A new report by McAfee shows that 17,000 new Android malware species and 320,000 new samples of ransomware were found in the second quarter of 2013. The amount of ransomware found is more than double than what was detected in the first three months of the year, . Ransomware works by holding a computer or other device hostage and forces the owner to pay a fee to free it, . "Not only do criminals make relatively safe money from this scheme, they often do not remove their malware – leaving the poor victim's system as dead as before," the report stated.

Seniors At Risk
A Medicare card may put seniors at a greater risk of identity theft, this week. A Medicare number is the same as a person's Social Security number, and using a Medicare account to fill prescriptions, file a claim or even get medical treatment exposes them to a greater chance of that information getting into the wrong hands, the source said. Medical identity theft can not only cause a financial burden to the victim, but if an ID thief uses a stolen identity to get medical treatment or drugs, it can mess with a person's medical record. "It's a medical harm as well as a financial harm," said Lisa Schifferle, an attorney with the Federal Trade Commission's division of privacy and identity protection.

Cyber Insurance on the Rise
Companies are becoming more aware of the financial loss that comes with a data breach, and many more organization are responding by investing in cyber insurance, . A number of surveys showing the growing popularity of cyber insurance are proving this trend, according to the source. On average, companies that experience one or more cyberattack face a financial loss of $9.4 million.

Matt Cullina is chief executive officer of IDentity Theft 911.

Upright citizens know it is their duty to report to jury service. However, scammers are taking advantage of this sense of civic responsibility in a new trend of identity theft schemes. U.S. District Judge David Herndon in Illinois is cautioning residents after there were reports of calls that seemingly come from local courthouses or law enforcement agencies notifying them of missed jury duty assignments, .

Criminals are calling residents, claiming they missed jury duty and are subject to a fine before attempting to collect their personal information. To perpetuate this telephone scam, criminals are using sophisticated methods to assume the identity of court or law enforcement officials using what is called caller ID spoofing. This technology allows scammers on the other line to modify their voice and even recreate the background noise that could be heard at a police station to fool residents, .

Not only do these criminals try to collect payment for fake fines, they also make an effort to obtain personal and financial data from their victims, including Social Security and credit card numbers. As a scammer tries to extract pieces of useful information from the first instance of contact, they can record the conversation to play it back and reiterate it during a second call to make their scheme more convincing. Those targeted by identity thieves for this particular jury duty scam tend to be older because they are more trusting and responsive to calls of civic duty.

Scammers can obtain caller information gleaned from business documents that were not shredded completely or online from social networks or professional websites. They even resort to finding and contacting victims' friends or family to pressure them into paying.

Tips for Responding to Phone Scams
In case citizens do run into this particular scam, avoid giving scammers any information. Herndon said federal courts do not collect sensitive information via phone calls. Legitimate organizations will leave a paper trail. Request that you receive the notice in writing. If they ask for your address, tell them that they should have it on record since they were the ones that sent the jury summons – or whatever the issue is – and called you.

The payment methods asked for paying a fake fine should also be a red flag. Scammers tend to use payment channels like Western Union, MoneyPak and similar prepaid cards because they are untraceable once money is sent. 

As soon as you're off the phone call, do a quick Google search to find out the number of the institution that is supposedly calling you. Call the organization, explain the situation and ask if they are, in fact, trying to contact you for any particular reason.

Eduard Goodman is chief privacy officer at IDentity Theft 911.

Kardashian

Celebrities do lots of things we do. They take their kids to the beach. They nosh on pizza. And, they fall victim to identity theft.

A Florida woman and her son were recently arrested for accessing the personal information of celebrities such as Kim Kardashian, Ashton Kutcher and Paris Hilton, according to . They used the information to steal the celebrities’ money and credit cards.

The duo—Kyah Green, 41, and Luis Flores, 19—had in their apartment tens of thousands of dollars in wire transfers and a flash drive of information on First Lady Michelle Obama, Vice President Joseph R. Biden, Bill Gates, Beyoncé Knowles and Tom Cruise, the U.S. Secret Service reported. The information had been published online by computer hackers.

The crime raises questions about the challenges to protecting personal information. If some of the most protected people in the country can fall victim to identity theft, how does that bode for the rest of us?

(more…)

After a series of high-profile reports, it is widely known that the National Security Agency regularly monitors phone records as part of its surveillance program – and email messages might be next. With the ability to derive information that can trace messages back to their users – including their geographical location and the time the message was sent – email content and its associated metadata are prime targets for government surveillance, hacking and other malicious Internet activity.

In the past, email encryption provided by companies like Lavabit and Silent Circle have allowed their users to send private messages that are difficult to decrypt. Recently, both have discontinued their services in order to protect user information rather than hand it over to the government in the event of federal information requests, . Email is harder to protect compared to text messages and voice calls because it is dependent on Internet protocols, which can result in recorded user information.

"Email as it is standardized, is intrinsically insecure," said Jon Callas, co-founder and chief technology officer of Silent Circle, to . "IP address geo-location has turned from a fantasy to a fine art. So, in every email you have a timestamp and an IP address that places the author in the exact space and time they were when they hit send."

Tips to Increases Email Security
While Lavabit and Silent Circle have shut down their services, another company called Hushmail said it intends to continue its protected email service. Using an encrypted email service adds another layer of security by making messages seem like gibberish if someone is monitoring another user's Internet activity. A service like Hushmail helps prevent data breaches caused by hackers by requiring a passphrase to decrypt messages before being able to read emails. Hushmail also allows users to include private email attachments and even access their inbox securely on Android, iPhone and BlackBerry devices.

Create Strong Passwords
As a first line of defense, users should choose passwords that are difficult for others to crack. Passwords that are considered weak use common words or phrases are vulnerable to hacking. Do not include passwords that include birth dates, phone numbers or street addresses, .

Create strong passwords using 14 characters or more that are easy-to-remember phrases instead of strings of numbers like 1111 that are simple to guess. Use unique passwords for different sites to make it difficult for hackers to access other accounts if one is compromised. Keep passwords in a safe place. Do not store passwords in a hard drive that can be stolen or misplaced.

Eduard Goodman is chief privacy officer at IDentity Theft 911.

This week in news found federal organizations and businesses working together to strengthen privacy protection for children with Apple recently revising its app rules. SC Magazine reported on the illegal access of a database for defense contractor Northrop Grumman containing linguists' information and government-issued ID numbers. The NSA makes headlines again after an internal audit shows the agency broke privacy rules thousands of times while monitoring Americans and green-card holders. To better focus on IT security, the Federal CIO Council restructured its organization to streamline operations.

Apple Updates App Rules to Comply with COPPA
In July, the Children's Online Privacy Protection Act (COPPA) was revised to limit the collection of data from users younger than 13. To comply with the updated rules, Apple introduced new guidelines in its App Store, Information Week reported. These require that apps intended for children must come with a privacy policy and must be made for children ages 5 to 11, who have to acquire parental consent before engaging in online purchasing. In order to limit behavioral targeting and marketing to under-aged users, app developers are now only allowed to ask for user ages to confirm that their use follows the new COPPA rules. Developers are also prohibited from sharing personal information such as location data.

Defense Contractor Database Hacked
The database for the linguist program of defense contractor Northrop Grumman was recently hacked, SC Magazine reported. Thousands of the defense contractor's employees are linguists, but the number of users who had their information affected by the data breach was undetermined. An undetermined party gained illegal access to the database from November 2012 until May 2013. Once the breach was discovered, the database was shut down. Information that may have been compromised include blood types and identification numbers given by the government. Identity protection services were given to victims for free and Northrop Grumman is currently performing measures to prevent other data breach occurrences.

Internal Audit Reveals NSA As Frequent Privacy Rule Breaker
An internal audit in May 2012 showed that the National Security Agency frequently violated privacy rules, CNN reported. Former NSA worker Edward Snowden gave the report to the Washington Post, revealing the agency illegally collected, stored and accessed data from protected communications 2,776 times since 2008. The NSA was reported to have broken a court order and accessed data from 3,000 Americans and green-card holders.

"I … will continue to demand honest and forthright answers from the intelligence community," said Sen. Patrick Leahy (D-Vt.), chair of the Senate Judiciary Committee. "I remain concerned that we are still not getting straightforward answers from the NSA."

Federal CIO Council Restructures to Focus on Security
The Federal CIO Council is streamlining its committee structure and plans to focus more on IT security, Gov Info Security reported. The council is shrinking down the number of committees from six to three that concentrate on information security and identity management, portfolio management and innovation. The council aims to provide more accountability while strengthening privacy and accessibility.

"Under the new structure, the CIO Council will become more agile in its approach to supporting key administration priorities and will continue to develop valuable tools, resources and data for federal CIOs and their staffs," a CIO blog said.

Matt Cullina is chief executive officer of IDentity Theft 911.

Every day, people take pictures on their smartphones and immediately post them to social media sites like Facebook and Twitter. But they may not realize the images are geotagged to include location.

"The information is great for recording the location in which the photo was taken, which can then be used to sort photographs later – that's how I and most people use it and that's what it was originally designed for," Larry Pesce, senior security consultant with NWN Corporation in Waltham, Mass., . "However, there are a few security issues, mostly related in how the stored location information is used. I think the majority of people have no idea that the location of their images is being tagged. The big issue here is being aware of what exactly you are posting."

A 2010 news story on geotagging has gained renewed popularity in light of the NSA leaks. Kansas City NBC affiliate KSHB reported that people can use add-on data included in posted pictures to determine the exact location of the photographer. In one example, a mother took a picture of her daughter in their home, and the news source was able to find the location of that home along with the daycare, a restaurant and park the child visits based on picture information.

Yet, for the most part, this troubling information regarding mobile data security was ignored, the . The recently revealed information of how the government is using cellphone data to track Americans has brought new attention to the issue of geotagging. The KSHB report from nearly three years ago became one of the top trending online videos this week.

Turning Off Location Data
The video showed viewers how to turn off this geotagging feature on their iPhone, which would enable users to continue to take pictures and post them online – just not reveal their exact location by doing so. Turning off the general "Location settings" button, will actually deactivate any map tool on your phone, KSHB reported. However, if you specifically turn the "camera" setting to off under "Location settings," this will disable the GPS feature for the pictures you take, meaning the location won't be posted online where it could end up in the wrong hands.

Those with a Windows 8 phone will find that their device automatically attaches the exact longitude and latitude of the place a picture was taken, . To avoid people using this information for the wrong reason – say, for a criminal to determine where you live – a user should go to the photos and camera settings on their phone and make sure the "Include location info in pictures I take" option is not checked. This will prevent location data from being reported in pictures you take on your phone. Other phones should have similar options under their settings.

Matt Cullina is chief executive officer of IDentity Theft 911.

Hurricanes, wildfires and other natural disasters can not only wreak havoc on homes and infrastructure, they can expose victims to identity theft. Identity thieves see disasters as an opportunity to steal personal information from victims.

Important documents, credit and debit cards and other sensitive data can be washed away when a home is hit by a hurricane, putting this information at risk of landing in the hands of a criminal. In the event of a wildfire, too, when families may be forced to abandon their home, there are things you can do to prepare for natural disasters and protect your personal information from being exposed in such an event.

Hurricanes
The National Oceanic and Atmospheric Administration predicts between six and nine hurricanes this season, with as many of five becoming major storms and winds stronger than 110 mph. NOAA also says there is a 70 percent chance this 2013 hurricane season will be busier than normal, .

As we reach the peak of hurricane season, Americans will want to take several steps to make sure they protect against identity theft if they are hit by a storm.

Originals of important documents should be stored outside the home in a secure place, like a security deposit box at a bank. Copies can go in a portable lock box if you and your family are forced to evacuate your home quickly, Inside should be copies of IDs, passports, and medical and insurance information, along with Social Security cards and any other important legal documents.

Backing up computer files on a portable hard drive or in a cloud server is also a smart idea. These services are typically easy to use and affordable.

Wildfires
Wildfire season in the United States is also worse than normal. In California alone, 43 percent more wildfires have hit the state this year than last, damaging twice as many acres as in 2012, .

Like with hurricane preparation, families should have an ID theft protection plan in place should they be forced to their homes as wildfires spread, which includes storing important documents in a safe place. Among other smart identity theft tips is asking the U.S. Postal Service to hold off delivering mail to your home for a time being to avoid having your mailbox full with personal information that ID thieves can get ahold of.

After any natural disaster, Americans should be wary of anyone contacting them saying they are a company that has lost their personal data. Criminals will target their phishing scams to devastated areas and victims after a disaster. Scammers may also pretend to be a charity asking for donations for restoration work following a disaster. Make sure to research the charity before giving away money or personal information.

Raul Vargas is a fraud operations team leader at IDentity Theft 911.