Two days ago, the Federal Bureau of Investigation, the Financial Services Information Sharing and Analysis Center, and the Internet Crime Complaint Center jointly issued a Fraud Alert to financial institutions warning them of alarming trends in unauthorized wire transfers overseas in amounts ranging from $400,000 to $900,000. The Fraud Alert explains that after targeting financial institution employees with spam and phishing e-mails, the cyber criminals installed keystroke loggers and Remote Access Trojans to be able to completely access internal networks and logins to third party systems. In other cases, the cyber criminals stole employee and administrative credentials allowing them to avoid verification methods used by the financial institutions to prevent fraudulent activity.

This enabled them to peruse through multiple accounts, selecting those accounts with the highest balances to conduct wire transfers from. According to the Fraud Alert, the cyber criminals were able to “handle all aspects of a wire transaction, including the approval… obtain account transaction histories, modify or learn institution specific wire transfer settings, and read manuals providing information and training on the use of US payment systems.” The Fraud Alert theorized that the cyber criminals used distributed denial of service (DDOS) attacks against the financial institutions’ public websites as a distraction to keep them occupied and distracted while fraudulent wire transfers were being conducted.

Yesterday, the Financial Services Information Sharing and Analysis Center raised their Current Financial Services Sector Cyber Threat Advisory from “elevated” to “high,” leaving the Physical Threat Advisory at “elevated.” Soon after, Reuters reported, “the consumer banking website of JPMorgan Chase & Co was intermittently unavailable to some customers. The problems followed issues with the website of Bank of America Corp on Tuesday amid threats on the Internet that a group was planning to launch cyber attacks on a U.S. bank.”

This incident occurs amid the heated debate in Washington over how to bolster the cybersecurity in the United States and reminds us just how important cybersecurity is in this new digital age. We must consider as a nation, the impact cyber attacks from criminals, terrorists, or other countries can have on us as a whole. Imagine what could happen next time financial institutions were attacked if the main goal was not to steal millions of dollars but to take the whole banking system down? In order to improve, there has to be change on a national level. The challenge now facing us is how best to balance the competing interests of privacy protection, avoiding over-regulation, and providing room for effective individual cybersecurity protocols.

Senator McCain’s SECURE IT Act has yet to reach the Senate floor, but will likely face intense scrutiny over the potential lack of government regulation and concern over privacy protections. Even modest improvements to our national security picture will require that we put aside the contentiousness and work together in earnest. Unfortunately, it seems that Congress may not be up to that task and President Obama might have to resort to issuing an Executive Order. This action, by its nature, will create more strife and disagreement in an already gridlocked Congress.

“Banks Warned of Heightened Cyber Threat by FBI” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

A report released by Norton (Symantec), a leader in cybersecurity that develops antivirus, anti-malware, and other related products and software, demonstrates just how pervasive cybercrime is in today’s digital age. The report was the final product of 19,636 interviews of adults, parents, children, and teachers from 24 developed and emerging countries.

cybercrimeThe report confirms that cybercrimes are becoming more common than normal “offline” crimes. This may be due to the fact that cybercriminals are very difficult to find, even as they continue to commit more criminal acts. Norton found that there are approximately 1,000,000 cybercrime victims every single day of the year. This amounts to a cost to society in the amount of $388,000,000,000 ($388 Billion) in just 2011. Of that amount, $114 billion accounts for money actually stolen or money spent to resolve cybercrimes. The remaining $274 billion of that money is in the form of time and costs to victims dealing with cybercrimes. To give a better idea of the staggering size of cybercrime’s financial costs, Norton compares the $388 billion cybercrime cost to the global black market of marijuana, cocaine, and heroin combined at $288 billion. In fact, the sum of all global drug trafficking is valued at $411 billion, only $23 billion more than cybercrime costs.

Unfortunately, the spread of cybercrime is unlikely to slow down as the number of people using the Internet, computers, and especially mobile devices increases. Of those surveyed, 69% of all adults have been a victim of cybercrime, and of those, 65% were victims in 2011 alone. The report shows that the more time one spends online, the more likely they are to become a victim of cybercrime. This is supported by their results which show that 75% of “millennials” (aged 18-31) have been victimized at some point compared to only 61% from the boomer generation. Usage of mobile devices to peruse the Internet is widespread and growing, with 44% of mobile device owners using their device to surf the Internet, and nearly 60% of millennials doing the same.

Even more disturbing is that the spread of cybercrime to these mobile users is just beginning. In 2011, 10% of all mobile device users online had fallen victim to cybercrime. Considering that the number of mobile users surfing the Internet is already large, and that the number will certainly go up as time goes on, it is safe to assume that mobile device related cybercrime is inevitably going to increase. In this society, even a minor increase in percentage of victimized users, will be a very large number of individuals affected.

Despite the staggering number of cybercrimes being committed on a yearly basis, the public perception of these crimes continues to underestimate how severe and common they are. Of the people interviewed, 44% had been a victim of cybercrime in the last year while only 15% had been a victim of some form of offline crime. That mean that cybercrime is nearly three times more common than “off-line” crimes. The perception problem is that, of the people surveyed, only 31% thought that they were more likely to become a victim of cybercrime than offline crime.

This misconception helps explain why 40% of adults surveyed did not have an up to date security suite to protect their personal data. Not only are consumers not adequately protecting themselves online, but only 21% of actual victims reported the cybercrime to the police after becoming a victim. This perception that cybercrimes aren’t quite the same as offline crimes might be reinforced by the lack of avenues to get help after becoming a cybercrime victim. Of those who reported suffering both cybercrime and offline crime, 59% felt there were fewer ways to get help after the cybercrime.

It is clear from Norton’s Cybercrime Report that cybercrime is here to stay and should be considered a high priority by law enforcement and consumers who use the Internet. People must be educated about the risks associated with Internet use and encouraged to protect their personal information in this digital world. The next time you are about to log onto the Internet from your desktop or mobile device, take a moment to consider whether you have taken enough steps to protect yourself from cybercrime.

“Norton Cybercrime Report 2011: Painting a Dismal Picture” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC_Blog.

If you have scratched below the surface of the avalanche of articles on identity theft, scams, cyber-security, or related topics, you have probably run across the term “spoofing.” However, even many of us that work in the field are not very good at explaining to others what the term means, and the various ways the term might be used. So, here goes….

From www.dictionary.com:

spoof; noun

  1. a mocking imitation of someone or something, usually light and good-humored; lampoon or parody: The show was a spoof of college life.
  2. a hoax; prank.

In the context of cyber-security and related subjects, “spoofing” means providing false information in order to make the intended victim think the communications has come from either someone they know, or a business or entity that they would tend to trust. However, there are a number of types of “spoofing”, some more technical than others:

  • IP spoofing is a technique used to make a computer user think that a particular Internet IP being presented is a safe computer/server, and should be trusted. Most of us don’t directly confront this type of spoofing, and probably are unaware of how it works. Just like phone numbers, IP addresses are supposed to signal a unique address or location across the Internet, so faking an IP address can be used by criminals as a method of becoming part of a trusted network. A consumer is unlikely to be directly confronted with IP spoofing, unless they are working in a technical field.
  • Caller ID Spoofing is used to make an incoming call present a phone number that the intended victim might know or trust. However, the number appearing on the Caller ID is not the real calling number, and “spoofing” the number is used for exactly that purpose, to gain trust in a situation when none should be given. With the advent of VOIP or Internet-based phones, the ability to make an incoming call look like it was from San Diego, when the caller is in Russia, is a fact. Caller ID cannot be trusted to determine anything about the caller. Caller ID Spoofing is done quite often, and the average consumer is often in the dark as far as knowing who is really making the call. If in doubt, the best policy is to disengage from the call, then look up the company by name, and call a listed number for the company to inquire about the contact. It should be remembered that people who do business with you already have the information about you, your account number, etc. It is an entirely different situation if you call the company, and are asked for credentials before they will discuss your business with them. However, if the call is coming from them to you, they are the ones that need to prove who they are before you give them any information. Be warned!
  • Email Address Spoofing is probably the most common type of spoofing. Most of us have seen this many times on incoming email, although we may not have recognized it. All of us observe the senders name/address on incoming emails to see who the sender might be, and whether we think about it or not, we tend to give credibility to that email based upon any previous knowledge we may have of the purported sender. Spoofing the “From:” address is often done as part of a fraudulent scheme. If the “From:” address makes you think the email should be trusted, then you are much more likely to click on a link or take other action, or otherwise give some credibility to an email that is coming from a complete stranger, and possibly a thief. Many of the emails used in “Phishing” schemes will have spoofed sending addresses. In fact, a more deadly form of this attack, called “Spear Phishing” uses email addresses from someone recognized as an authority, such as a highly placed executive of your company, to make your response even more likely. You are not going to turn down a request from your Vice President are you? And, it’s a given that website links in these spoofed emails cannot be trusted: they are spoofed also, and will very rarely point your web browser to the address that the link purports to be. Altogether, it is wise for all of us to be wary of incoming email, unless we are very sure of the sender and the authenticity of the message.
  • SMS or Text Spoofing: In a similar fashion to Caller ID and email spoofing, it is also possible for a text message (SMS) to appear to be from a trusted source, while it really is from a quite different sender. In a manner similar to other types of spoofing, be very aware when a text message invites you to take actions, or strongly implies a course of action that you had not anticipated. Like other forms of spoofing, the best answer is to be suspicious and fact check, before you act.

Spoofing is a part of the world we live in now, and it is a key element of the “social engineering” used against consumers in attempts to commit fraud and identity theft. Being skeptical and checking information by other means is really the key to avoid becoming a victim.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.

These days we hear a lot about “the cloud.” There are services encouraging you to upload your data to the cloud, and you can access it from anywhere and easily share files with others. But the flip side is the fact that you’re pushing your personal information from your own computer to data centers where you no longer have control over it. If you backup your computer to an online, or cloud, backup service, how do you know your data is safe?

What Is Cloud Backup?

Let’s first define what a cloud backup provider is: a cloud (or online) backup service consists of an application that runs on your local computer which copies files to an online data center. In the event of a hard drive failure, theft, fire or flood, you can then restore (or copy) your data to your replacement drive and not lose any files.

Cloud Backup Encryption

Many files contain personal information, which should remain confidential. In order to do this, cloud backup services encrypt the data before transmitting it. Most services use at least 128-bit encryption (the same as banks use) and will transmit the data via a secure connection. To decrypt the data, your private key is required. Without it, the data is useless.

To make online backups easy for customers to use, providers typically will store the private key for you. After all, if you lose the key, you can’t get the data back. But, this means that with a court order, these providers can use your private key (which they store) and gain access to your data. To prevent this, create your own private key and either memorize it (it can be any length you’d like) or save it to another location (don’t save it to your hard drive, as if the hard drive fails & you can’t read the key file, you won’t be able to decrypt your backup set).

Cloud Backup Best Practices

Maintaining your own private key is a good step in securing your cloud backups, but the file structure is still saved in a non-encrypted format. So, if you have a filename or folder name that contains personal or confidential information (such as bank_accounts/5675196254.xls), the filename can be read and data assumed without even decrypting the file. To combat this, look for a service which not only encrypts the data, but also the filename and folder structure.

Local Backup: An Alternative

Keeping a local backup of your data is often cited as an alternative to a cloud backup solution. The argument is that it’s cheaper (buy a 1TB drive for under $100 and add $20 for some backup software) and faster (a full local backup takes a few hours, a full online backup can take weeks). However, if you choose to backup your data to an external hard drive, make sure the data is encrypted. No need to make it easy for a thief to walk into your den and snag all of your data.

When compared to local backups, the online service can be more affordable (it’s easier to pay $5 per month than it is to shell out $120 all at once) and while the initial backup is slower, subsequent backups only transfer the files that change, making them just as fast as the local option.

Summary

In the end, having an online backup with the default encryption choices is still a better bet than no backup at all. Cloud backups give you remote access to your files and protect you when your hard drive fails (all hard drives fail – it’s a matter of “when,” not “if”). Knowing the different encryption options will help you choose the best online backup service.

Eric Nagel is owner of OnlineBackupsReview.com, a site which reviews various online backup services. He’s been covering the online backup industry since 2008.

Progress in technology is occurring faster than ever before in human history. The wealth of information now at our fingertips makes things possible that were unthinkable even a few short years ago. One of these is an interesting new development in law enforcement tactics. The use of digital data, stored on sites like Facebook, or GPS tracking data harvested from your smartphone is being utilized by law enforcement to both track and convict criminals of crime. Utilizing technology as a tool for law enforcement is not a new concept, nor is its effectiveness in dispute. The use of such tactics is not without controversy however, and privacy advocates are expressing concern as to the morality and legality of using someone’s personal webpage against them.

phone

In January of this year, The U.S. Supreme Court for the first time limited police power to track people using GPS devices, setting a general standard for the privacy rights Americans should expect from a new generation of wireless electronics. From now on, law enforcement officers can expect that using GPS information to track and build evidence against a suspect will be scrutinized carefully if it is done without a warrant. Probable cause will need to be established. Essentially, the court ruled that the 4th amendment does extend to electronic surveillance of this kind. However, the divergent opinions expressed by the court leaves in doubt just exactly where the line will be drawn as to what will constitute an invasion worthy of 4th amendment protection. That line will need to be defined by future litigation, but what is already clear is that the court recognized technology’s ability to peek into our personal lives in a way that is new and unprecedented. And the court ruled that the 4th amendment in certain situations can and should provide us some protection from these intrusions.

The use of Social Media sites like Facebook and Twitter by law enforcement is also coming under scrutiny. Following the London riots of last summer, the New York Police Department formed a special unit to monitor gang activity on social media sites, and found it to be an incredibly effective tool. Criminals often post things indicating everything from gang affiliation, to evidence of the commission of a crime. The FBI too, has adopted similar tactics, with similar success. This notable success in preventing crime has been both cheered as groundbreaking, and criticized as an improper invasion of privacy. It’s hard to argue that a criminal boasting of committing crimes on social media pages has much expectation of privacy, but what is unclear up to this point is just how police go about getting information from social media, and what the standard of conduct is or should be related to viewing and extracting information from a potentially personal webpage.

What is clear is that as technology grows ever more advanced, the balancing act between increased connectivity and expectation of privacy will be ever more difficult.

“Phone and Social Media Tech Now Being Utilized by Police: Effective New Tool in the Fight Against Crime, or Invasion of Personal Privacy?” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the ITRC Blog.

I am one angry lady right now. My name is Nikki and I am the Social Media Coordinator here at the Identity Theft Resource Center. Something just happened to me that I had read about, but like everyone else had decided it would not happen to me. Yes…my Pinterest was hacked. For those of you who don’t know what Pinterest is, it is a social networking site where you can “pin” pictures to your “boards” so that you may go back later and find them. It is a visual social bookmarking site if you will. While I am not as obsessed as many users, I have thoroughly enjoyed pinning items to my craft board so that I can go back later and look when I have time.

Last month I worked to spread the word to consumers about the scams that were running rampant on Pinterest, but I did not think it would happen to me and the small amount of pins I had acquired. I was wrong. Just now I happened to come across a Facebook post about how to make a very cool iPad case using wallpaper so I thought I would go ahead and pin it so I could check it out later. This is when the trouble began.

I have several different “boards” on my Pinterest to organize what I find online, but the board to which this particular link wanted to post to was called “Make Money Online”. Fairly certain that I had not created that board, I logged into the site and found that several boards had been created and items had been pinned to them. The pinned items, when clicked on, would lead someone to either an online job scam or a malware download.

Now, because of my work experience at the ITRC, I was able to recognize this and delete these boards before clicking on them. I changed my password and looked through my profile to be sure nothing else nefarious was going on. But I wonder how many people would actually know to do that? I also wonder if the Social Media Coordinator at the Identity Theft Resource Center had something that I just wrote about happen to me, then how often is this occurring?

Needless to say, I understand that having some malicious linked pinned onto your Pinterest boards is not as devastating as having your checking account taken over. However, it did really make me feel vulnerable and a bit violated. In the end, the lesson was learned to check my Pinterest more often than once a month. I advise that you do the same.

“My Pinterest Got Hacked” was written by Nikki Junker. Nikki is the Social Media Coordinator at the ITRC.

You may have heard the tech term “patches” thrown around the office or mentioned in news segments, but if you’re not already familiar, you should be. Patches are perhaps one of the single-most important cyber security tools that the everyday tech user needs, right up there with things like anti-virus software and scanning filters.

A patch is a small piece of software that a company issues whenever a security flaw is uncovered. Just like the name implies, the patch covers the hole, keeping hackers from further exploiting the flaw. A number of holes have been exploited with severe consequences before their developers’ could create a patch, including the Heartbleed virus in 2014 and the recent WannaCry ransomware attack that struck just this month.

WannaCry hit more than 200,000 computers and networks before a 22-year-old cyber security whiz identified and activated a kill switch. Some of the hardest hit networks were hospitals, as their systems were locked up by the attack. This resulted in the loss of patient care, and some facilities even had to turn away patients due to the inability to access any of their computers. The only way to unlock the computer and remove the ransomware was to pay the fine in bitcoin to the hackers, at least until the block was discovered.

Microsoft had already issued a patch only a matter of weeks ago for the particular hole that led to WannaCry, but many users had either not installed it or did not have automatic updates activated on their systems.

Whenever cyber security experts, researchers, or even just highly knowledgeable “hobbyists” discover a new flaw, the typical protocol is to alert the software developer immediately so they can issue a patch. They do not usually make the discovery public. This might seem counterproductive since typically the public can’t take action to protect themselves, but experience has shown that informing the public also alerts hackers to the existence of the flaw. By only telling the developers first, hopefully they will close up the hole before anyone else discovers it on their own.

Unfortunately, this kind of secrecy—while necessary to keep hackers from launching new malware attacks—also means that if the developer themselves discovered the hole and patched it in the next regularly scheduled update, you may never know about it. That’s why it’s very important to keep all of your software and handheld devices up-to-date; depending on your comfort level with your own tech you might choose to set your computer to automatically install any new updates from the developer.


If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App.

Recently, what has been a hot topic in the news is the infection of computers and computer systems in the Middle East. The damage is being attributed to a new threat that is being called “the most sophisticated cyber weapon,” “the most complex threat,” and “a massive, highly sophisticated piece of malware.” This new threat is known as “Flame.”

malwareBefore taking a look at what experts are saying, the dictionary definition of ‘malware’ is “malicious software that is intended to damage or disable computers and computer systems.” In essence, there are different types of malware designed for specific purposes; however, in their simplest of forms they are created to do exactly what the dictionary definition provides – disrupt computers.

Wired.com provides the jest of what malware does by providing their early analysis of ‘Flame:'” …the lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a back door to infected systems to allow the attacks to tweak the toolkit and add new functionality.”

Furthermore, according to NakedSecurity, ‘Flame’ has yet to be dissected to find out the workings of the deeper threats it poses to computer users. NakedScience states that “at its simplest level, Flame isn’t doing anything different from the vast majority of other malware we see on a typical day.” As a result, they emphasize on the fact that computer users should not be doing anything other than what they usually do on a daily basis to protect themselves.

In essence, computer users should continue to keep their anti-virus and security patches up-to-date. In addition, as usual – be cautious and fully aware or familiar with the software they install on their computers, the links they click on, the sites they visit, etc. Based on certain reports, ‘Flame’ can now be detected by anti-virus/ anti-spyware software.

I received a text message from my mobile provider the other day stating that as a premium customer I could download a free anti-virus for my Smartphone. Jaded as I am, working in identity theft, I was leery of a few things. First, I wasn’t sure the text had actually come from my mobile provider. The text message sender was only identified as a five digit number so I could not be sure that this was not actually a smishing scam. Second, I was concerned that even if the text was from my mobile provider, the download would not be free in the end or would expose all kinds of data when I accepted to download the application.

phone malware

So, I headed to my mobile providers website to see if this offer for free mobile anti-virus was legit. After finding the application on their website and realizing that what I was being offered was a very basic anti-virus which could be updated for a fee I came to the conclusion that this was indeed a little personal victory. Not only was I getting free basic anti-virus for my Smartphone, I was being validated for my concerns about mobile security.

Many people do not realize that your Smartphone is a mini PC and therefore vulnerable to the same risks as any laptop or PC. Mobile Malware is a growing threat and while Android devices were originally the target of many malware attacks, the risk for iPhone users is growing as MacOS is increasingly threatened. The best way for Smartphone users to protect themselves is to protect their mobile devices with anti-virus, just as they would their desktop.

The generosity of my mobile provider got me to thinking if all mobile providers were doing something similar. Had they finally caught the drift that if their customers were fearful of using the internet it would affect their bottom line? Perhaps they have as all of the major mobile providers I looked at offered some sort of free anti-virus protection for their Smartphone customers. This is exciting news for us here at the ITRC. It is good to know that there is protection available to consumers, protecting them from mobile malware attacks and therefore, one technique thieves use to get personal information to commit identity theft.

If you haven’t yet downloaded anti-virus onto your Smartphone, head on over to your mobile providers website and check to see if they offer free anti-virus for your device. Make sure that you are actually downloading the app from your mobile provider’s website. Cybercriminals will surely begin to create fake anti-virus applications for mobile devices in an attempt to infect devices with malware, so be sure the application is legitimate and not an application made to look similar.

Every year the Internet Crime Complaint Center, known as IC3, releases their report of the complaints they have received throughout the prior year. This information in gathered through the reports made by victims of cybercrime to IC3. It is then analyzed and reported to authorities at all levels in order to help law enforcement fight cybercrime. The information is also used to make important Public Service Announcements, which help make the public aware of new cybercrime scams and other exploits against citizens. This awareness is an incredibly important step in helping prevent individuals from becoming victims.

This year saw a rise in complaints received by the IC3, with the total number reaching 314,246. The Average dollar loss (for those who reported a monetary loss) was $4,187. Believe it or not, scams which purported to be from FBI topped the list of fraud types reported. The other four types of cybercrime that showed up in these results were identity theft, advance fee fraud, merchandise not delivered, and overpayment fraud. Auto fraud scams alone cost complainants $8.2 million dollars in loss. Romance scam losses amounted to $5700 per hour or $50 million overall. In these romance scams, women aged 50-59 had triple the rate of complaints and nearly 6 times the amount of loss as men in the same age bracket. There was also a rise in something IC3 calls “double dipping” which is where a criminal goes back to the victim and attempts to rectify the situation only to scam them again.

Scams which promised individuals “work from home” jobs were one of the main characteristics of those scams reported. There were over 17, 000 of these complaints and victims are not only conned out of money and time in these scams, but often can be charged with money laundering due to the nature of the “work” they are asked to perform. The total loss for this type of scam was over $20 million and females aged 20-29 seemed to be the largest group of individuals to report becoming a victim.

The information in the 2011 IC3 report mirrors what we see on a daily basis here at the ITRC and we are glad to be able to see the trends and predictions of what we may be dealing with next. One thing is for sure, with new ways to defraud individuals via computers every day, the IC3 report will continue to grow and hopefully help consumers avoid some of these terrible fates.