These days we hear a lot about “the cloud.” There are services encouraging you to upload your data to the cloud, and you can access it from anywhere and easily share files with others. But the flip side is the fact that you’re pushing your personal information from your own computer to data centers where you no longer have control over it. If you back up your computer to an online, or cloud, backup service, how do you know your data is safe?

What Is Cloud Backup?

Let’s first define what a cloud backup provider is: a cloud (or online) backup service consists of an application that runs on your local computer which copies files to an online data center. In the event of a hard drive failure, theft, fire or flood, you can then restore (or copy) your data to your replacement drive and not lose any files.

Cloud Backup Encryption

Many files contain personal information, which should remain confidential. In order to do this, cloud backup services encrypt the data before transmitting it. Most services use at least 128-bit encryption (the same as banks use) and will transmit the data via a secure connection. To decrypt the data, your private key is required. Without it, the data is useless.

To make online backups easy for customers to use, providers typically will store the private key for you. After all, if you lose the key, you can’t get the data back. But this means that, with a court order, these providers can use your private key (which they store) and gain access to your data. To prevent this, create your own private key and either memorize it (it can be any length you’d like) or save it to another location. Don’t save it to your hard drive: if the hard drive fails and you can’t read the key file, you won’t be able to decrypt your backup set.

Cloud Backup Best Practices

Maintaining your own private key is a good step in securing your cloud backups, but the file structure is still saved in a non-encrypted format. So, if you have a filename or folder name that contains personal or confidential information (such as bank_accounts/5675196254.xls), the filename can be read and data assumed without even decrypting the file. To combat this, look for a service which not only encrypts the data, but also the filename and folder structure.
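As an added illustration (not code from the article or from any backup provider), the Python sketch below compares what a provider's object listing reveals when only file contents are encrypted with what it reveals once each path is replaced by a keyed token derived from a passphrase only you hold. The function names, salt, iteration count and sample paths are assumptions constructed for the example; it uses HMAC tokens rather than reversible encryption, so the token-to-name map needed for a restore has to be stored encrypted with the backup.

```python
import hashlib
import hmac
import posixpath

# Constructed sample paths; the first is the article's example of a revealing name.
SAMPLE_PATHS = [
    "bank_accounts/5675196254.xls",
    "bank_accounts/2011_statements.pdf",
    "medical/lab_results.pdf",
    "photos/beach.jpg",
]
# Constructed list of strings the owner would not want a third party to read.
SENSITIVE = ["bank", "5675196254", "medical"]


def derive_name_key(passphrase, salt, iterations=600_000):
    """Stretch a passphrase that only the user holds into a 32-byte key.

    PBKDF2-HMAC-SHA256 from the standard library; the iteration count is an
    assumption for this sketch, not a value taken from any backup product.
    """
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations)


def normalize(path):
    """Canonical relative path, so one file always maps to one token."""
    clean = posixpath.normpath(path.replace("\\", "/")).lstrip("/")
    if clean in ("", ".", "..") or clean.startswith("../"):
        raise ValueError("not a path inside the backup set: %r" % path)
    return clean


def opaque_name(key, path):
    """Flat remote object name: HMAC-SHA256 of the whole path, hex encoded.

    Hashing the full path rather than each component hides the folder tree as
    well as the file name. Deterministic, so incremental backups still match.
    """
    return hmac.new(key, normalize(path).encode("utf-8"), hashlib.sha256).hexdigest()


def build_name_map(key, paths):
    """Return {token: real path}. A restore needs it, so it must be uploaded
    only in encrypted form (or kept offline with the passphrase)."""
    name_map = {}
    for path in paths:
        real = normalize(path)
        token = opaque_name(key, real)
        if name_map.setdefault(token, real) != real:
            raise RuntimeError("token collision between two paths")
    return name_map


def leaked_terms(listing, terms=SENSITIVE):
    """Sensitive strings readable by anyone who can see the object listing."""
    joined = "\n".join(listing).lower()
    return sorted(t for t in terms if t.lower() in joined)


if __name__ == "__main__":
    key = derive_name_key("correct horse battery staple", b"constructed-salt")
    name_map = build_name_map(key, SAMPLE_PATHS)
    print("contents-only encryption leaks:", leaked_terms(SAMPLE_PATHS))
    print("keyed object names leak:       ", leaked_terms(name_map))
    for token, real in name_map.items():
        print(token[:16] + "...", "<-", real)
```

Even with opaque names, the listing still exposes how many objects exist, along with their sizes and timestamps.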

Local Backup: An Alternative

Keeping a local backup of your data is often cited as an alternative to a cloud backup solution. The argument is that it’s cheaper (buy a 1TB drive for under $100 and add $20 for some backup software) and faster (a full local backup takes a few hours, a full online backup can take weeks). However, if you choose to back up your data to an external hard drive, make sure the data is encrypted. No need to make it easy for a thief to walk into your den and snag all of your data.

When compared to local backups, the online service can be more affordable (it’s easier to pay $5 per month than it is to shell out $120 all at once) and while the initial backup is slower, subsequent backups only transfer the files that change, making them just as fast as the local option.

Summary

In the end, having an online backup with the default encryption choices is still a better bet than no backup at all. Cloud backups give you remote access to your files and protect you when your hard drive fails (all hard drives fail – it’s a matter of “when,” not “if”). Knowing the different encryption options will help you choose the best online backup service.

Eric Nagel is owner of OnlineBackupsReview.com, a site which reviews various online backup services. He’s been covering the online backup industry since 2008.

Progress in technology is occurring faster than ever before in human history. The wealth of information now at our fingertips makes things possible that were unthinkable even a few short years ago. One of these is an interesting new development in law enforcement tactics. Digital data stored on sites like Facebook, or GPS tracking data harvested from your smartphone, is being used by law enforcement to both track and convict criminals. Utilizing technology as a tool for law enforcement is not a new concept, nor is its effectiveness in dispute. The use of such tactics is not without controversy, however, and privacy advocates are expressing concern as to the morality and legality of using someone’s personal webpage against them.

In January of this year, the U.S. Supreme Court for the first time limited police power to track people using GPS devices, setting a general standard for the privacy rights Americans should expect from a new generation of wireless electronics. From now on, law enforcement officers can expect that using GPS information to track and build evidence against a suspect will be scrutinized carefully if it is done without a warrant. Probable cause will need to be established. Essentially, the court ruled that the 4th Amendment does extend to electronic surveillance of this kind. However, the divergent opinions expressed by the court leave in doubt exactly where the line will be drawn as to what will constitute an invasion worthy of 4th Amendment protection. That line will need to be defined by future litigation, but what is already clear is that the court recognized technology’s ability to peek into our personal lives in a way that is new and unprecedented. And the court ruled that the 4th Amendment in certain situations can and should provide us some protection from these intrusions.

The use of social media sites like Facebook and Twitter by law enforcement is also coming under scrutiny. Following the London riots of last summer, the New York Police Department formed a special unit to monitor gang activity on social media sites, and found it to be an incredibly effective tool. Criminals often post things indicating everything from gang affiliation to evidence of the commission of a crime. The FBI, too, has adopted similar tactics, with similar success. This notable success in preventing crime has been both cheered as groundbreaking and criticized as an improper invasion of privacy. It’s hard to argue that a criminal boasting of committing crimes on social media pages has much expectation of privacy, but what is unclear up to this point is just how police go about getting information from social media, and what the standard of conduct is or should be related to viewing and extracting information from a potentially personal webpage.

What is clear is that as technology grows ever more advanced, the balancing act between increased connectivity and expectation of privacy will be ever more difficult.

“Phone and Social Media Tech Now Being Utilized by Police: Effective New Tool in the Fight Against Crime, or Invasion of Personal Privacy?” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the ITRC Blog.

I am one angry lady right now. My name is Nikki and I am the Social Media Coordinator here at the Identity Theft Resource Center. Something just happened to me that I had read about, but like everyone else had decided it would not happen to me. Yes…my Pinterest was hacked. For those of you who don’t know what Pinterest is, it is a social networking site where you can “pin” pictures to your “boards” so that you may go back later and find them. It is a visual social bookmarking site if you will. While I am not as obsessed as many users, I have thoroughly enjoyed pinning items to my craft board so that I can go back later and look when I have time.

Last month I worked to spread the word to consumers about the scams that were running rampant on Pinterest, but I did not think it would happen to me and the small amount of pins I had acquired. I was wrong. Just now I happened to come across a Facebook post about how to make a very cool iPad case using wallpaper so I thought I would go ahead and pin it so I could check it out later. This is when the trouble began.

I have several different “boards” on my Pinterest to organize what I find online, but the board to which this particular link wanted to post was called “Make Money Online”. Fairly certain that I had not created that board, I logged into the site and found that several boards had been created and items had been pinned to them. The pinned items, when clicked on, would lead someone to either an online job scam or a malware download.

Now, because of my work experience at the ITRC, I was able to recognize this and delete these boards before clicking on them. I changed my password and looked through my profile to be sure nothing else nefarious was going on. But I wonder how many people would actually know to do that? I also wonder if the Social Media Coordinator at the Identity Theft Resource Center had something that I just wrote about happen to me, then how often is this occurring?

Needless to say, I understand that having some malicious links pinned onto your Pinterest boards is not as devastating as having your checking account taken over. However, it did really make me feel vulnerable and a bit violated. In the end, the lesson was learned to check my Pinterest more often than once a month. I advise that you do the same.

“My Pinterest Got Hacked” was written by Nikki Junker. Nikki is the Social Media Coordinator at the ITRC.

You may have heard the tech term “patches” thrown around the office or mentioned in news segments, but if you’re not already familiar, you should be. Patches are perhaps one of the single-most important cyber security tools that the everyday tech user needs, right up there with things like anti-virus software and scanning filters.

A patch is a small piece of software that a company issues whenever a security flaw is uncovered. Just like the name implies, the patch covers the hole, keeping hackers from further exploiting the flaw. A number of holes have been exploited with severe consequences before their developers could create a patch, including the Heartbleed virus in 2014 and the recent WannaCry ransomware attack that struck just this month.

WannaCry hit more than 200,000 computers and networks before a 22-year-old cyber security whiz identified and activated a kill switch. Some of the hardest hit networks were hospitals, as their systems were locked up by the attack. This resulted in the loss of patient care, and some facilities even had to turn away patients due to the inability to access any of their computers. The only way to unlock the computer and remove the ransomware was to pay the fine in bitcoin to the hackers, at least until the block was discovered.

Microsoft had already issued a patch only a matter of weeks ago for the particular hole that led to WannaCry, but many users had either not installed it or did not have automatic updates activated on their systems.

Whenever cyber security experts, researchers, or even just highly knowledgeable “hobbyists” discover a new flaw, the typical protocol is to alert the software developer immediately so they can issue a patch. They do not usually make the discovery public. This might seem counterproductive since typically the public can’t take action to protect themselves, but experience has shown that informing the public also alerts hackers to the existence of the flaw. By only telling the developers first, hopefully they will close up the hole before anyone else discovers it on their own.

Unfortunately, this kind of secrecy—while necessary to keep hackers from launching new malware attacks—also means that if the developer themselves discovered the hole and patched it in the next regularly scheduled update, you may never know about it. That’s why it’s very important to keep all of your software and handheld devices up-to-date; depending on your comfort level with your own tech you might choose to set your computer to automatically install any new updates from the developer.


If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App.

Recently, what has been a hot topic in the news is the infection of computers and computer systems in the Middle East. The damage is being attributed to a new threat that is being called “the most sophisticated cyber weapon,” “the most complex threat,” and “a massive, highly sophisticated piece of malware.” This new threat is known as “Flame.”

Before taking a look at what experts are saying, the dictionary definition of ‘malware’ is “malicious software that is intended to damage or disable computers and computer systems.” In essence, there are different types of malware designed for specific purposes; however, in their simplest of forms they are created to do exactly what the dictionary definition provides – disrupt computers.

Wired.com provides the gist of what malware does in its early analysis of ‘Flame’: “…the lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a back door to infected systems to allow the attacks to tweak the toolkit and add new functionality.”

Furthermore, according to NakedSecurity, ‘Flame’ has yet to be dissected to find out the workings of the deeper threats it poses to computer users. NakedSecurity states that “at its simplest level, Flame isn’t doing anything different from the vast majority of other malware we see on a typical day.” As a result, they emphasize that computer users should not be doing anything other than what they usually do on a daily basis to protect themselves.

In essence, computer users should continue to keep their anti-virus and security patches up-to-date. In addition, as usual, they should be cautious and fully aware of the software they install on their computers, the links they click on, the sites they visit, etc. Based on certain reports, ‘Flame’ can now be detected by anti-virus/anti-spyware software.

I received a text message from my mobile provider the other day stating that as a premium customer I could download a free anti-virus for my Smartphone. Jaded as I am, working in identity theft, I was leery of a few things. First, I wasn’t sure the text had actually come from my mobile provider. The text message sender was only identified as a five-digit number so I could not be sure that this was not actually a smishing scam. Second, I was concerned that even if the text was from my mobile provider, the download would not be free in the end or would expose all kinds of data when I agreed to download the application.

So, I headed to my mobile provider’s website to see if this offer for free mobile anti-virus was legit. After finding the application on their website and realizing that what I was being offered was a very basic anti-virus which could be updated for a fee, I came to the conclusion that this was indeed a little personal victory. Not only was I getting free basic anti-virus for my Smartphone, I was being validated for my concerns about mobile security.

Many people do not realize that your Smartphone is a mini PC and therefore vulnerable to the same risks as any laptop or PC. Mobile Malware is a growing threat and while Android devices were originally the target of many malware attacks, the risk for iPhone users is growing as MacOS is increasingly threatened. The best way for Smartphone users to protect themselves is to protect their mobile devices with anti-virus, just as they would their desktop.

The generosity of my mobile provider got me to thinking if all mobile providers were doing something similar. Had they finally caught the drift that if their customers were fearful of using the internet it would affect their bottom line? Perhaps they have as all of the major mobile providers I looked at offered some sort of free anti-virus protection for their Smartphone customers. This is exciting news for us here at the ITRC. It is good to know that there is protection available to consumers, protecting them from mobile malware attacks and therefore, one technique thieves use to get personal information to commit identity theft.

If you haven’t yet downloaded anti-virus onto your Smartphone, head on over to your mobile provider’s website and check to see if they offer free anti-virus for your device. Make sure that you are actually downloading the app from your mobile provider’s website. Cybercriminals will surely begin to create fake anti-virus applications for mobile devices in an attempt to infect devices with malware, so be sure the application is legitimate and not an application made to look similar.

Every year the Internet Crime Complaint Center, known as IC3, releases its report of the complaints it has received throughout the prior year. This information is gathered through the reports made by victims of cybercrime to IC3. It is then analyzed and reported to authorities at all levels in order to help law enforcement fight cybercrime. The information is also used to make important Public Service Announcements, which help make the public aware of new cybercrime scams and other exploits against citizens. This awareness is an incredibly important step in helping prevent individuals from becoming victims.

This year saw a rise in complaints received by the IC3, with the total number reaching 314,246. The average dollar loss (for those who reported a monetary loss) was $4,187. Believe it or not, scams which purported to be from the FBI topped the list of fraud types reported. The other four types of cybercrime that showed up in these results were identity theft, advance fee fraud, merchandise not delivered, and overpayment fraud. Auto fraud scams alone cost complainants $8.2 million in losses. Romance scam losses amounted to $5700 per hour or $50 million overall. In these romance scams, women aged 50-59 had triple the rate of complaints and nearly 6 times the amount of loss as men in the same age bracket. There was also a rise in something IC3 calls “double dipping,” which is where a criminal goes back to the victim and attempts to rectify the situation only to scam them again.

Scams which promised individuals “work from home” jobs were one of the main characteristics of those scams reported. There were over 17,000 of these complaints and victims are not only conned out of money and time in these scams, but often can be charged with money laundering due to the nature of the “work” they are asked to perform. The total loss for this type of scam was over $20 million and females aged 20-29 seemed to be the largest group of individuals to report becoming a victim.

The information in the 2011 IC3 report mirrors what we see on a daily basis here at the ITRC and we are glad to be able to see the trends and predictions of what we may be dealing with next. One thing is for sure, with new ways to defraud individuals via computers every day, the IC3 report will continue to grow and hopefully help consumers avoid some of these terrible fates.

The Federal Trade Commission charged social network MySpace LLC with falsely representing the protection of its millions of users’ personal information. On May 8, 2012, the FTC made public its press release noting the conditions of the agreed settlement between the FTC and MySpace LLC.

So, what did MySpace do? According to the FTC, MySpace LLC led millions of users in the wrong direction about how the social network shared and protected their personal information that was collected via their personal profiles. The FTC said that MySpace provided its advertisers with its users’ Friend IDs, the unique identifier for each profile created on MySpace. The problem was not only that advertisers were able to use the Friend ID to find a user’s profile, but they were also able to obtain the personal information that was made public by the user on his or her profile (age, gender, display name, user’s full name, profile picture – if provided, hobbies, list of user’s friends, and possible interests). This information was used to link web-browsing activity to the user.

MySpace LLC provides their privacy policy statements, which have not been revised since December 7th, 2010. Per their site, MySpace’s privacy policy is divided into different sections: Privacy Policy, Collection and Submission of PII and non-PII on MySpace, Notice: MySpace will provide you with notice about its PII collection practices, Choice: MySpace will provide you with choices about the use of your PII, Use: MySpace’s use of PII, Security: MySpace protects the security of PII, and Safe Harbor. These sections, in essence, advised its users that MySpace LLC would not share information for purposes other than those noted under each section, and that prior to use a user would be notified. Furthermore, another section promised that individual users would not be personally identified to third-parties, especially when it came to sharing web-browsing activity that was not anonymous. The privacy page further explains that MySpace is in compliance with the U.S. – EU Safe Harbor Framework and the U.S. – Swiss Safe Harbor Framework – framework which is set forth by the U.S. Department of Commerce. However, the FTC noted that MySpace’s privacy statements were deceptive in addition to violating federal law. In other words, MySpace was not practicing what they preached.

In the end, the social network agreed to settle. The FTC’s proposed settlement comes with several requests:

  1. Requires that MySpace LLC establish a “comprehensive” privacy program specifically designed to protect consumer information.
  2. MySpace is to engage and be subject to continued privacy assessments for the next 20 years by independent, third-party auditors.
  3. The agreement “bars MySpace from misrepresenting the extent to which it protects the privacy of users’ personal information or the extent to which it belongs to or complies with any privacy, security, or other compliance program, including the U.S. – EU Safe Harbor Framework.”

In a 4-0-1 decision, the Federal Trade Commission accepted the consent agreement. However, this agreement is now open for public comment – closing June 8th, 2012. Then, the FTC will decide whether it will make the consent order final.

“Shame on you MySpace” was written by Gabby Beltran. Gabby is the Public Information Officer and a Bilingual Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

Last August, Facebook released their Facebook Messenger app for smart phones. This app is great for communicating with large groups of people (like party planning) so that everybody is involved, and also for allowing a friend to locate you in case you are lost or are meeting up at an unfamiliar location. In many ways, this app is a great convenience to many people and does make communication easier, but like with all social networking, users need to know about the privacy concerns and what they need to keep in mind to protect themselves.

The number one thing that consumers have shown concern for is the GPS tracking. When messaging somebody you can have it show everybody in the conversation your location via GPS. They all can see where you are messaging from and use GPS to get directions to you. Though this is very useful in some situations, it is important to only use this function when necessary. You might not know everybody who is participating on messenger, nor do the people viewing your conversation have to be on your friends list to see your texts. Be sure you know who you are giving your location to and turn the function off if you aren’t sure.

This situation dovetails into another concern many consumers have. This new app does show everybody invited to the conversation. However, until they make their first post, it only shows their first name. This means, if you know 3 people named “Dave” you don’t know which one could be invited to chat until they say something. This can cause some awkward and embarrassing moments to those who aren’t careful. It also means that people you don’t know could be invited to the conversation and you might think it was actually a friend. Be careful with what you post. Make sure you know everybody before stating things or giving away your location.

The last item that has consumers concerned is that you can tell if a message you have sent has been read or not. For general purposes this is useful, but somebody could use this information to spy on you. It is also a way for spammers to know if your Facebook profile is active and if you have connected your phone to it. By knowing if you have read a message, they could then send you more messages in an attempt to trick you and steal your identity. You cannot turn this function off. The best thing you can do is delete anything that looks suspicious.

“Is Facebook’s New Messenger App a Privacy Risk?” was written by Kat Rocha. Kat is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

Chances are you have a lot of accounts. Personally I have accounts (and passwords) for sites that I don’t even remember. And while I have more accounts than most due to my profession, I would bet many people deal with the same problem I do: Password Overload. Password overload is when you attempt to use your Pinterest, Twitter, work email and university login passwords (one after another) to get into your Money Market Account only to be locked out. Now you have to go into the branch with photo ID, or endure the dreaded “customer service hotline” (not-line) to prove that you are not indeed a thief. Maybe you haven’t experienced such an ordeal, but everyone has experienced something similar.

The problem seems like it could be easily solved by using the same password for everything. One password to remember, and no more jumbling through your notebook trying to find what password you used for your newest account creation or Facebook app. The problem with this approach is that if you are using the same passwords for all of your accounts, then if someone manages to get the password for say, your Instagram account, they would probably be able to drain your savings account, phish your family for personal information (such as your Social Security Number), or rack up a warrant in your name for writing bad checks…. This could all happen because you logged into Facebook at the internet café and re-use the same password for multiple accounts.

So, what do you do if you don’t want to tattoo 25 passwords on your arm (P.S. You would probably now have a MySpace log-in that would need to be covered up) and you don’t want to end up cuffed for felony check fraud? The answer is a password manager. This new service was created so that users can remember just one password, yet have access to all other passwords. The best part is that you can have access to these passwords from anywhere as most of the new password managers are internet based. As the need for password management increases, the options available to consumers have grown, leaving even the strictest cybersecurity aficionado pleased with the service.

A few things you should look for when finding a password manager are:

  1. Is it cross platform? Will it work on your iPhone and your PC?
  2. How is the information (your passwords) encrypted?
  3. Does the service sync or will the user need to update the database every time they sign up for a new account?
  4. What is the initial authentication process and how strong is it?
  5. How reputable is the company who created the product and what is reported about the product itself?

By asking yourself these questions you should be on your way to making sure that your passwords are protected and you won’t lose your mind trying to keep track of them all. Just make sure you protect your login credentials for your password manager…. like really, really well…

“Too Many Passwords? Handle It…” was written by Nikki Junker. Nikki is the Social Media Coordinator at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.