It has been a particularly disturbing couple of weeks as headlines throughout America highlight how some of our most powerful financial institutions were being hacked by alleged foreign powers. It all began on September 17 when the FBI issued a joint Bank Fraud Alert with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Internet Crime Complaint Center.

The Bank Fraud Alert warned banks and financial institutions that hackers were using Distributed Denial of Service (DDoS) attacks to take down their consumer websites to distract both the consumers and bank cybersecurity while millions of dollars were fraudulently wired out of people’s accounts. The very next day, Bank of America was reported to have website problems and consumers were having trouble accessing the website and their bank accounts.

On September 19, J.P. Morgan Chase Bank was reported to have similar problems as their website went down and consumers could not access their bank accounts. That same day, FS-ISAC raised its Current Financial Services Cyber Threat Advisory from “elevated” to “high” for the first time in its history. A few days later on September 25, Wells Fargo suffered website outages followed by website problems for U.S. Bank and PNC Bank the next day.

A hacker group by the name of Izz ad-din Al qassam Cyber Fighters has been claiming responsibility for these DDoS attacks, but experts warn that it is more likely that an organization with far more money and capabilities is responsible for these attacks. Senator Joseph Lieberman, Chairman of the Homeland Security Committee, stated in a C-SPAN interview that he believed Iran’s government sponsored the cyber-attacks.

Now, the Washington Free Beacon reported on Sunday that alleged Chinese government hackers had breached a computer system associated with the White House Military Office. A White House official confirmed that hackers had breached an unclassified computer network, but emphasized that the network had no unclassified information and no data appeared to have been stolen.

Apparently, the breach was made possible by a spear phishing attack, which uses a message that appears to be authentic and contains a file or link that, when clicked, installs malicious software onto the computer. In August, the Senate blocked the Cybersecurity Act of 2012, which was designed to help bolster cybersecurity in critical infrastructures in the United States, leaving the Obama administration to consider issuing an executive order to improve cybersecurity instead.

“First the Banks, Now the White House” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the ITRC_Blog.

Last week someone in my family asked me if I could help them with their computer. I asked them what seemed to be wrong with the machine. They told me that it would start normally at first, but as soon as Windows was done loading they would get a pop-up that they had been infected with a virus that was above the level of what their normal anti-virus could handle. They were told that they needed to pay for this additional coverage to remove the problem. Unfortunately, they continued, and paid for the “extra service.”

This person, like so many of us, is not stupid. In fact, they are very intelligent. However, what is taken for granted as basic computer safety knowledge by the younger generations may be an unknown area of knowledge to those who never created a Word document for a paper in High School, never had a Facebook account that their parents monitored, and were never taught even the fundamentals about Cybersecurity. Today, when the Internet is no longer an option but a necessity for most of us, cyber criminals are finding an easy target in people who may be using the Internet and a personal computer for the first time.

I asked this family member if they had current updated anti-virus security on the computer, and they were not quite sure what I was talking about. This I could believe, as many people who were raised in the age of Internet still don’t know the importance of having an anti-virus with updated virus definitions installed on their computers. Good antivirus programs are perhaps the best way to protect yourself (and computer) from many of the threats, including viruses, malware, and cybercrime exploits. This ounce of prevention can save people from spending a pound on a cure.

Unfortunately for my family member, it was “too little, too late” for the prevention approach, and they had to take their computer in to have it fixed. This one event cost much more than an anti-virus program would have cost, not to mention the money paid to the Cybercriminals behind the Ransomware, and the time and frustration of the related computer problems. While it comes as little comfort to my family member now, this story has taught a lesson: use an anti-virus, and keep it up to date, always.

This experience also shows how easy it is to fall for the Ransomware scams, and how important it is to educate people about the current Cybercrime trends. Perhaps the next family night we will not be breaking out the Scrabble, but instead a PowerPoint presentation on Cybersecurity.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.

Two days ago, the Federal Bureau of Investigation, the Financial Services Information Sharing and Analysis Center, and the Internet Crime Complaint Center jointly issued a Fraud Alert to financial institutions warning them of alarming trends in unauthorized wire transfers overseas in amounts ranging from $400,000 to $900,000. The Fraud Alert explains that after targeting financial institution employees with spam and phishing e-mails, the cyber criminals installed keystroke loggers and Remote Access Trojans to be able to completely access internal networks and logins to third party systems. In other cases, the cyber criminals stole employee and administrative credentials allowing them to avoid verification methods used by the financial institutions to prevent fraudulent activity.

This enabled them to peruse multiple accounts and select those with the highest balances to conduct wire transfers from. According to the Fraud Alert, the cyber criminals were able to “handle all aspects of a wire transaction, including the approval… obtain account transaction histories, modify or learn institution specific wire transfer settings, and read manuals providing information and training on the use of US payment systems.” The Fraud Alert theorized that the cyber criminals used distributed denial of service (DDoS) attacks against the financial institutions’ public websites as a diversion to keep them occupied while fraudulent wire transfers were being conducted.

Yesterday, the Financial Services Information Sharing and Analysis Center raised their Current Financial Services Sector Cyber Threat Advisory from “elevated” to “high,” leaving the Physical Threat Advisory at “elevated.” Soon after, Reuters reported, “the consumer banking website of JPMorgan Chase & Co was intermittently unavailable to some customers. The problems followed issues with the website of Bank of America Corp on Tuesday amid threats on the Internet that a group was planning to launch cyber attacks on a U.S. bank.”

This incident occurs amid the heated debate in Washington over how to bolster cybersecurity in the United States and reminds us just how important cybersecurity is in this new digital age. We must consider, as a nation, the impact that cyber attacks from criminals, terrorists, or other countries can have on us as a whole. Imagine what could happen the next time financial institutions are attacked if the main goal is not to steal millions of dollars but to take the whole banking system down. In order to improve, there has to be change on a national level. The challenge now facing us is how best to balance the competing interests of privacy protection, avoiding over-regulation, and providing room for effective individual cybersecurity protocols.

Senator McCain’s SECURE IT Act has yet to reach the Senate floor, but will likely face intense scrutiny over the potential lack of government regulation and concern over privacy protections. Even modest improvements to our national security picture will require that we put aside the contentiousness and work together in earnest. Unfortunately, it seems that Congress may not be up to that task and President Obama might have to resort to issuing an Executive Order. This action, by its nature, will create more strife and disagreement in an already gridlocked Congress.

“Banks Warned of Heightened Cyber Threat by FBI” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

A report released by Norton (Symantec), a leader in cybersecurity that develops antivirus, anti-malware, and other related products and software, demonstrates just how pervasive cybercrime is in today’s digital age. The report was the final product of 19,636 interviews of adults, parents, children, and teachers from 24 developed and emerging countries.

The report confirms that cybercrimes are becoming more common than normal “offline” crimes. This may be due to the fact that cybercriminals are very difficult to find, even as they continue to commit more criminal acts. Norton found that there are approximately 1,000,000 cybercrime victims every single day of the year. This amounts to a cost to society in the amount of $388,000,000,000 ($388 Billion) in just 2011. Of that amount, $114 billion accounts for money actually stolen or money spent to resolve cybercrimes. The remaining $274 billion of that money is in the form of time and costs to victims dealing with cybercrimes. To give a better idea of the staggering size of cybercrime’s financial costs, Norton compares the $388 billion cybercrime cost to the global black market of marijuana, cocaine, and heroin combined at $288 billion. In fact, the sum of all global drug trafficking is valued at $411 billion, only $23 billion more than cybercrime costs.

Unfortunately, the spread of cybercrime is unlikely to slow down as the number of people using the Internet, computers, and especially mobile devices increases. Of those surveyed, 69% of all adults have been a victim of cybercrime, and of those, 65% were victims in 2011 alone. The report shows that the more time one spends online, the more likely they are to become a victim of cybercrime. This is supported by their results which show that 75% of “millennials” (aged 18-31) have been victimized at some point compared to only 61% from the boomer generation. Usage of mobile devices to peruse the Internet is widespread and growing, with 44% of mobile device owners using their device to surf the Internet, and nearly 60% of millennials doing the same.

Even more disturbing is that the spread of cybercrime to these mobile users is just beginning. In 2011, 10% of all mobile device users online had fallen victim to cybercrime. Considering that the number of mobile users surfing the Internet is already large, and that the number will certainly go up as time goes on, it is safe to assume that mobile device related cybercrime is inevitably going to increase. In this society, even a minor increase in the percentage of victimized users will mean a very large number of individuals affected.

Despite the staggering number of cybercrimes being committed on a yearly basis, the public perception of these crimes continues to underestimate how severe and common they are. Of the people interviewed, 44% had been a victim of cybercrime in the last year while only 15% had been a victim of some form of offline crime. That means that cybercrime is nearly three times more common than “offline” crimes. The perception problem is that, of the people surveyed, only 31% thought that they were more likely to become a victim of cybercrime than offline crime.

This misconception helps explain why 40% of adults surveyed did not have an up to date security suite to protect their personal data. Not only are consumers not adequately protecting themselves online, but only 21% of actual victims reported the cybercrime to the police after becoming a victim. This perception that cybercrimes aren’t quite the same as offline crimes might be reinforced by the lack of avenues to get help after becoming a cybercrime victim. Of those who reported suffering both cybercrime and offline crime, 59% felt there were fewer ways to get help after the cybercrime.

It is clear from Norton’s Cybercrime Report that cybercrime is here to stay and should be considered a high priority by law enforcement and consumers who use the Internet. People must be educated about the risks associated with Internet use and encouraged to protect their personal information in this digital world. The next time you are about to log onto the Internet from your desktop or mobile device, take a moment to consider whether you have taken enough steps to protect yourself from cybercrime.

“Norton Cybercrime Report 2011: Painting a Dismal Picture” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC_Blog.

If you have scratched below the surface of the avalanche of articles on identity theft, scams, cyber-security, or related topics, you have probably run across the term “spoofing.” However, even many of us that work in the field are not very good at explaining to others what the term means, and the various ways the term might be used. So, here goes….

From www.dictionary.com:

spoof; noun

  1. a mocking imitation of someone or something, usually light and good-humored; lampoon or parody: The show was a spoof of college life.
  2. a hoax; prank.

In the context of cyber-security and related subjects, “spoofing” means providing false information in order to make the intended victim think the communication has come from either someone they know, or a business or entity that they would tend to trust. However, there are a number of types of “spoofing”, some more technical than others:

  • IP spoofing is a technique used to make a computer user think that a particular Internet IP being presented is a safe computer/server, and should be trusted. Most of us don’t directly confront this type of spoofing, and probably are unaware of how it works. Just like phone numbers, IP addresses are supposed to signal a unique address or location across the Internet, so faking an IP address can be used by criminals as a method of becoming part of a trusted network. A consumer is unlikely to be directly confronted with IP spoofing, unless they are working in a technical field.
  • Caller ID Spoofing is used to make an incoming call present a phone number that the intended victim might know or trust. However, the number appearing on the Caller ID is not the real calling number, and “spoofing” the number is used for exactly that purpose, to gain trust in a situation when none should be given. With the advent of VOIP or Internet-based phones, the ability to make an incoming call look like it was from San Diego, when the caller is in Russia, is a fact. Caller ID cannot be trusted to determine anything about the caller. Caller ID Spoofing is done quite often, and the average consumer is often in the dark as far as knowing who is really making the call. If in doubt, the best policy is to disengage from the call, then look up the company by name, and call a listed number for the company to inquire about the contact. It should be remembered that people who do business with you already have the information about you, your account number, etc. It is an entirely different situation if you call the company, and are asked for credentials before they will discuss your business with them. However, if the call is coming from them to you, they are the ones that need to prove who they are before you give them any information. Be warned!
  • Email Address Spoofing is probably the most common type of spoofing. Most of us have seen this many times on incoming email, although we may not have recognized it. All of us observe the sender’s name/address on incoming emails to see who the sender might be, and whether we think about it or not, we tend to give credibility to that email based upon any previous knowledge we may have of the purported sender. Spoofing the “From:” address is often done as part of a fraudulent scheme. If the “From:” address makes you think the email should be trusted, then you are much more likely to click on a link or take other action, or otherwise give some credibility to an email that is coming from a complete stranger, and possibly a thief. Many of the emails used in “Phishing” schemes will have spoofed sending addresses. In fact, a more deadly form of this attack, called “Spear Phishing,” uses email addresses from someone recognized as an authority, such as a highly placed executive of your company, to make your response even more likely. You are not going to turn down a request from your Vice President, are you? And, it’s a given that website links in these spoofed emails cannot be trusted: they are spoofed also, and will very rarely point your web browser to the address that the link purports to be. Altogether, it is wise for all of us to be wary of incoming email, unless we are very sure of the sender and the authenticity of the message.
  • SMS or Text Spoofing: In a similar fashion to Caller ID and email spoofing, it is also possible for a text message (SMS) to appear to be from a trusted source, while it really is from a quite different sender. In a manner similar to other types of spoofing, be very aware when a text message invites you to take actions, or strongly implies a course of action that you had not anticipated. Like other forms of spoofing, the best answer is to be suspicious and fact check, before you act.

Spoofing is a part of the world we live in now, and it is a key element of the “social engineering” used against consumers in attempts to commit fraud and identity theft. Being skeptical and checking information by other means is really the key to avoid becoming a victim.
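The two warning signs named in the Email Address Spoofing item above, a forged “From:” address and links that do not go where they appear to, can be checked in code. This is an added example, not part of the original article; the sample message, its .example domains and the helper names are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: every name, address and domain here is made up.
SAMPLE = '''\
Return-Path: <bounce@mailer.attacker.example>
Authentication-Results: mx.corp.example; spf=pass smtp.mailfrom=mailer.attacker.example; dmarc=fail header.from=corp.example
From: "Pat Lee" <pat.lee@corp.example>
To: employee@corp.example
Subject: Urgent: please review today
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Sign in at
<a href="http://login.attacker.example/corp">https://intranet.corp.example/login</a>
before noon.</p>
<p><a href="https://www.corp.example/help">Help desk</a></p>
</body></html>
'''


def org_domain(host):
    """Naive 'last two labels' reduction; real tools use the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def header_findings(msg):
    """Compare the visible From: domain with the envelope sender and DMARC result."""
    addresses = msg["From"].addresses if msg["From"] else ()
    if not addresses:
        return ["no parsable From: address"]
    from_dom = org_domain(addresses[0].domain)
    findings = []
    # Return-Path is the envelope sender. A mismatch is only a weak signal,
    # because legitimate bulk mailers also send on behalf of other domains.
    envelope = parseaddr(str(msg.get("Return-Path", "")))[1]
    env_dom = org_domain(envelope.rpartition("@")[2]) if envelope else ""
    if env_dom and env_dom != from_dom:
        findings.append(f"envelope sender {env_dom} differs from From: {from_dom}")
    # Authentication-Results is meaningful only when written by your own
    # receiving mail server; copies injected by the sender must be ignored.
    auth = str(msg.get("Authentication-Results", "")).lower()
    results = dict(re.findall(r"\b(spf|dkim|dmarc)=(\w+)", auth))
    if results.get("dmarc") != "pass":
        findings.append(f"dmarc={results.get('dmarc', 'missing')} for From: {from_dom}")
    return findings


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def link_findings(html):
    """Flag links whose visible text names one site while the href opens another."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        shown = re.match(r"(?:https?://)?((?:[\w-]+\.)+[a-z]{2,})", text, re.I)
        if not shown:
            continue  # the link text is ordinary words, not an address
        actual = urlparse(href).hostname or ""
        if org_domain(shown.group(1)) != org_domain(actual):
            findings.append(f"link shows {shown.group(1)} but opens {actual}")
    return findings


def analyze(raw):
    """Return a list of human-readable warnings for one raw message."""
    msg = message_from_string(raw, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body else ""
    return header_findings(msg) + link_findings(html)


if __name__ == "__main__":
    for warning in analyze(SAMPLE):
        print("WARNING:", warning)
```

None of these findings proves fraud on its own; they are prompts to verify the request through a channel other than the email itself.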


These days we hear a lot about “the cloud.” There are services encouraging you to upload your data to the cloud, so that you can access it from anywhere and easily share files with others. But the flip side is that you’re pushing your personal information from your own computer to data centers where you no longer have control over it. If you back up your computer to an online, or cloud, backup service, how do you know your data is safe?

What Is Cloud Backup?

Let’s first define what a cloud backup provider is: a cloud (or online) backup service consists of an application that runs on your local computer which copies files to an online data center. In the event of a hard drive failure, theft, fire or flood, you can then restore (or copy) your data to your replacement drive and not lose any files.

Cloud Backup Encryption

Many files contain personal information, which should remain confidential. In order to do this, cloud backup services encrypt the data before transmitting it. Most services use at least 128-bit encryption (the same as banks use) and will transmit the data via a secure connection. To decrypt the data, your private key is required. Without it, the data is useless.

To make online backups easy for customers to use, providers typically will store the private key for you. After all, if you lose the key, you can’t get the data back. But this means that with a court order, these providers can use your private key (which they store) and gain access to your data. To prevent this, create your own private key and either memorize it (it can be any length you’d like) or save it to another location. Don’t save it to your hard drive: if the hard drive fails and you can’t read the key file, you won’t be able to decrypt your backup set.

Cloud Backup Best Practices

Maintaining your own private key is a good step in securing your cloud backups, but the file structure is still saved in a non-encrypted format. So, if you have a filename or folder name that contains personal or confidential information (such as bank_accounts/5675196254.xls), the filename can be read and data assumed without even decrypting the file. To combat this, look for a service which not only encrypts the data, but also the filename and folder structure.

Local Backup: An Alternative

Keeping a local backup of your data is often cited as an alternative to a cloud backup solution. The argument is that it’s cheaper (buy a 1TB drive for under $100 and add $20 for some backup software) and faster (a full local backup takes a few hours, a full online backup can take weeks). However, if you choose to back up your data to an external hard drive, make sure the data is encrypted. No need to make it easy for a thief to walk into your den and snag all of your data.

When compared to local backups, the online service can be more affordable (it’s easier to pay $5 per month than it is to shell out $120 all at once) and while the initial backup is slower, subsequent backups only transfer the files that change, making them just as fast as the local option.

Summary

In the end, having an online backup with the default encryption choices is still a better bet than no backup at all. Cloud backups give you remote access to your files and protect you when your hard drive fails (all hard drives fail – it’s a matter of “when,” not “if”). Knowing the different encryption options will help you choose the best online backup service.

Eric Nagel is owner of OnlineBackupsReview.com, a site which reviews various online backup services. He’s been covering the online backup industry since 2008.

Progress in technology is occurring faster than ever before in human history. The wealth of information now at our fingertips makes things possible that were unthinkable even a few short years ago. One of these is an interesting new development in law enforcement tactics. The use of digital data, stored on sites like Facebook, or GPS tracking data harvested from your smartphone is being utilized by law enforcement to both track and convict criminals of crime. Utilizing technology as a tool for law enforcement is not a new concept, nor is its effectiveness in dispute. The use of such tactics is not without controversy however, and privacy advocates are expressing concern as to the morality and legality of using someone’s personal webpage against them.


In January of this year, the U.S. Supreme Court for the first time limited police power to track people using GPS devices, setting a general standard for the privacy rights Americans should expect from a new generation of wireless electronics. From now on, law enforcement officers can expect that using GPS information to track and build evidence against a suspect will be scrutinized carefully if it is done without a warrant. Probable cause will need to be established. Essentially, the court ruled that the 4th amendment does extend to electronic surveillance of this kind. However, the divergent opinions expressed by the court leave in doubt exactly where the line will be drawn as to what will constitute an invasion worthy of 4th amendment protection. That line will need to be defined by future litigation, but what is already clear is that the court recognized technology’s ability to peek into our personal lives in a way that is new and unprecedented. And the court ruled that the 4th amendment in certain situations can and should provide us some protection from these intrusions.

The use of Social Media sites like Facebook and Twitter by law enforcement is also coming under scrutiny. Following the London riots of last summer, the New York Police Department formed a special unit to monitor gang activity on social media sites, and found it to be an incredibly effective tool. Criminals often post things indicating everything from gang affiliation, to evidence of the commission of a crime. The FBI too, has adopted similar tactics, with similar success. This notable success in preventing crime has been both cheered as groundbreaking, and criticized as an improper invasion of privacy. It’s hard to argue that a criminal boasting of committing crimes on social media pages has much expectation of privacy, but what is unclear up to this point is just how police go about getting information from social media, and what the standard of conduct is or should be related to viewing and extracting information from a potentially personal webpage.

What is clear is that as technology grows ever more advanced, the balancing act between increased connectivity and expectation of privacy will be ever more difficult.

“Phone and Social Media Tech Now Being Utilized by Police: Effective New Tool in the Fight Against Crime, or Invasion of Personal Privacy?” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the ITRC Blog.

I am one angry lady right now. My name is Nikki and I am the Social Media Coordinator here at the Identity Theft Resource Center. Something just happened to me that I had read about, but like everyone else had decided it would not happen to me. Yes…my Pinterest was hacked. For those of you who don’t know what Pinterest is, it is a social networking site where you can “pin” pictures to your “boards” so that you may go back later and find them. It is a visual social bookmarking site if you will. While I am not as obsessed as many users, I have thoroughly enjoyed pinning items to my craft board so that I can go back later and look when I have time.

Last month I worked to spread the word to consumers about the scams that were running rampant on Pinterest, but I did not think it would happen to me and the small amount of pins I had acquired. I was wrong. Just now I happened to come across a Facebook post about how to make a very cool iPad case using wallpaper so I thought I would go ahead and pin it so I could check it out later. This is when the trouble began.

I have several different “boards” on my Pinterest to organize what I find online, but the board to which this particular link wanted to post was called “Make Money Online”. Fairly certain that I had not created that board, I logged into the site and found that several boards had been created and items had been pinned to them. The pinned items, when clicked on, would lead someone to either an online job scam or a malware download.

Now, because of my work experience at the ITRC, I was able to recognize this and delete these boards before clicking on them. I changed my password and looked through my profile to be sure nothing else nefarious was going on. But I wonder how many people would actually know to do that? I also wonder if the Social Media Coordinator at the Identity Theft Resource Center had something that I just wrote about happen to me, then how often is this occurring?

Needless to say, I understand that having some malicious links pinned onto your Pinterest boards is not as devastating as having your checking account taken over. However, it did really make me feel vulnerable and a bit violated. In the end, the lesson was learned to check my Pinterest more often than once a month. I advise that you do the same.

“My Pinterest Got Hacked” was written by Nikki Junker. Nikki is the Social Media Coordinator at the ITRC.

You may have heard the tech term “patches” thrown around the office or mentioned in news segments, but if you’re not already familiar, you should be. Patches are perhaps one of the single-most important cyber security tools that the everyday tech user needs, right up there with things like anti-virus software and scanning filters.

A patch is a small piece of software that a company issues whenever a security flaw is uncovered. Just like the name implies, the patch covers the hole, keeping hackers from further exploiting the flaw. A number of holes have been exploited with severe consequences before their developers could create a patch, including the Heartbleed virus in 2014 and the recent WannaCry ransomware attack that struck just this month.

WannaCry hit more than 200,000 computers and networks before a 22-year-old cyber security whiz identified and activated a kill switch. Some of the hardest hit networks were hospitals, as their systems were locked up by the attack. This resulted in the loss of patient care, and some facilities even had to turn away patients due to the inability to access any of their computers. The only way to unlock the computer and remove the ransomware was to pay the fine in bitcoin to the hackers, at least until the block was discovered.

Microsoft had already issued a patch only a matter of weeks ago for the particular hole that led to WannaCry, but many users had either not installed it or did not have automatic updates activated on their systems.

Whenever cyber security experts, researchers, or even just highly knowledgeable “hobbyists” discover a new flaw, the typical protocol is to alert the software developer immediately so they can issue a patch. They do not usually make the discovery public. This might seem counterproductive since typically the public can’t take action to protect themselves, but experience has shown that informing the public also alerts hackers to the existence of the flaw. By only telling the developers first, hopefully they will close up the hole before anyone else discovers it on their own.

Unfortunately, this kind of secrecy—while necessary to keep hackers from launching new malware attacks—also means that if the developer themselves discovered the hole and patched it in the next regularly scheduled update, you may never know about it. That’s why it’s very important to keep all of your software and handheld devices up-to-date; depending on your comfort level with your own tech you might choose to set your computer to automatically install any new updates from the developer.


If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App.

A recent hot topic in the news is the infection of computers and computer systems in the Middle East. The damage is being attributed to a new threat that is being called “the most sophisticated cyber weapon,” “the most complex threat,” and “a massive, highly sophisticated piece of malware.” This new threat is known as “Flame.”

Before taking a look at what experts are saying, note that the dictionary definition of ‘malware’ is “malicious software that is intended to damage or disable computers and computer systems.” In essence, there are different types of malware designed for specific purposes; however, in their simplest forms they are created to do exactly what the dictionary definition describes: disrupt computers.

Wired.com provides the gist of what malware does in its early analysis of ‘Flame’: “…the lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a back door to infected systems to allow the attacks to tweak the toolkit and add new functionality.”

Furthermore, according to NakedSecurity, ‘Flame’ has yet to be dissected to find out the workings of the deeper threats it poses to computer users. NakedSecurity states that “at its simplest level, Flame isn’t doing anything different from the vast majority of other malware we see on a typical day.” As a result, they emphasize that computer users should not be doing anything other than what they usually do on a daily basis to protect themselves.

In essence, computer users should continue to keep their anti-virus and security patches up-to-date. In addition, as usual, they should be cautious and fully aware of or familiar with the software they install on their computers, the links they click on, the sites they visit, etc. Based on certain reports, ‘Flame’ can now be detected by anti-virus/anti-spyware software.