Social networking sites are a great way for families and friends to stay in contact with each other. They also provide an open forum for people to speak their mind, talk about issues that are important to them, and share photos and memories with the world. Kids and teens have especially taken to this new way of connecting with people. In 2009, 38% of 12 year olds in the United States were members of at least one social network according to the Pew Research Center’s Internet and American Life Project. Kids love chatting, sharing real time photos, and instant messaging each other.

This is a wonderful tool for kids and teens to use, but there are certain things that must be taken into consideration, the first being the mental and emotional maturity of the user. Most young people don’t understand that what you post online can be seen by everyone, and is online forever. Pictures, comments, etc. can be viewed by anybody you allow access to. The biggest concern most parents have is stalkers and pedophiles who can use the information posted by kids to pinpoint what school they go to, the route they take to walk home, if they have after school jobs, or if they will be at a particular location unsupervised like at the mall.

The second concern is that most kids don’t understand the long term consequences of what they post. Some users have found their posts used against them years later when they are applying for college and jobs. Comments about a particular college could result in an application to attend being denied. Pictures and comments at parties and social gatherings could cost you a job. Even pictures that a minor child may think are safe to post or share online could result in criminal charges of child pornography and a permanent record as a sex offender.

The last thing kids and teens need to keep in mind is that anything they post online can be accessed and manipulated by others. Cyberbullies have been known to take pictures from legitimate social networking profiles and create a dummy profile. They may doctor the pictures to depict the original person in compromising and embarrassing situations.

When teaching your children safety online it is always important to stress that nothing they post is 100% guaranteed to be private. Parents should be proactive in monitoring what their children post and talk with them if they see anything they deem inappropriate.

Most iPhone users store a considerable amount of personal data on their phone that would be devastating to lose. This can be in the form of pictures, saved PDFs, passwords, banking information, credit card information, and personal text messages. Therefore, it is extremely important to keep your iPhone as secure as possible. Luckily, there are a few simple things that you can do to help ensure the safety of the personal information on your iPhone.

  • Enable the Auto-Lock and Passcode Lock features under the general settings. The Auto-Lock feature will automatically lock your phone after it has been sitting idle for an amount of time that you pre-determine. The Passcode Lock feature will require a 4 digit password anytime someone attempts to access the phone when it is locked. These two simple features provide significant deterrence to the random individual who may try to steal your phone when you leave it sitting about.
  • Siri is incredibly useful and is capable of accessing and providing personal information to whoever is using the iPhone. Unfortunately, a user is allowed to communicate with Siri even if the phone is locked. Thus, Siri can be used as a workaround to the passcode feature, giving access to personal data when the iPhone owner thinks that the phone is locked down. In the Passcode Lock menu, you can opt to turn off Siri while the phone is locked.
  • Use a Virtual Private Network (VPN) when using the iPhone to access the internet from public WiFi locations. Public WiFi poses a danger to your iPhone and personal data because hackers can use public WiFi hotspots to monitor what you are doing on your iPhone as well as what information you may be inputting into it. A Virtual Private Network encrypts the signals from your iPhone making it impossible for hackers to decipher what you are doing on the internet.
  • Always have an updated antivirus program installed on your iPhone to help prevent virus or other malware from infecting your phone.
  • Enable Find my iPhone under the iCloud settings which will allow you to determine where your iPhone is at any given time in addition to giving you the ability to remotely wipe your phone of all its information. This is extremely useful because the 4 digit passcode can easily be decoded by a determined hacker. With this feature enabled, if you lose your iPhone all you have to do is sign onto any computer and elect to remotely wipe your iPhone of all its information.

“How to Protect Data on Your iPhone” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original post.

Most of us who own smart phones store a considerable amount of personal data on them which could be very damaging if the phone was lost or stolen. Everything from valuable documents, passwords, personal pictures, banking or credit information, and personal text messages could be compromised. Fortunately, there are several steps one can take to protect the data stored on their phone. What follows are some best practices for protecting the data on your Android Smart phone.

  • Enable the Auto-Lock and Passcode Lock features under the general settings. Go to your settings, and then select “security.” The Auto-Lock feature will automatically lock your phone after it has been sitting idle for an amount of time that you pre-determine. The Passcode Lock feature will require a password, or a trace design anytime someone attempts to access the phone when it is locked. These two simple features provide significant deterrence to the random individual who may try to steal your phone if it’s left unattended.
  • Use a Virtual Private Network (VPN) when using your phone to access the internet via public WiFi. Public WiFi poses a danger to your personal data because hackers can use public WiFi hotspots to monitor what you are doing as well as what information you may be sending over the internet. A Virtual Private Network encrypts the signals from your Android making it impossible for hackers to decipher what you are doing on the internet.
  • Always have an updated antivirus program installed on your Android to help prevent virus or other malware from infecting your phone. Monitoring apps such as Lookout Security can gauge the risk levels of various apps or programs you might be inclined to install on your phone.
  • Always pay attention to what apps you’re downloading. What access rights to your data does it ask for? Is it produced by a reliable/trustworthy entity? Never download an app you’re not 100% sure about, and always pay attention to what rights they require to install their app in your phone.
  • Install a wiping program on your phone so that in the event of a theft or a loss, you will be able to remotely wipe all your sensitive data from the phone so the thief cannot benefit from it.
  • Never pre-store banking passwords or other sensitive passwords on your phone. If someone were to gain access to your Android, there’s no reason that event needs to preclude a thief gaining access to your email or your mobile banking apps.

“Keeping your Information Safe on an Android Device” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original article.

Like millions of other people, I got my first smartphone for work, not personal use. And, just like most other digital device users, my personal life soon became a part of whatever smart phone I was using, and the tasks I expect it to do have broadened greatly since the days of my Kyocera 6035. Without even taking into account iPads, Kindles, and other larger platforms, the activities we now accomplish on a typical smartphone platform are pretty amazing.

Of course, many still have corporate email on the device, but almost everyone will also have a couple of personal email accounts that are also installed on the phone, along with Facebook, LinkedIn, GPS navigation information, a raft of pictures and movies that have been taken with the device, probably some downloaded Internet movies, and so on. And, just like the car you have driven the past few years, quite a bit of this stuff will find its way under the seats, into the side pockets, and in the glove box (who the heck ever used a glove box for gloves?). In other words, there may be quite a bit of information stored in places you don’t normally look (until it’s gone). We also tend to make online transactions, including purchases, banking, and other secure sites, which probably stores some fairly important credentials and other information on our smartphones.

I remember the adrenaline rush of getting up one morning and finding that my Blackberry of the moment had just died… All the email, account info, etc. was gone, except for some stuff that was stored on the removable memory card. A similar situation, even worse, is when someone realizes that their phone has been stolen or lost. It is worse, because now any information on the phone, including email, account info, pictures, etc. may be in the hands of someone who has a penchant for taking your money, rather than a job. Two of my family members have managed to “Drown a Droid” in the past couple months. Sooner or later, these events will happen to you.

When loss of a smartphone or the data on it occurs, there are several key concerns:

  • Was the device protected by a PIN, password, or other method to prevent unauthorized access? While not perfect, having a phone protected does a lot to slow down access to your information. You just won’t believe how much information is typically available in a couple years of email!
  • Do I have a method to remotely erase all the information on the device, to prevent its use for identity theft and fraud? Is there a way to track/find the missing phone?
  • How can I recover the majority of the information, contacts, pictures, movies, emails, etcetera?

First, have your phone protected by at least a simple PIN or swipe pattern. Just DO IT. You don’t want the guy who lifted your phone at a party to be able to instantly start sending email and posting on your phone. If you happen to lose the phone, the same situation applies. Some phones have facial recognition now, which is pretty convenient, and reasonably secure. Whatever security method you choose, make sure your phone is locked within a minute or so of when you set it down.

Second, you may want to use one of the available programs that will allow you to remotely wipe all the personal information from the smartphone in the event of a lost or stolen device. Depending upon the type of phone, iPhone, Android, Blackberry, etc., there are different methods to remotely wipe the phone, and possibly detect its location. For Android phones, Android Lost has been recommended as an app that will allow remotely finding and wiping an Android phone. Microsoft Windows phones can be located and remotely wiped from your user account on a website, www.windowphone.com. Blackberry has always had the remote wipe capability in their administrative software, but it is managed by the system administrator. Apple has a service to find your phone, and remotely lock the phone by using a web based service. Regardless of the type of device you use, you should activate one of the methods before you lose the phone.

Third, recovery of all the data that you have on the phone will also depend upon what steps you have made while you have possession of the phone. You should note that if your main email is provided by a corporate account (Exchange Server), that email can be recreated on a new phone without anything more than setting up your email account on the new device. However, many other types of email, and documents, pictures, videos, etc. will probably require that you set up or activate a backup system for your mobile device. There are many backup systems available for each type of smartphone, and you will have to compare features to choose the one that is best for your protection. Carriers like Verizon offer backup utilities as a part of their service, and Apple offers iCloud Storage.

Mobile device backup has become a growing market, and you will need to choose the system that meets your personal needs. A good place to start is to think “If my phone was ripped out of my hand right now, and would never reappear, what would I need to have on a new phone to be ok?” A second vital question is “What’s on my current phone that could put me at risk if the phone is stolen?” These are questions best answered before your data goes missing.

Now, back to Sudoku. You know, I’d hate to lose my year-long aggregate score….

“Wiped Out? Or Not?” was written by Rex Davis. Rex is the Director of Operations at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original post.

Recently here at ITRC, we’ve received several queries about the effectiveness and use of mobile VPNs. What are they? How do they work? Do I need one for my phone if I send and receive a lot of data? Well, we aim to please…

VPN stands for “virtual private network.” A mobile VPN provides mobile devices with access to network resources and software applications on their home network when they connect via other wireless or wired networks. A VPN maintains an authenticated, encrypted tunnel for securely passing data traffic over public networks. This is important because public wireless internet connections (public wi-fi) are one of the easiest and most common ways for identity thieves and hackers to harvest personal information from their victims.

The increased use of mobile devices and a related rise in employee desire to use their own personal devices for work purposes means it is more important than ever that organizations take appropriate steps to protect corporate information and provide access in a safe and effective way. A mobile VPN makes it possible for users to access the internet via public wireless access in a McDonalds or Starbucks, while still staying safe behind a firewall to keep prying eyes from accessing privileged information. When considering whether or not a mobile VPN is a worthwhile tool to have, there are several issues to consider.

1. The need for privacy

It’s always a good idea in personal practice to exercise sound judgment when accessing the internet in public areas. For work purposes, the need for privacy becomes even more paramount. Not only could you compromise your personal information, you could expose company secrets as well. If your job is the type that requires continuous access to shared information, a mobile VPN should be viewed as a near necessity.

2. Connectivity and Convenience

A mobile VPN functions essentially like a portal to your home or office server. The cost of this convenience and safety should be considered necessary only if one is regularly accessing secure or sensitive information (either for personal or professional use) while on the go. If you don’t have access to your office server and/or don’t use your personal phone to send or receive sensitive information, a mobile VPN may be an unnecessary expenditure. A VPN is likely to come attached to a monthly subscription fee, and will also very likely make the speed of data exchange on your phone somewhat slower than it would be otherwise.

3. Frequenting Foreign Websites?

The secure nature of a mobile VPN allows you to usually access foreign hosted sites faster than otherwise possible.

4. Flexibility

VPNs function on virtually any type of internet connection (wi-fi, 4g/LTE, broadband, etc.).

5. Voice vs. Data Security

It’s important to note that smartphones have both data and voice channels. Mobile VPN ONLY encrypts the data channel i.e., your phone access to a browser, email, and internet resources are encrypted. However, your voice calls are not encrypted through use of a mobile VPN. If you use internet based phone service (Skype for example) that uses the data channel to make phone calls, your voice calls may be encrypted when using your mobile VPN.

 


Bring Your Own Device (BYOD), is a growing trend in the business world where employees use their own personal mobile devices for work. This means that sensitive company information including customers’ personal identifying information (PII) and company trade secrets may be accessible from, or might be stored on the employee’s personal phone or other digital device. While there are many benefits from implementing BYOD for businesses, it also creates a new set of security challenges as employees’ personal phones are more difficult to monitor and protect than a company computer that never leaves the office. Below is a comprehensive but not exhaustive list of security measures that companies implementing BYOD should consider:

Password Protection: A strong password should be at least 8 characters in length and include case sensitive letters, numbers, and special characters. This password should be required to access any company data on an employee’s mobile device. It is also a good idea for the employee to have a 4 digit pin passcode to be able to turn on the phone at all.

Encryption of Company Data: Any company data, or even all data on the phone, should be encrypted using industry standards. Encryption will help protect any company data from being accessed even if a thief has stolen an employee’s mobile device and attempts to hack into it.

Limit use of Apps: Apps pose a security vulnerability, as they are programs that are downloaded by the user, and installed onto the phone. Use of apps on user devices is a hotly argued topic at the moment. These apps can contain malicious software in them, or may simply request and get permissions to access a wide variety of data on the device, in order to complete the install. The possibility that BYOD users might install an app that breaches company data is raising serious concerns in the IT community. This makes it a priority that employees be informed as to what apps are safe and acceptable, and which ones are not. Even with those types of guidelines, it is important for employees to read the reviews of apps to help determine whether it is malicious or not. It is also a smart guideline not to install any app that does not have a significant number of positive reviews. Even with that, it is important that when installing the app that the user be very aware of the permissions the app is requesting, and that they fit the purpose appropriate for the function of the app.

Remote Data Wipe Ability: Employers that allow company data to be stored on a BYOD platform must be able to remotely wipe the device in case the employee either loses the phone or has it stolen from them. Additionally, the employer must also be able to wipe the device upon the employee leaving the company.

Antivirus Software: At a minimum, employees’ devices should have updated antivirus programs installed to help mitigate malicious attacks. In addition to antivirus software, providing VPN connections for employee devices, where appropriate, would greatly reduce risk of breach into the phone’s data.

“Bring Your Own Device Security Tips” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original posting.

There was a time when every parent knew what to tell their children to be safe. Children knew not to take candy from strangers, or go swimming right after eating. These days the rules have all changed and children have a new playground on which they must be trained in order to stay safe.

The cyberworld takes up a huge amount of children’s time and, unfortunately, is very dangerous. Sitting a child down and explaining to them about protecting their private information online or staying away from child predators is not easy. Here are some fun ways to teach your child cybersecurity.

  • Stay Safe Online: Stay Safe Online is a wonderful program put together by the National Cyber Security Alliance. Their website (www.staysafeonline.org) provides a wealth of information for teachers and parents to use in order to teach children about cyber security. The site is even broken down into grade level so that children will not feel like something is too immature or way over their heads.
  • iKeepSafe: Within iKeepSafe’s website (www.ikeepsafe.org) there are areas for educators, communities and parents. There is also a section for children themselves to peruse and learn as they go. One of iKeepSafe’s programs is called “Prevent & Detect”. It teaches parents how they can use technology to prevent and detect everything from eating disorders to alcohol abuse. This is a great way for parents to learn how to use the cyberworld to help protect their children rather than simply fearing it.

Armed with these wonderful resources, it shouldn’t be such a hassle to help children understand the dangers of the Internet. Parents will be able to spend less time on explaining the intricacies of online identity theft and more time making sure their children look both ways before crossing the street.

“How to Teach Your Child About Cybersecurity” was written by Nikki Junker.  Nikki is the Social Media Manager at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the original post on the ITRC Blog.

It has been a particularly disturbing couple of weeks as headlines throughout America highlight how some of our most powerful financial institutions were being hacked by alleged foreign powers. It all began on September 17 when the FBI issued a joint Bank Fraud Alert with the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Internet Crime Complaint Center.

The Bank Fraud Alert warned banks and financial institutions that hackers were using Distributed Denial of Service (DDoS) attacks to take down their consumer websites to distract both the consumers and bank cybersecurity while millions of dollars were fraudulently wired out of peoples’ accounts. The very next day, Bank of America was reported to have website problems and consumers were having trouble accessing the website and their bank accounts.

On September 19, J.P. Morgan Chase Bank was reported to have similar problems as their website went down and consumers could not access their bank accounts. That same day, FS-ISAC raised its Current Financial Services Cyber Threat Advisory from “elevated” to “high” for the first time in its history. A few days later on September 25, Wells Fargo suffered website outages followed by website problems for U.S. Bank and PNC Bank the next day.

A hacker group by the name of Izz ad-din Al qassam Cyber Fighters has been claiming responsibility for these DDoS attacks, but experts warn that it is more likely that an organization with far more money and capabilities is responsible for these attacks. Senator Joseph Lieberman, Chairman of the Homeland Security Committee, stated in a C-SPAN interview that he believed Iran’s government sponsored the cyber-attacks.

Now, the Washington Free Beacon reported on Sunday that alleged Chinese government hackers had breached a computer system associated with the White House Military Office. A White House official confirmed that hackers had breached an unclassified computer network, but emphasized that the network had no unclassified information and no data appeared to have been stolen.

Apparently, the breach was made possible by a spear phishing attack, which involves the use of a message that appears to be authentic and contains a file or link to be clicked on which then installs malicious software onto the computer. The Senate blocked the Cybersecurity Act of 2012 in August which was designed to help bolster cybersecurity in critical infrastructures in the United States, leaving the Obama administration to consider issuing an executive order to improve cybersecurity instead.

“First the Banks, Now the White House” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to the ITRC_Blog.

Last week someone in my family asked me if I could help them with their computer. I asked them what seemed to be wrong with the machine. They told me that it would start normally at first, but as soon as Windows was done loading they would get a pop-up that they had been infected with a virus that was above the level of what their normal anti-virus could handle. They were told that they needed to pay for this additional coverage to remove the problem. Unfortunately, they continued, and paid for the “extra service.”

This person, like so many of us, is not stupid. In fact, they are very intelligent. However, what is taken for granted as basic computer safety knowledge by the younger generations may be an unknown area of knowledge to those who never created a Word document for a paper in High School, never had a Facebook account that their parents monitored, and were never taught even the fundamentals about Cybersecurity. Today, when the Internet is no longer an option but a necessity for most of us, cyber criminals are finding an easy target in people who may be using the Internet and a personal computer for the first time.

I asked this family member if they had current updated anti-virus security on the computer, and they were not quite sure what I was talking about. This I could believe, as many people who were raised in the age of Internet still don’t know the importance of having an anti-virus with updated virus definitions installed on their computers. Good antivirus programs are perhaps the best way to protect yourself (and computer) from many of the threats, including viruses, malware, and cybercrime exploits. This ounce of prevention can save people from spending a pound on a cure.

Unfortunately for my family member, it was “too little, too late” for the prevention approach, and they had to take their computer in to have it fixed. This one event cost much more than an anti-virus program would have cost, not to mention the money paid to the Cybercriminals behind the Ransomware, and the time and frustration of the related computer problems. While it comes as little comfort to my family member now, this story has taught a lesson; use an anti-virus, and keep it up to date, always.

This experience also shows how easy it is to fall for the Ransomware scams, and how important it is to educate people about the current Cybercrime trends. Perhaps the next family night we will not be breaking out the Scrabble, but instead a Power Point presentation on Cybersecurity.


Two days ago, the Federal Bureau of Investigation, the Financial Services Information Sharing and Analysis Center, and the Internet Crime Complaint Center jointly issued a Fraud Alert to financial institutions warning them of alarming trends in unauthorized wire transfers overseas in amounts ranging from $400,000 to $900,000. The Fraud Alert explains that after targeting financial institution employees with spam and phishing e-mails, the cyber criminals installed keystroke loggers and Remote Access Trojans to be able to completely access internal networks and logins to third party systems. In other cases, the cyber criminals stole employee and administrative credentials allowing them to avoid verification methods used by the financial institutions to prevent fraudulent activity.

This enabled them to peruse through multiple accounts, selecting those accounts with the highest balances to conduct wire transfers from. According to the Fraud Alert, the cyber criminals were able to “handle all aspects of a wire transaction, including the approval… obtain account transaction histories, modify or learn institution specific wire transfer settings, and read manuals providing information and training on the use of US payment systems.” The Fraud Alert theorized that the cyber criminals used distributed denial of service (DDOS) attacks against the financial institutions’ public websites as a distraction to keep them occupied and distracted while fraudulent wire transfers were being conducted.

Yesterday, the Financial Services Information Sharing and Analysis Center raised their Current Financial Services Sector Cyber Threat Advisory from “elevated” to “high,” leaving the Physical Threat Advisory at “elevated.” Soon after, Reuters reported, “the consumer banking website of JPMorgan Chase & Co was intermittently unavailable to some customers. The problems followed issues with the website of Bank of America Corp on Tuesday amid threats on the Internet that a group was planning to launch cyber attacks on a U.S. bank.”

This incident occurs amid the heated debate in Washington over how to bolster the cybersecurity in the United States and reminds us just how important cybersecurity is in this new digital age. We must consider as a nation, the impact cyber attacks from criminals, terrorists, or other countries can have on us as a whole. Imagine what could happen next time financial institutions were attacked if the main goal was not to steal millions of dollars but to take the whole banking system down? In order to improve, there has to be change on a national level. The challenge now facing us is how best to balance the competing interests of privacy protection, avoiding over-regulation, and providing room for effective individual cybersecurity protocols.

Senator McCain’s SECURE IT Act has yet to reach the Senate floor, but will likely face intense scrutiny over the potential lack of government regulation and concern over privacy protections. Even modest improvements to our national security picture will require that we put aside the contentiousness and work together in earnest. Unfortunately, it seems that Congress may not be up to that task and President Obama might have to resort to issuing an Executive Order. This action, by its nature, will create more strife and disagreement in an already gridlocked Congress.

“Banks Warned of Heightened Cyber Threat by FBI” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.