You may have heard the tech term “patches” thrown around the office or mentioned in news segments, but if you’re not already familiar, you should be. Patches are perhaps one of the single-most important cyber security tools that the everyday tech user needs, right up there with things like anti-virus software and scanning filters.

A patch is a small piece of software that a company issues whenever a security flaw is uncovered. Just like the name implies, the patch covers the hole, keeping hackers from further exploiting the flaw. A number of holes have been exploited with severe consequences before their developers’ could create a patch, including the Heartbleed virus in 2014 and the recent WannaCry ransomware attack that struck just this month.

WannaCry hit more than 200,000 computers and networks before a 22-year-old cyber security whiz identified and activated a kill switch. Some of the hardest hit networks were hospitals, as their systems were locked up by the attack. This resulted in the loss of patient care, and some facilities even had to turn away patients due to the inability to access any of their computers. The only way to unlock the computer and remove the ransomware was to pay the fine in bitcoin to the hackers, at least until the block was discovered.

Microsoft had already issued a patch only a matter of weeks ago for the particular hole that led to WannaCry, but many users had either not installed it or did not have automatic updates activated on their systems.

Whenever cyber security experts, researchers, or even just highly knowledgeable “hobbyists” discover a new flaw, the typical protocol is to alert the software developer immediately so they can issue a patch. They do not usually make the discovery public. This might seem counterproductive since typically the public can’t take action to protect themselves, but experience has shown that informing the public also alerts hackers to the existence of the flaw. By only telling the developers first, hopefully they will close up the hole before anyone else discovers it on their own.

Unfortunately, this kind of secrecy—while necessary to keep hackers from launching new malware attacks—also means that if the developer themselves discovered the hole and patched it in the next regularly scheduled update, you may never know about it. That’s why it’s very important to keep all of your software and handheld devices up-to-date; depending on your comfort level with your own tech you might choose to set your computer to automatically install any new updates from the developer.


If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App.

Recently, what has been a hot topic in the news is the infection of computers and computer systems in the Middle East. The damage is being attributed to a new threat that is being called “the most sophisticated cyber weapon,” “the most complex threat,” and “a massive, highly sophisticated piece of malware.” This new threat is known as “Flame.”

malwareBefore taking a look at what experts are saying, the dictionary definition of ‘malware’ is “malicious software that is intended to damage or disable computers and computer systems.” In essence, there are different types of malware designed for specific purposes; however, in their simplest of forms they are created to do exactly what the dictionary definition provides – disrupt computers.

Wired.com provides the jest of what malware does by providing their early analysis of ‘Flame:'” …the lab indicates that it’s designed primarily to spy on the users of infected computers and steal data from them, including documents, recorded conversations and keystrokes. It also opens a back door to infected systems to allow the attacks to tweak the toolkit and add new functionality.”

Furthermore, according to NakedSecurity, ‘Flame’ has yet to be dissected to find out the workings of the deeper threats it poses to computer users. NakedScience states that “at its simplest level, Flame isn’t doing anything different from the vast majority of other malware we see on a typical day.” As a result, they emphasize on the fact that computer users should not be doing anything other than what they usually do on a daily basis to protect themselves.

In essence, computer users should continue to keep their anti-virus and security patches up-to-date. In addition, as usual – be cautious and fully aware or familiar with the software they install on their computers, the links they click on, the sites they visit, etc. Based on certain reports, ‘Flame’ can now be detected by anti-virus/ anti-spyware software.

I received a text message from my mobile provider the other day stating that as a premium customer I could download a free anti-virus for my Smartphone. Jaded as I am, working in identity theft, I was leery of a few things. First, I wasn’t sure the text had actually come from my mobile provider. The text message sender was only identified as a five digit number so I could not be sure that this was not actually a smishing scam. Second, I was concerned that even if the text was from my mobile provider, the download would not be free in the end or would expose all kinds of data when I accepted to download the application.

phone malware

So, I headed to my mobile providers website to see if this offer for free mobile anti-virus was legit. After finding the application on their website and realizing that what I was being offered was a very basic anti-virus which could be updated for a fee I came to the conclusion that this was indeed a little personal victory. Not only was I getting free basic anti-virus for my Smartphone, I was being validated for my concerns about mobile security.

Many people do not realize that your Smartphone is a mini PC and therefore vulnerable to the same risks as any laptop or PC. Mobile Malware is a growing threat and while Android devices were originally the target of many malware attacks, the risk for iPhone users is growing as MacOS is increasingly threatened. The best way for Smartphone users to protect themselves is to protect their mobile devices with anti-virus, just as they would their desktop.

The generosity of my mobile provider got me to thinking if all mobile providers were doing something similar. Had they finally caught the drift that if their customers were fearful of using the internet it would affect their bottom line? Perhaps they have as all of the major mobile providers I looked at offered some sort of free anti-virus protection for their Smartphone customers. This is exciting news for us here at the ITRC. It is good to know that there is protection available to consumers, protecting them from mobile malware attacks and therefore, one technique thieves use to get personal information to commit identity theft.

If you haven’t yet downloaded anti-virus onto your Smartphone, head on over to your mobile providers website and check to see if they offer free anti-virus for your device. Make sure that you are actually downloading the app from your mobile provider’s website. Cybercriminals will surely begin to create fake anti-virus applications for mobile devices in an attempt to infect devices with malware, so be sure the application is legitimate and not an application made to look similar.

Every year the Internet Crime Complaint Center, known as IC3, releases their report of the complaints they have received throughout the prior year. This information in gathered through the reports made by victims of cybercrime to IC3. It is then analyzed and reported to authorities at all levels in order to help law enforcement fight cybercrime. The information is also used to make important Public Service Announcements, which help make the public aware of new cybercrime scams and other exploits against citizens. This awareness is an incredibly important step in helping prevent individuals from becoming victims.

This year saw a rise in complaints received by the IC3, with the total number reaching 314,246. The Average dollar loss (for those who reported a monetary loss) was $4,187. Believe it or not, scams which purported to be from FBI topped the list of fraud types reported. The other four types of cybercrime that showed up in these results were identity theft, advance fee fraud, merchandise not delivered, and overpayment fraud. Auto fraud scams alone cost complainants $8.2 million dollars in loss. Romance scam losses amounted to $5700 per hour or $50 million overall. In these romance scams, women aged 50-59 had triple the rate of complaints and nearly 6 times the amount of loss as men in the same age bracket. There was also a rise in something IC3 calls “double dipping” which is where a criminal goes back to the victim and attempts to rectify the situation only to scam them again.

Scams which promised individuals “work from home” jobs were one of the main characteristics of those scams reported. There were over 17, 000 of these complaints and victims are not only conned out of money and time in these scams, but often can be charged with money laundering due to the nature of the “work” they are asked to perform. The total loss for this type of scam was over $20 million and females aged 20-29 seemed to be the largest group of individuals to report becoming a victim.

The information in the 2011 IC3 report mirrors what we see on a daily basis here at the ITRC and we are glad to be able to see the trends and predictions of what we may be dealing with next. One thing is for sure, with new ways to defraud individuals via computers every day, the IC3 report will continue to grow and hopefully help consumers avoid some of these terrible fates.

The Federal Trade Commission charged social network MySpace LLC with falsely representing the protection of its millions of users’ personal information. On May 8, 2012, the FTC made public its press release noting the conditions of the agreed settlement between the FTC and MySpace LLC.

So, what did MySpace do? According to the FTC, MySpace LLC led millions of users in the wrong direction about how the social network shared and protected their personal information that was collected via their personal profiles. The FTC said that MySpace provided its advertisers with its users’ Friend IDs; the unique identifier for each profile created on MySpace. The problem was not only that advertisers were able to use the Friend ID to find a user’s profile, but they were also able obtain the personal information that was made public by the user on his or her profile (age, gender, display name, user’s full name, profile picture – if provided, hobbies, list of user’s friends, and possible interests). This information was used to link web-browsing activity to the user.

MySpace LLC provides their privacy policy statements, which have not been revised since December 7th, 2010. Per their site, MySpace’s privacy policy is divided into different sections: Privacy Policy, Collection and Submission of PII and non-PII on MySpace, Notice: MySpace will provide you with notice about its PII collection practices, Choice: MySpace will provide you with choices about the use of your PII, Use: MySpace’s use of PII, Security: MySpace protects the security of PII, and Safe Harbor. These sections, in essence, advised its users that MySpace LLC would not share information for purposes other than those noted under each section, and that prior to use a user would be notified. Furthermore, another section promised that individual users would not be personally identified to third-parties, especially when it came to sharing web-browsing activity that was not anonymous. The privacy page further explains that MySpace is in compliance with the U.S. – EU Safe Harbor Framework and the U.S. – Swiss Safe Harbor Framework – framework which is set forth by the U.S. Department of Commerce. However, the FTC noted that MySpace’s privacy statements were deceptive in addition to violating federal law. In other words, MySpace was not practicing what they preached.

In the end, the social network agreed to settle. The FTC’s proposed settlement comes with several requests:

  1. Requires that MySpace LLC establish a “comprehensive” privacy program specifically designed to protect consumer information.
  2. MySpace is to engage and be subject to continued privacy assessments for the next 20 years by independent, third-party auditors. \
  3. The agreement “bars MySpace from misrepresenting the extent to which it protects the privacy of users’ personal information or the extent to which it belongs to or complies with any privacy, security, or other compliance program, including the U.S. – EU Safe Harbor Framework.”

In a 4-0-1 decision, the Federal Trade Commission accepted the consent agreement. However, this agreement is now open for public comment – closing June 8th, 2012. Then, the FTC will come to an accord whether it will make the consent order final.

“Shame on you MySpace” was written by Gabby Beltran. Gabby is the Public Information Officer and a Bilingual Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

Last August, Facebook released their Facebook Messenger app for smart phones. This app is great for communicating with large groups of people (like party planning) so that everybody is involved, and also for allowing a friend to locate you in case you are lost or are meeting up at an unfamiliar location. In many ways, this app is a great convenience to many people and does make communication easier, but like with all social networking, users need to know about the privacy concerns and what they need to keep in mind to protect themselves.

The number one thing that consumers have shown concern for is the GPS tracking. When messaging somebody you can have it show everybody in the conversation your location via GPS. They all can see where you are messaging from and use GPS to get directions to you. Though is very useful in some situations, it is important to only use this function when necessary. You might not know everybody who is participating on messenger, nor do the people viewing your conversation have to be on your friends list to see your texts. Be sure you know who you are giving your location to and turn the function off if you aren’t sure.

This situation dovetails into another concern many consumers have. This new app does show everybody invited to the conversation. However, until they make their first post, it only shows their first name. This means, if you know 3 people named “Dave” you don’t know which one could be invited to chat until they say something. This can cause some awkward and embarrassing moments to those who aren’t careful. It also means that people you don’t know could be invited to the conversation and you might think it was actually a friend. Be careful with what you post. Make sure you know everybody before stating things or giving away your location.

The last item that has consumers concerned is that you can tell if a message you have sent has been read or not. For general purposes this is useful, but somebody could use this information to spy on you. It is also a way for spammers to know if your Facebook profile is active and if you have connected your phone to it. By knowing if you have read a message, they could then send you more messages in an attempt to trick you and steal your identity. You cannot turn this function off. The best thing you can do is delete anything that looks suspicious.

“Is Facebook’s New Messenger App a Privacy Risk?” was written by Kat Rocha. Kat is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

Chances are you have a lot of accounts. Personally I have accounts (and passwords) for sites that I don’t even remember. And while I have more accounts than most due to my profession, I would bet many people deal with the same problem I do: Password Overload. Password overload is when you attempt to use your Pinterest, Twitter, work email and university login passwords (one after another) to get into your Money Market Account only to be locked out. Now you have to go into the branch with photo ID, or endure the dreaded “customer service hotline” (not-line) to prove that you are not indeed a thief. Maybe you haven’t experienced such an ordeal, but everyone has experienced something similar.

The problem seems like it could be easily solved by using the same password for everything. One password to remember, and no more jumbling through your notebook trying to find what password you used for your newest account creation or Facebook app. The problem with this approach is that if you are using the same passwords for all of your accounts, then if someone manages to get the password for say, your Instagram account, they would probably be able to drain your savings account, phish your family for personal information (such as your Social Security Number), or rack up a warrant in your name for writing bad checks…. This could all happen because you logged into Facebook at the internet café and re-use the same password for multiple accounts.

So, what do you do if you don’t want to tattoo 25 passwords on your arm (P.S. You would probably now have a MySpace log-in that would need to be covered up) and you don’t want to end up cuffed for felony check fraud? The answer is a password manager. This new service was created so that users can remember just one password, yet have access to all other passwords. The best part is that you can have access to these passwords from anywhere as most of the new password managers are internet based. As the need for password management increases, the options consumers have grown leaving even the strictest cybersecurity aficionado pleased with the service.

A few things you should look for when finding a password manager are:

  1. Is it cross platform? Will it work on your iPhone and your PC?
  2. How is the information (your passwords) encrypted?
  3. Does the service sync or will the user need to update the database every time they sign up for a new account?
  4. What is the initial authentication process and how strong is it?
  5. How reputable is the company who created the product and what is reported about the product itself?

By asking yourself these questions you should be on your way to making sure that your passwords are protected and you won’t lose your mind trying to keep track of them all. Just make sure you protect your login credentials for your password manager…. like really, really well…

“Too Many Passwords? Handle It…” was written by Nikki Junker. Nikki is the Social Media Coordinator at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

Are you considering selling your old laptop or smartphone? As some of us may be aware, deleting files or data from these mobile devices is not enough. The truth is that some of what we think are “files” in these devices are actually “shortcuts,” and deleting these from the devices will not delete the files themselves. Nowadays, personal computers and mobile devices, such as smartphones have replaced the old paper-file method for storing or even doing work. If you are thinking about selling or donating your personal laptop or any of your mobile devices, there are some precautionary steps you may want to take in order to ensure that any personal or sensitive information does not get left behind. Sensitive information left behind can be retrieved and pose a serious problem.

For computers there are two methods for getting rid of files or information stored in hard drives. These two methods are called reformatting and wiping the hard drive. When you format your computer, the files on the disk are not completely erased; it means the address tables are – where a search will prevent the files from being easily located. Formatting the disk is much more than deleting files, however, it is important to understand that it is not completely secure. Reformatting a drive may still allow your data to be recovered, making you susceptible to data theft.

So, it will all depend on the data you have stored in your device. Think about what you have used your computer for. If you have used your computer for online banking, paying bills online, personal email, storing income tax return forms, and/or other important documents – you may want to consider disk wiping. Disk wiping is the other alternative for computers – it removes software and data from the hard drive. The process of disk wiping overwrites your hard drive. If you are getting rid of your laptop, you may want to consider performing a disk wipe service. If unfamiliar how to perform it, there are technical support groups who may be able to perform this task for you.

Here is a link to an excellent short article on this practice: http://enterprisefeatures.com/2012/02/disk-formatting-vs-disk-wiping/

On the other hand, let’s talk about smartphones. It is said that if you have a Blackberry or Apple device – that data wiping will completely remove any stored data on your device. Therefore, you shouldn’t be worried about the possibility of someone hacking into the operating system and retrieving your data. You may either install wiping software or for these two devices, use the factory settings for data wiping. Now, we know there is a third party missing – the Android operating devices. There has been recently publicized advice that if you are considering getting rid of your Android device, that you are better off keeping it rather than letting it go.

Android devices also offer a factory data reset, where all the data on your phone is erased. While the phone is in use, the user can also setup data encryption, where all personal data on the phone is encrypted. In addition, files can be encrypted to your memory card and internal phone storage – you’ll find this under the storage encryption option. Regardless of the type of smartphone you use, you need to be aware of all the information it harvests, and make certain that data is not given away when you are done with the phone.

Ultimately, the truth of the matter is your security depends on the type of information or data you have stored in your device. Often times, if we store personal identifying information or sensitive information that can lead to identity theft, we should be very concerned of the possible threat if we haven’t taken the measures to appropriately delete or erase the data. Exercise precaution.

“Botnet,” has become commonplace terminology in the world of cyber-security. This term is used to refer to a network of private computers (or bots) infected with malicious software and controlled as a group without the owners’ knowledge. Major breach and hacking events over the past few years have awakened many to the potential dangers created by hackers with the ability to utilize other individual’s computers remotely.

Botnets are commonly used to mass email spam, malware, viruses, or to overload a specific website with so many simultaneous requests that it overloads the site causing it to temporarily shut down (commonly known as a DDoS attack).

Last week, the US Federal Communications Commission (FCC) launched a new voluntary U.S. Anti-Bot Code of Conduct (ABCs) for Internet Service Providers (ISPs). It creates new opt-in procedures for ISPs who are dealing with the networks of enslaved zombie computers.

According to FCC Chairman Julius Genachowski, “The recommendations approved [last week] identify smart, practical, voluntary solutions that will materially improve the cyber security of commercial networks and bolster the broader endeavors of our federal partners. Among these recommendations, were things such as: increasing end-user education to prevent bot infections; more aggressive and assertive detection of bots; notification to law enforcement government and consumers of potential bot infections; remediation of bots; and collaboration and sharing of information.”

Many large providers such as AT&T, Sprint, Time Warner Cable, and CenturyLink have all voiced their approval of this approach. They perceive there will be several benefits. The idea is to increase consumer goodwill through taking this active role in anti-bot activities. Some of the expected benefits of this new initiative are fewer calls to help desks from customers with infected machines, reduced upstream bandwidth consumption from denial-of-service (DDos) attacks and spam, and a drop in spam-related complaints.

“Introducing the New FCC Anti-Botnet Code” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.

A recent study done by a cyber security firm known as F-Secure, found that 58 new threats to the Mac operating system were discovered between April and December of 2011. It is a commonly perpetuated falsehood amongst consumers that viruses and malware are only issues for PC platforms, not Macs. Unfortunately, this is a fallacy. Viruses are like any program; they have to be written with platform specific languages, with instructions written for that machine, operating system, type of processor, etc. What this means in simple layman’s terms is that in order to infect a Mac, you must develop software designed for a Mac.

Mac malwareSo while it is technically true that Macs have historically been far less likely to become infected with a virus or malware, the reasons for this discrepancy should be examined. Is it really that Macs are so much more secure? The reality is that Macs are only less likely to be infected…so far, because there are less of them in operation as opposed to PC platforms. As such, they represent a lower possible return on any investment in time and money a cyber criminal or criminals may choose to invest in developing and spreading malware. At this point, because the Mac operating system still owns a minority of the market share, it is comparatively safer than PC operating systems…for now. One scenario that could happen to make attacks on Macintosh computers more common: an increase of Market share of MacOS X computers. Macs must control enough of the market to entice profit-driven malware and viruses to be more commonly developed.

As Internet usage and personal computer ownership continues to become more common the world over, it is entirely plausible that niche-market viruses could develop to focus on Mac operating systems. Remember that while the Mac system is – at this point – more secure, it is more a result of being a less common target of cyber-criminals, and not because the system is inherently more secure. Be wary of links from people you don’t know, or spam emails, as one wrong click can expose your Mac to malware in the same fashion it would a PC. As Macs become ever-more popular, expect the number of threats to increase in a linear fashion.

“Think Your Mac is Immune to Malware? Think Again” was written by Matt Davis. Matt is a Victim Advisor at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to and linking back to ITRC Blog.