Is it just us or did the holidays roll around a little early this year? With time flying by and holiday shopping approaching quickly, we thought it would be helpful for our audience if we covered the topic of mobile payment safety. Mobile devices have made our lives so much easier, haven’t they?

 

Gone are the days when you had no choice but to pack into the mall like a sardine and hope that that special gift was still on the shelf. Now, there are a multitude of ways that you can get those gifts without even leaving your couch. However, with this convenience comes additional risk to your security. Identity thieves have also adapted as online financial transactions have become more and more prevalent. That is why we have asked Lookout to join us to help you stay safe while taking advantage of the convenience of shopping on those mobile devices.

This month’s #IDTheftChat will take place, as usual, on the first Thursday of the month which means we will be tweeting away on December 5th at 11:00am PST.  We will be talking to you about your concerns, stories and tips in regards to mobile payment safety.  Of course, Lookout and the ITRC will be there to provide you with excellent information. Here are the questions for this month’s event.

Q1: Your phone has become a digital wallet. What steps are you taking to protect your financial information?

Q2: When you use your mobile device for financial transactions are you worried about ID Theft?

Q3: Online shopping has never been easier. What devices do you trust to make purchases with?

Q4: Which mobile payment apps have you used? Do they feel safe?

Q5: What’s your favorite tip for online shopping?

Q6: Have you ever had a shady experience during a financial transaction on your mobile device? What happened?

Q7: How do you tell which links are legitimate when browsing the web on a phone?

Q8: How do you think we can bridge the gap between convenience and security on mobile payments?

This month’s event should help produce great collaborative thought and perhaps even some unique and novel solutions to safe mobile payment methods. In order to participate, users should follow the hashtag #IDTheftChat. Those who would like to participate can RSVP via online invitation. Everyone is welcome and we hope that we will see consumers, businesses and organizations alike!

Participants may find it helpful to participate through the #IDTheftChat Twub which can be found at http://twubs.com/IDTheftChat.  Anyone who has questions should contact ITRC’s Media Manager at nikki@idtheftcenter.org. We hope you will join the conversation and bring your friends!

I have been waiting for a certain day all year long. No, it isn’t Thanksgiving where I get to eat as much turkey as I please or Christmas Day when I will undoubtedly receive numerous pairs of my favorite slipper socks.  It’s Cyber-Monday and I am counting down the days.  Last year I managed to get 6 pairs of shoes for under $50.

These weren’t flip flops either. There were heels, boots, wedges… You name it; I was having it shipped to my house. Of course the shipping was free, as well. I spent the better part of 6 hours shopping online that day and not for one second did I stop to think about how safe I was being with my personal information. I came away from my little frenzy safe, thank goodness, but I may not have been so lucky.

Cyber Monday is a day when consumers are looking for those “Too Good to Be True” deals because it is Cyber Monday and those deals exist on this one magical day. If you think cybercriminals don’t take advantage of this day and the hurried mindset of online shoppers, you’re wrong. Cybercriminals know that on any other day you wouldn’t click on a link for an ad claiming to offer “Buy 1 iPad, get 2 free”, but on Cyber Monday you just might. Of course, the ITRC wants you to get those deals, but we also want you to stay safe and protect your identity while you are doing it. So, here are 3 tips to help you avoid becoming an identity theft victim while you shop till your mouse drops.

  1. Use Secure Sites: Secure websites use security technology to transfer information from your computer to the online merchant’s computer. This technology scrambles (encrypts) the information you send, such as your credit card number, in order to prevent computer hackers from obtaining it “en route.” This reduces the number of people who can access the transaction information. The following items shown on your web browser will indicate a connection to a secure web site.
    • https:// The “s” that is displayed after “http” indicates that the website is using a secure (encrypted) connection. Often, you do not see the “s” until you actually move to the order page on the website.
    • A closed yellow padlock displayed at the bottom of your screen. If that lock is open, you should assume it is not a secure site.
  2. Research the Vendor or Website: It is best to do business with companies you already know. If the company is unfamiliar, investigate their authenticity and credibility. Conduct an Internet search (e.g., Google, Yahoo) for the company name. Third party review sites also offer good information regarding what other consumers have experienced. Sites such as the Better Business Bureau and Yelp are useful tools. The results should provide both positive and negative comments about the company. If there are no results, be extremely wary. Remember, anyone can create a website.
  3. Credit vs. Debit: The safest way to shop on the Internet is with a credit card. In the event something goes wrong, you are protected under the federal Fair Credit Billing Act. You have the right to dispute charges on your credit card, and you can withhold payments during a creditor investigation. When it has been determined that your credit was used without authorization, you are only responsible for the first $50 in charges. We recommend that you obtain one credit card that you use only for online payments to make it easier to detect wrongful credit charges and keep your other cards from being exposed. Keep the limit on the credit card as low as you need to meet your shopping budget. There is no use in having thousands of dollars in open credit if you won’t use it. This way, thieves can do only as little damage as possible if they do, in fact, get hold of your information.

The above tips are three easy ways to protect yourself from those cyber criminals out there who have their eyes on your identity while you have your eyes on that plasma TV at half price. Use them to make sure you come away the victor on Cyber Monday rather than the vanquished.  In addition, if you find any amazing deals on shoes or jewelry, feel free to let me know. You know… just for research purposes.

“So Many Shoes, So Little Security: Your Guide To Cyber Monday” was written by Nikki Junker. Nikki is the Media Manager at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

From time to time, here at the Identity Theft Resource Center, we partner with our sponsors to conduct surveys in order to find out more about how we can help consumers.  Recently we concluded a survey with our friends over at Private Wi-Fi and the results were stunning.

During the course of the survey we had more than 700 people respond to our questions. What we found really opened up our eyes to the bigger picture of just how everyday consumers use public Wi-Fi and what their concerns are. Below are 3 findings which we thought were extra important.

  1. 76% of survey takers said that using free Wi-Fi can lead to identity theft. This startling statistic showed us that a good percentage of people know just how dangerous using free public Wi-Fi can be. The word is out on the Internet and in the news that identity thieves are now using public Wi-Fi hotspots to pick up your personal information to commit identity theft. The ITRC was happy to hear about this level of awareness on the issue.
  2. People were 3 times more likely to use a public Wi-Fi hotspot if it was free. Free is good, right? Not so much when it comes to your security. Private Wi-Fi came up with a concept they call “The Convenience Factor” and it is something we have been thinking about for some time here at the ITRC. Basically, it means that the desire for convenience will override a person’s desire for security in many cases. This is an important issue to consider when we try to show everyday consumers how to stay safe. If the advice is not convenient, people will not take to it as easily.
  3. There is some risky business going on during consumers’ use of public Wi-Fi. Of those who took the survey, 71% had accessed their email using public Wi-Fi.  Even more frightening was the amount of personal banking information consumers were making available to identity thieves.  More than one in ten of the survey takers had banked online using public Wi-Fi and 13% had shopped online using a credit card. Yikes!

In addition to everything we learned, all of the information from the survey was put into a fantastic infographic by the people over at Private Wi-Fi. The infographic is titled “The Ultimate Guide to Staying Safe on Public WiFi” and it is a great way to get the word out to people about being safe while using public Wi-Fi.  You can view the infographic below.  Please feel free to use the code below the graphic to embed it into your site to help consumers learn more about the dangers of Public Wi-Fi and how they can stay safe!

“Public WiFi Dangers: In Pictures” was written by Nikki Junker. Nikki is the Media Manager at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Free WiFi Costs More Than You Think

HTML Code for embedding:

<p><strong>Please include attribution to privatewifi.com with this graphic.</strong></p> <p><a href="http://www.privatewifi.com/infographic-76-say-free-wifi-can-lead-to-identity-theft"><img src="http://www.privatewifi.com/wp-content/uploads/2013/11/freewifi_FINAL.jpg" alt="Free WiFi Costs More Than You Think" width="660" border="0" /></a></p>

Black Friday and Cyber Monday are the biggest shopping days of the year. With so many holiday sales being offered and only so many days left till Xmas, shoppers flood the stores and the internet in droves. And so do scammers.  In the fever for trying to find the best deals, be on the lookout for scam artists, con artists, and thieves.

Black Friday Risks:

  • Never leave your purse or wallet unattended. It only takes a few seconds for a thief to take your purse/wallet in an unattended cart while you step away to examine a potential gift.
  • Never let your credit card out of your sight. Skimming machines and devices that record your card information are small and easily hidden in a palm, under the counter, or implanted in a machine. Never let a salesman take your card some place where you can’t see what they are doing with it. This also applies to fast-food drive-thrus and restaurants.
  • The holidays are the time when people will ask you to fill out surveys or other forms for the chance to win a car or a trip to an exotic location. Be careful if you fill these out. Often times these places are actually gathering information on you. Never give them your social security number, driver’s license number or banking information.
  • The holidays are the time for giving and many charities are out collecting for their cause. There is never anything wrong with donating to a reputable organization, but scammers are out in force as well. Avoid giving checks or credit cards when making a donation. A thief can use this information to scam you in the future. When in doubt, donate physical items such as toys or clothing, or look up the company online and see if they are reputable. Many charities have a “donate here” button on their website so that you can send the money or items directly to them without a middleman.

Cyber Monday Risks:

With so many websites offering such great deals and scrambling for your attention, it’s hard to decide which ads are legitimate and which ones are not. But if you keep the following in mind you can be safe in your online shopping.

  • Try to shop at reputable websites such as sites that you have been to before or have a high rating with the Better Business Bureau.
  • Avoid clicking on pop ups. They may look like they are from a legitimate store, but they could be a ploy to take you to another site designed to get your financial information.
  • Never give your social security information online. You do not need to give this information when purchasing an item online.
  • Be on the lookout for emails telling you that you owe money to sites you have never been to. Check to see if this company actually exists. If so, see if there is an account under your information. Often scammers will pose as a legitimate company in order to trick people into giving up their information.
  • Be on the lookout for emails claiming to be from a charity organization. Many scammers will pose as a charity in order to prey on holiday good will. When in doubt, look up that charity with the BBB or find their actual website and donate to them directly. Do not use the information in the email.

And remember, always check your credit card statements at the end of the month and check your debit card purchases at least once a week. This is the best way of catching fraudulent transactions and reporting them immediately.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.

November 7th is the first Thursday of the month and that means it is time for another Identity Theft Twitter Chat. This month’s topic is mobile device safety and identity theft and we are very happy to have Christopher Burgess, CEO of Prevendra, as our co-host. Don’t know who he is? Well you should because it isn’t often you get to talk about mobile safety with someone who used to be in the CIA!

We are very excited about this Identity Theft Twitter Chat as we are all nomophobics over here at the ITRC. This Identity Theft Twitter Chat is just another way that ITRC is really trying to reach mainstream consumers to make them aware of identity theft and we think this is a great topic to do just that. It is our hope that this chat will reach those who may not consider participating in a Twitter chat based around identity theft or cybersecurity, but would be interested in mobile device safety.

This Identity Theft Twitter Chat will take place at 11:00am PST on November 7th.  The questions that we will be basing the discussion around are:

Q1: How old were you when you got your first mobile phone?

Q2: How many mobile devices do you have?

Q3: What do you do with your old mobile devices?

Q4: Do you have anti-virus on your smartphone or tablet? Why or why not?

Q5: What concerns you most about mobile device safety?

Q6: Have you ever had a mobile device stolen? What happened?

Q7: What do you do to keep your identity safe on mobile devices?

Q8: What tips do you have for people to keep their identity safe on mobile devices?

Q9: What resources do you use to teach your kids about mobile device safety?

This month’s event should help produce great collaborative thought and perhaps even some unique and novel solutions to safe mobile device usage. In order to participate, users should follow the hashtag #IDTheftChat. Those who would like to participate can RSVP via online invitation. Anyone is welcome and we hope that we will see consumers, businesses and organizations alike!

Participants may find it helpful to participate through the #IDTheftChat Twub which can be found at http://twubs.com/IDTheftChat.  Anyone who has questions should contact ITRC’s Media Manager at nikki@idtheftcenter.org. We hope you will join the conversation and bring your friends!

 

If you run a business that has commercial interests and online interactions (as nearly all companies do these days), you might consider cyber insurance as a tool for mitigating the potential financial damage that may occur as a result of any type of breach, hack, or other fraud arising from internet communications.

Cyber insurance is a method to address the first and third party risks associated with all types of e-business, networks, and any other valuable information trafficked online. This form of insurance can potentially encompass all types of potential loss, from risks associated with privacy issues and virus transmission to infringement on intellectual property. Virtually any type of loss or liability that can result from online interaction can be covered. This relatively new industry sprang up as a natural counterpoint to the risks assumed by interacting in an exponentially growing e-marketplace. Traditional liability insurance products do not address these types of risks. Commercial businesses operating online now assume many of the same risks of exposure as large data companies, publishers, and information providers. The major difference is the potentially limitless class of people and organizations that may hold your company liable in the event of a breach incident or improper exposure of their personally identifying information (PII).

In addition to the liability coverage cyber insurance provides, there is also an additional benefit of heightened awareness of threats on the part of management (who are footing the bill for the insurance) and therefore the greater level of effort towards educating employees on best practices to mitigate this type of risk.  When one considers purchasing cyber insurance, the insurance issuer will require an assessment of current conditions of your network security, employee practices, and every other aspect of a company’s operation that may alter the level of risk associated with e-commerce.  While this can be an annoyance, it can also be a very valuable tool.  Cyber insurance companies usually make use of an independent third party to run the initial assessment.  This will provide the employer with a very thorough look at their relative security, and point out where the greatest areas of risk are in their particular operation.  Though none of this sounds like a whole lot of fun, I promise you that being held liable for a major breach is much less so, and is far more expensive than even the highest insurance premium.

So if you have a business that maintains a large online presence, it might be worth considering the costs and benefits of cyber insurance.  For additional questions, contact the Identity Theft Resource Center at (888) 400-5530.

“Cyber insurance: What is it and why would you get it?” was written by Matt Davis.  Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

According to the National Cyber Security Alliance, this year and the foreseeable future, one in five small businesses in the U.S. will be hacked. Of those that do get hacked, there’s a better than 60% chance they will go out of business. That’s about the same odds as playing the game of Russian roulette.

No sane person would ever consider playing that game, knowing the possible end result. So why do small to medium size businesses (SMBs), and many big ones too, play this game in the business world? Yet all across the globe SMBs, law firms and medical practices play this game on a daily basis with their business computers, leaving them vulnerable to cyberattacks with their sensitive data exposed. So how do cyber-criminals gain easy access to corporate computers, laptops, and mobile devices? How are they grabbing crucial data that’s causing many of the hacked businesses to close their doors for good?

The answer is keyloggers. A keylogger is an insidious and extremely effective piece of malware that’s capable of evading detection by nearly all anti-virus programs. It can get past sandboxing and whitelisting attempts by some of the most advanced firewalls and IPS/IDS devices. A keylogger does exactly what the name states. It captures every keystroke typed on a computer keyboard and transmits that stolen information to a remote server controlled by the hackers. This may seem elementary to many people in the cybersecurity industry, but most people from small business owners up to board members of Fortune 500 companies are not aware of this very effective weapon used to compromise thousands of computer systems.

Keyloggers have been credited with many of the world’s most notable breaches: RSA/EMC, Lockheed Martin, Google, Epsilon, Oak Ridge Nuclear Weapons Lab, Citibank, Sony, World Bank, TJX, Heartland Payment Systems, the New York Times, NBC, Schnucks Supermarkets, as well as tens of millions of medical clinics, small businesses and consumers around the world. According to the 2012 Verizon Data Breach Investigations Report, malware was found in 69% of the breaches. Of the breaches where malware was used to steal data, 98% of the time they were paired with keylogging functionality.

Let me emphasize that: 98% of malware contains keyloggers.

What makes keyloggers the weapon of choice is that they have been designed to avoid detection by anti-virus and anti-malware tools, and anti-phishing training, too. Cyber-criminals continuously test their malware against all the available security solutions to ensure they can evade detection to deliver their payload. Keyloggers can be embedded into any type of download (MP3, video, a picture file, a codec to run some videos, a Flash file, an online game) or attached to a phishing email or any type of web link. Speaking of mobile devices, mobile malware has jumped 614% in the last year.

Social networking websites, like Facebook, LinkedIn, Twitter, Tumblr, and Pinterest, have become one of the favorite places for hackers to propagate spyware. Why? They are porous in terms of defense. Facebook is an extremely popular attack vector because of the popularity of third-party applications and games such as Farmville, Candy Crush Saga, and Words With Friends, amongst others. Apps that add a “dislike” button or let you see who unfriended you are also very popular and successful tactics. Just last month, a hacker who “debugged” Facebook code, and who wasn’t paid, got the world’s attention by hacking Mark Zuckerberg’s FB page. Should anyone now entrust his or her data to Facebook?

Anti-virus and anti-spyware cannot keep up with this threat; they are still stuck in the 1990s relying on signatures and weak attempts at behavioral analysis. This is why A/V solutions have been found in recent studies and reported in the New York Times to be less than 25% effective against modern malware, and less than 2% effective against a targeted attack. Keyloggers make a mockery of the majority of cyber defenses. It’s the path of least resistance for hackers.

The Internal Threat of Email

So what kind of data are the cyber-criminals after that’s causing so much economic carnage? For starters, it’s banking credentials. Banking websites’ usernames and passwords are highly sought after because hackers can easily create wire transfers of all the money in the bank to foreign bank accounts and/or prepaid debit cards. Email usernames and passwords are also highly sought after by the cyber-criminals because they are the keys to our online lives. Email addresses can be used to reset passwords for nearly everything we do online, such as credit cards, home utility bills, car payments, health insurance access, and online payroll websites. It’s easy for a cyber-criminal to set up several of their cronies with paychecks at the expense of small businesses.

Cyber-criminals are also after product designs, engineering drawings, sales plans / forecasts, negotiation positions, client / customer lists, contracts, sensitive emails, H.R. records with employee social security numbers, and a whole lot more. For medical practices such as doctor’s offices and clinics the danger lies in the fact that many of them have poor or non-existent cybersecurity hygiene skills to begin with. They play online games, download music, and surf the web unrestricted on the same computers that house patient medical information. (I know because I have personally witnessed this behavior numerous times.) Healthcare systems easily become infected with keyloggers due to poor user behavior and protocol, not to mention lack of security tools. Medical office staffs are burdened with finding training solutions and documents to satisfy the HIPAA training compliance and requirements.

In an effort to avoid paying for these solutions, they perform web searches and will download a free document, PowerPoint or PDF file, not realizing that these files may be booby-trapped with malware and were intentionally offered for free by the hackers in an effort to lure unsuspecting victims to them. This is known as a Watering Hole Attack.

The Prize of Medical Data

Prized medical data includes Medicare and other health insurance identification numbers, access to cloud-based EMR/EHR (Electronic Medical Records / Electronic Health Records), and access to a doctor’s ability to write e-prescriptions. With access to e-prescriptions, a cyber-criminal can impersonate a doctor to access expensive drugs and other controlled substances, then invoice them to an unsuspecting patient’s insurance. A medical hacker can also impersonate a patient or obtain expensive medical care under the victim’s name.

Medical identity theft is not as easy to repair as financial identity theft. In many cases, these forms of personal attacks take upwards of five years to be corrected, and even then might not be resolved because of the credit agencies’ indifference towards people. Medical identity theft can also have dire and sometimes deadly consequences for an elderly or sick victim, with incorrect prescriptions or treatments resulting from medical records that were contaminated and altered by someone impersonating them to obtain healthcare. Is it any wonder that healthcare is seen to be approximately seven to ten years behind the financial industry when it comes to cybersecurity controls?

To think that all of this started with keyloggers and could have been prevented is the amazing part. Why make life easy for the army of hackers? Aside from the financial impact of suffering a cyber breach, and/or not reporting it the right way in accordance with data breach notification laws, the damage to reputation can be irreparable. Compound that problem with class action lawsuits, as well as insurance companies denying liability claims to victimized businesses, and state attorney general offices penalizing businesses for suffering a breach. How can these breached companies stay in business?

Over the years many security solutions have sprung up, ranging from attempts to stop keyloggers from getting onto a computer system to impractical virtual keyboards. Some even give a false and dangerous sense of security by promising to hold all the secret passwords in an encrypted vault. I say false and dangerous because while the passwords may be encrypted in the database, the master password used to lock and unlock these applications is still susceptible to desktop keylogging.

This is also one of the major flaws of file encryption tools to begin with. What good is encryption if the keys to the kingdom are compromised at the keyboard? That is an impossible task for these solutions to accomplish because they are attempting to protect the data at the application layer all while the keylogger is operating at the kernel layer hooking into the message queues of the Windows and Apple operating systems (You read that correctly, Apple is not immune to keyloggers). To put it in plain English, they’re trying to protect the 7th floor of a building by locking the doors and windows, while completely ignoring the air vents coming up from the basement.

Now this is not an attempt to disparage the password vaults and encryption tools, because they’re still the good guys and are making an effort to combat cyber-crime, except they’re fighting the battle on the wrong front. Many organizations educate their staff with anti-phishing training hoping they become more secure because their employees now recognize the Nigerian 419 scam and know not to click on an attachment from a foreign person or entity. But how many of those training sessions are effective at helping an employee recognize that their colleague’s or college friend’s email has been hijacked by a cyber-criminal in an attempt to get them to open a trapdoor attachment named “executive pay summary” or “recruitment plan”?

That type of spear phishing campaign is what compromised RSA’s systems with keyloggers and gave the hackers access to the company’s SecurID two-factor authentication product design. A security company being hacked with its flagship product, how ironic is that? Anti-phishing training isn’t effective because all it takes is one clueless or disgruntled employee to click on the link and compromise everything. And with large corporations turning over new workers every week, training alone will not get it done. A company’s cyber defenses should never be solely dependent on training to detect phishing attempts, which is only one line of defense. Employees should instead be trained on what constitutes sensitive and protected information, and how to handle the data to comply with the various regulatory compliance laws. They also need to be trained on the regulatory and privacy laws within the jurisdiction of their businesses, such as HIPAA, PCI, MA201 in the U.S. and the EU Data Protection Act and PCI for businesses that are based or operate within the European Union.

The best approach is a holistic approach. That is what businesses need to survive the relentless assault against all the hard work they’ve spent years building. The best approach should be comprised of a defense in depth, coupled with education. In other words, focus on protecting the data and applications by locking them down with role based access controls, tag the data to detect abnormal behavior and insider abuse, authenticate the human with multi-factor authentication instead of certificates on the machine when a request comes in remotely. And last but not least, cloak the data from the hackers by deploying a “keystroke encryption technology” to render keyloggers useless. Only then will the playing field be leveled and businesses will have a chance of surviving this cyber onslaught.

“The Dangers of Spies on Your Keyboard” was written by Peter Simon. Peter is an Information Security Evangelist and IT security solutions architect. He founded OneForce Technologies in 2007. OneForce Technologies helps companies demystify security by delivering training solutions to address the various regulatory compliance requirements for data security. This article originally appeared in Cyber Defense Magazine.

As the Identity Theft Resource Center helps to recognize National Cyber Security Awareness Month, it is appropriate for us to reflect upon how much has changed in the world of privacy, cyber security and identity theft in the last 10 years.

In 2003, the cost of a gallon of gas was $1.83 compared with the approximate $3.90 we see today. Apple had just launched iTunes and the first iPod only two years previously (January and October 2001 respectively). It would still be another four years until the first iPhone would be launched. Now, 10 years later, it is announced that Apple is the number ONE most valuable brand in the world (surpassing even Coca-Cola).

In 2003, Google had been around for 7 years and was enjoying the almost inconceivable number of 200 million searches per day, and Gmail was getting ready for launch in early 2004.  Today, Google handles more than double that traffic, has 67% share in the U.S. search market and there are now 425 million Gmail users.

The ITRC is celebrating a 10 year anniversary as well.  In 2003 we were recognized as a 501c3 non-profit.  At that time the sole mission of the ITRC was to provide the best in class victim assistance at no charge to consumers throughout the United States.  That goal has remained at the core of the ITRC’s mission. However, much has been added to our goals and activities. We now provide education and awareness initiatives in identity theft related issues such as cyber security, data breaches, scams and fraud.  It is our goal to stem the tide of identity theft by determining issues that are potential pitfalls for consumers and helping them to minimize their risk.

One constant over the past 10 years has been the steady increase in the number of victims of identity theft.  For more than the last 10 years (13 years actually) identity theft has been the number one fraud related complaint captured by the FTC Consumer Sentinel Report.  We have seen this number of reported victims grow from 31,000 in 2000 (FTC Consumer Sentinel) to 8.6 million in 2010 (Bureau of Justice Statistics).

While we recognize that low-tech mechanisms certainly still exist as a means to pilfer one’s identity, we believe the tremendous growth in the crime must be attributed to the overwhelming growth of the cyber world.  This year it is estimated that the number of cell phones on the planet will outnumber people.  We are all walking around with a tiny computer in our hands, and all the inherent risks that poor cybersecurity practices carry with them are now carried in our pockets and purses.

Sound cybersecurity practices are at the base of the pyramid when it comes to protecting our identities.  That is why the ITRC is a champion of National Cyber Security Awareness Month.  We have scheduled several projects that will demonstrate both our commitment to this effort and the importance of its success.  From a local presentation at a town hall meeting on October 1st, to a Twitter chat that will attempt to engage a national audience, we are preparing to make great efforts to build awareness of this issue. Please engage in this dialogue this month.  Get your families involved, from your mother and father down to your children; this is everyone’s business!

“How Far We Have Come” was written by Eva Velasquez. Eva is the CEO/President of the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

In the digital era that we live in, almost any service we use requires a username and password regardless of whether it is a paid service or not. To avoid identity theft and fraud, it is important to ensure that your passwords are strong and not susceptible to being hacked by criminals seeking your personal information.

To help you protect all your valuable personal information, we have compiled a list of tips on creating and protecting your passwords.

Create a Strong Password: A strong password is one that is not easily guessed and not easily cracked by a hacking program.

  • Make your password as long as possible, with a minimum of 8 characters. The more characters there are, the harder it will be to guess or crack using a hacking program.
  • Mix special characters, lowercase letters, uppercase letters, and numbers to increase the complexity of your password.
  • Do not use correctly spelled words found in a dictionary as hacking programs will use “libraries,” or lists of common words or bits of text, to speed up how fast they can crack passwords.
  • Do not use your birthday, Social Security number, place of birth or any other personal information in your password as this information is sometimes readily available on the internet.
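The four tips above can be turned into an automated check. The following Python sketch is an added example, not code from the ITRC or the article's author; the word list, the substitution table and the `check_password` name are assumptions made for illustration, and a real check would use a far larger dictionary.

```python
import re

# Constructed sample word list; a real check would load a much larger dictionary.
COMMON_WORDS = {"password", "welcome", "dragon", "monkey", "sunshine", "letmein"}

# Undo common character substitutions so "P@ssw0rd" is still matched as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e",
                      "$": "s", "5": "s", "!": "i"})


def check_password(password, personal_info=(), min_length=8):
    """Return the list of tips the password violates (empty list = passes)."""
    problems = []

    # Tip 1: length, with the article's minimum of 8 characters.
    if len(password) < min_length:
        problems.append("too short")

    # Tip 2: mix of lowercase, uppercase, numbers and special characters.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    if not all(classes):
        problems.append("missing character class")

    # Tip 3: no dictionary words, checked before and after undoing substitutions.
    lowered = password.lower()
    normalized = lowered.translate(LEET)
    if any(w in lowered or w in normalized for w in COMMON_WORDS):
        problems.append("contains dictionary word")

    # Tip 4: no personal details. Compare letters and digits only, so a
    # birthday written "03/14/1985" is still found inside "03141985".
    squashed = re.sub(r"[^a-z0-9]", "", lowered)
    for item in personal_info:
        token = re.sub(r"[^a-z0-9]", "", item.lower())
        if len(token) >= 4 and token in squashed:
            problems.append("contains personal information")
            break

    return problems
```
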

Do not share your password with anyone: This is a bit of common sense, but many people think that it is ok to share a password with someone they trust. Sharing a password is never a good idea. Even if the person you are giving it to is trustworthy, they may not protect your password as diligently as you would, or the email in which you sent them your password may get hacked at some point, giving account access to a thief.

Do not use the same password multiple times: While it is understandable that you do not want to create a completely unique password for every website or service you use, you should still try to differentiate your passwords. When you use the same password for everything, this gives thieves the chance to steal an easier to access password for a low security website and then use it to gain access to a high security website like your online bank account. You can use the same base password and make a unique ending related to each website, but the more unique your passwords are the better.

Beware of phishing scams: A phishing scam is where a criminal attempts to trick you into giving out your username or password information by pretending to be a site administrator or an employee of a company. Often, this will come in the form of an email which will look official because it has a logo, a heading, and an official sounding title of the sender of the email who is asking you for your information. This will always be a scam as companies will typically never ask you for your login information over the phone or email.

It is understandable if you have so many accounts that it isn’t feasible to have a completely unique and strong password for each one. A password manager may be useful for you as they will reduce the number of passwords you will have to remember and some of them will even create passwords for you. To read more about password managers on our website, click here.

“Secure Password Tips” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Your computer’s hard drive contains an extraordinary amount of personal information; information that an identity thief could use to commit financial, criminal and medical fraud under your identity. So when you are considering selling or throwing away an old computer, naturally, you delete everything off of your hard drive. But is that enough?

There are different methods of “deleting” information off of your hard drive and not all of them actually delete anything. Data is encoded onto a hard drive by magnetizing strips of material that the computer can later retrieve by reading the magnetic pattern encoded into the disk. To permanently delete information, the magnetic code must be fully removed from the disk.

Recycle or Trash Bin

Most people delete files and information off of their computer by dragging or sending the file to the recycle or trash bin and then emptying it. This is misleading because that information is not actually deleted. When a file is “deleted” in this manner, the computer does not remove the magnetic information from the disk, but instead makes that space on the disk available for information to be stored. Thus, you may think you deleted a file, but in actuality the information is still encoded into your hard drive and could be retrieved by someone else unless your computer happened to write over that information when you saved something else.

Physical Destruction or Degaussing of Hard Drive

There are two ways you can destroy the hard drive to ensure the data stored on it is unrecoverable. One, you can smash the hard drive yourself with a hammer or other tool, but you run the risk of leaving some information that is recoverable if you do not do a thorough enough job. There are many companies that provide shredding machines capable of reducing a hard drive into a pile of scrap metal, fully eliminating any ability to recover any information.

Another way to permanently delete information off of the hard drive is to degauss it. Degaussing is a process by which magnetic fields are either reduced or eliminated. Unfortunately, this method of permanent deletion will also damage your hard drive, rendering it incapable of storing information in the future. Obviously, the downside to these methods is that you will not be able to sell or use the hard drive ever again, but at least you know your data is gone forever.

Electronic Shredding

Electronic shredding is the process in which information is deleted off of a hard drive by rewriting information over the old information multiple times. This is a form of formatting the hard drive, but is more thorough due to the multiple rewrites and the pseudorandom data that is used to write over the old information. The multiple rewrites continually erode any old magnetic fields coded into the disk until they are unrecoverable. Some programs permanently delete individual files or folders and others permanently delete the entire hard drive. If you are throwing away or selling your computer, it is recommended that you use an electronic shredding program that wipes your entire hard drive. This ensures that no personal information is left on your hard drive in the case that some of your personal information is in a file or folder that you forget to individually delete.
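To make the file-level variant concrete, here is a short Python sketch of overwriting a single file with pseudorandom data several times before deleting it. It is an added example, not a tool from the article or the ITRC; the `shred_file` name and the default of three passes are assumptions, and it assumes a conventional magnetic hard drive as the article describes.

```python
import os


def shred_file(path, passes=3, chunk_size=1024 * 1024, remove=True):
    """Overwrite a file in place with pseudorandom bytes, then delete it.

    Returns the number of bytes overwritten in each pass.

    Limitation: this only rewrites the blocks the file occupies now. Old
    copies left elsewhere (temporary files, earlier versions) are untouched,
    and SSDs or copy-on-write file systems may store the new data in a
    different place, which is why a whole-drive wipe is the safer choice
    before selling or discarding a computer.
    """
    size = os.path.getsize(path)

    # "r+b" opens the existing file for writing without truncating it, so the
    # writes land on the file's current contents rather than a new empty file.
    with open(path, "r+b") as f:
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining > 0:
                n = min(chunk_size, remaining)
                f.write(os.urandom(n))  # pseudorandom data from the OS
                remaining -= n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the disk before the next

    # Only now release the space, as emptying the recycle bin would.
    if remove:
        os.remove(path)
    return size
```
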

The bottom line here is that when you are releasing control of your hard drive, you need to make sure that all of your personal information is permanently erased or destroyed to avoid identity theft and fraud.

“Electronic Shredding – Get Rid of Ghost Data” was written by Sam Imandoust, Esq. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.