There are two closely related but not interchangeable threats to your identity, and the terms often get confused. Credential cracking and credential stuffing both involve someone getting their hands on your personal data, especially your usernames and passwords, but how the two take place is somewhat different.

Credential Cracking

Credential cracking happens when a hacker targets you or your company specifically. They spend a significant amount of time and tech resources on breaking into your accounts by undermining your password defenses. While victims of credential cracking can absolutely be random citizens caught up in a hacker’s trap, the effort behind it often means that the victim was targeted specifically. It might be a business account or a company’s social media accounts, financial accounts, or even the personal finances for someone within a company.

Credential Stuffing

Credential stuffing, on the other hand, usually occurs when a hacker casts a wider net. They either steal a database filled with information, buy it on the Dark Web, or even stumble upon it in an unsecured web-based storage server. Then, they use software that lets them attempt thousands of “matches” at a time, cross-referencing the stolen usernames and passwords that work on one website with many other websites. When they land on a match—meaning the victim’s username and password from PayPal, for example, are the same one they use on Amazon—they can use that information to steal money and even more identifying information.


Who’s Targeted

Another major difference between these two forms of attack is in how the tech-using public can take action. Credential cracking is potentially in your own hands, unless a cybercriminal targets your place of employment; a lot of your preventive strategy will involve practicing good password hygiene. Credential stuffing, on the other hand, is a result of finding a treasure trove of information that someone else did not properly secure. You often have no way of knowing whether or not your information was included in such a database until you receive a notification letter from the company that allowed it to become compromised.

How to Protect Yourself

As always, one of the best defenses against either of these attacks is to use strong, unique, unguessable passwords that you change routinely. Changing your password can actually prevent credential stuffing since your old (and stolen) information would no longer be valid; by keeping your passwords unique—meaning they are valid on one account only—you can also work to avoid credential stuffing since they will not work on any other account.
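The two patterns described above look different in a login log: cracking piles many guesses onto one account, while stuffing tries one or two stolen passwords against each of many accounts. The Python below is an added example, not part of the original article; the event fields, the thresholds and the sample log are constructed assumptions.

```python
from collections import defaultdict
from typing import NamedTuple


class LoginEvent(NamedTuple):
    ts: int     # seconds since the start of the capture
    src: str    # source IP address of the attempt
    user: str   # account name that was submitted
    ok: bool    # True if the login succeeded


def classify_login_sources(events, window=300, min_failures=10,
                           stuffing_min_users=8, cracking_max_users=2):
    """Group events per (source, time window) and label bursts of failures.

    Thresholds are illustrative assumptions, not tuned values.
    Returns {(src, window_start): {"verdict", "failures", "users", "hit_accounts"}}.
    """
    buckets = defaultdict(list)
    for ev in events:
        buckets[(ev.src, ev.ts - ev.ts % window)].append(ev)

    findings = {}
    for key, evs in buckets.items():
        failed = [e for e in evs if not e.ok]
        if len(failed) < min_failures:
            continue  # a few mistyped passwords, not a burst
        users = {e.user for e in failed}
        per_user = len(failed) / len(users)
        if len(users) >= stuffing_min_users and per_user <= 2:
            # Many accounts, one or two tries each: replayed stolen pairs.
            verdict = "credential_stuffing"
        elif len(users) <= cracking_max_users:
            # Many tries against one or two accounts: targeted guessing.
            verdict = "credential_cracking"
        else:
            verdict = "unclassified_burst"
        findings[key] = {
            "verdict": verdict,
            "failures": len(failed),
            "users": len(users),
            # Logins that succeeded inside a flagged burst: these accounts
            # should get a forced password reset and a session review.
            "hit_accounts": sorted({e.user for e in evs if e.ok}),
        }
    return findings


def sample_events():
    """Constructed sample log (documentation IP ranges, made-up accounts)."""
    evs = []
    # One source walks through 12 accounts once each, then one pair works.
    for i in range(12):
        evs.append(LoginEvent(i, "203.0.113.10", f"user{i}", False))
    evs.append(LoginEvent(12, "203.0.113.10", "dana", True))
    # Another source hammers a single account 15 times.
    for i in range(15):
        evs.append(LoginEvent(20 + i * 5, "198.51.100.7", "finance-admin", False))
    # An ordinary user mistypes once and then logs in.
    evs.append(LoginEvent(40, "192.0.2.5", "erin", False))
    evs.append(LoginEvent(55, "192.0.2.5", "erin", True))
    return evs


if __name__ == "__main__":
    for (src, start), info in sorted(classify_login_sources(sample_events()).items()):
        print(src, start, info)
```

Real attacks are usually spread across many source addresses, so in practice the same grouping would also be run on other keys such as user agent or network range.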


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

The Force Has Awakened this #StarWarsDay! May the Fourth Be With You as you break out your lightsabers and prepare to do battle against the Dark Side of our cyber world with tips from the Identity Theft Resource Center and National Cyber Security Alliance.

To celebrate this #MayTheFourthBeWithYou, use the messages below on Twitter, Facebook and LinkedIn to join the cyber force on May 4th, 2019. Don’t forget to use the #MayTheFourthBeWithYou hashtag!


Tweet: It’s #StarWars Day and the cyber force has awakened! Use our tips for protecting your identity from the dark side. #MayTheFourthBeWithYou @IDTheftCenter @StaySafeOnline https://idtheft.center/MayTheFourth

More resources: Identity theft impacts 17 million individuals every year and, unfortunately, can impact you at any time. Learn about the different types of identity theft and how you can protect yourself with help from ITRC.


Tweet: “Do. Or do not. There is no try.” Taking steps to protect your digital identity & privacy every day is a must. #MayTheFourthBeWithYou @IDTheftCenter @StaySafeOnline https://idtheft.center/MayTheFourth

 

More resources: The National Cyber Security Alliance’s (NCSA’s) CyberSecure My Business™ is a national program helping small and medium-sized businesses (SMBs) learn to be safer and more secure online.

 

Tweet: You don’t have to go Solo. Get help from the cyber force with tips from @IDTheftCenter & @StaySafeOnline #MayTheFourthBeWithYou https://idtheft.center/MayTheFourth

More resources: Learn how to protect yourself, your family and devices with these Online Safety Basics

 

Tweet: A new hope for your digital identity is here. We have a plan to help you recover from identity theft. @IDTheftCenter & @StaySafeOnline #MayTheFourthBeWithYou https://idtheft.center/MayTheFourth

 

More resources: For free one-on-one assistance with identity theft, scams, fraud, cybersecurity, privacy and more, contact the Identity Theft Resource Center toll-free 888-400-5530 or LiveChat

 

Tweet: Think you have what it takes to be a digital jedi? Train with steps to empower your privacy & identity. #MayTheFourthBeWithYou #RiseOfSkywalker @IDTheftCenter & @StaySafeOnline https://idtheft.center/MayTheFourth

More resources: Take privacy into your own hands with a privacy quiz. Then learn how to update your privacy settings on popular devices and online services.

 

Even after May the Fourth, you can safeguard your information from the Empire all year long by signing up for our newsletters and staying up to date with the latest threats to your identity and tips:

Stay Safe Online Email Sign-up: https://staysafeonline.org/email-signup 

Identity Theft Resource Center Email Sign-up: https://www.idtheftcenter.org/newsletter-signup/ 


If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App.

Gear up for your next vacation with advice on how to travel safe when it comes to technology and cybersecurity.

Be honest: show of hands, who is ready to put this winter weather behind them and take a nice vacation? Whether it is a glowing sandy beach escape or a picturesque mountain retreat, a vacation can be an instant pick-me-up after the winter blues.

Unfortunately, as too many travelers already know, heading out of town can be filled with pitfalls. Lost luggage, sudden cancellations, and unexpected illnesses are just the tip of the iceberg when it comes to potential problems. However, there is a far more serious danger lurking for the would-be traveler, with consequences that take years to recover from: identity theft.

Cybercriminals do not take vacations, so you cannot let your guard down where your identity, your financial data, even your gadgets are concerned. In fact, in many ways, traveling brings a whole new kind of cybersecurity threat, one that specifically targets people when they are away from home.

Once you have planned your getaway, there are a number of steps you must take to travel safe. Whether you are traveling within the country or abroad, you should consider taking the actions below to protect your information.

Update and Back Up All of Your Technology

If you are bringing any devices with you, now is the time to make sure they are updated to the most recent operating system. The same is true of your apps. When you continue to use an outdated piece of software or an old app, you are leaving yourself wide open to a data breach; developers often issue updates specifically because they have uncovered a security hole. While you are at it, make sure you save all of your important files, documents, or photos to a secure source at home, just in case someone does attack your device.

Disable your Wi-Fi

A simple slide with your fingertip is all it takes to prevent your mobile device from automatically connecting to unknown networks. These are the kinds of free Wi-Fi connections found in coffee shops, hotels, restaurants, airports, and more. Turning off the Wi-Fi will not only save your battery, it will stop lurkers from infiltrating your device over unsecured networks. Do not worry, you can turn it right back on whenever you are in range of a safe connection.

Power Up with Confidence

Avoid public charging stations if you can help it. Whether you use your own cord or use one that is provided, you cannot know where the cord’s connection will lead. In a scheme called “juicejacking,” criminals lure travelers into plugging in their devices for a quick charge, but the cord is actually connected to a hidden computer. The computer is downloading all of the files and information off the devices while you charge up, including usernames, passwords, account numbers, and more. If you can carry your own external charger battery or a “block” to plug into a regular power outlet, that would be much safer.

Passcodes, Passwords, and Pass it On

You might want to update your passcode lock on your mobile devices and your account passwords on sensitive accounts before you leave. That way, you are not enjoying a day out on the waves—and away from a phone or computer—when a hacker steals a database of old usernames and passwords, or steals access to your online bank account and credit card. If you can leave these passwords with a trusted family member, they can help you out if something goes wrong while you are out of pocket.

The Trip is Only Part of the Equation

Remember, your vacation basically starts (at least from a cybercriminal’s perspective) from the day you book the trip through the weeks after you have returned. Make sure you are booking your travels through a reputable company over a safe online connection, and that you are monitoring your accounts before, during, and long after your trip in order to watch out for suspicious activity.



Consumers have been warned for years about the potential danger of compromised payment card readers. Whether in a store, at a gas pump, or even an ATM, a thief simply has to tamper with the keypad and card reader a little bit, install a micro-thin skimming device, then gather up your card information.

Now, a recently uncovered threat called formjacking is basically doing the same thing, only it is happening when you enter your payment details on a website. By inserting malicious code into the site, cyberthieves can swoop in and steal your card number, security code, zip code, and much more.

According to security software developer Symantec, “The number of instances of formjacking blocked by Symantec more than doubled, jumping from just over 41,000 to almost 88,500—a percentage increase of 117 percent.” The company estimates it blocks nearly 7,000 formjacking attempts every day.

This might sound like a problem that only affects less secure websites, but that’s not who thieves are going after. Formjacking targets large e-commerce companies, and websites like Ticketmaster have been victims. By gaining access and injecting the harmful code into a website’s payment page or form, the hackers steal your information without you realizing it and without you ever leaving the trustworthy site you visited. Hackers can gain access to these trustworthy sites through supply chain attacks or by going through a third-party integration like payments, analytics or chat. If a widely used third-party integration is compromised, multiple websites could be at risk from just one infiltration.

That means consumers have to protect themselves from an invisible threat. Fortunately, a comprehensive security suite can often include additional features like suspicious URL blockers, which keep you from landing on unsafe websites, as well as payment card protections. With options out there to meet every budget—from free to car payment-sized—you can certainly find a solution that offers you greater protection and still fits your finances. If your card information is stolen, you can find out about it immediately by setting up “card not present” transaction alerts from your financial institution.

On the other side of the web, it’s up to businesses to ensure they are not putting their customers at risk. It’s important to fully vet any third-party provider that connects to your company’s website, no matter what kind of service they offer. Companies should also ensure they are taking proactive steps to prevent these attacks and perform regular security checks.

Symantec is a proud financial sponsor of the Identity Theft Resource Center



In the age of the #selfie, there are millions of apps for users to apply teeth whitening, airbrushing and the perfect filter for a flawless pic to be shared on social media. Unfortunately, downloading apps can also pose a security risk, depending on the app and the platform from which it was accessed.

Four million Android users who downloaded a popular app from the Google Play store are believed to have been infected with malware that has a variety of consequences. Some of these involve stealing access to your contacts list and pictures, while others actually redirect any popups to pornography websites. Trying to get rid of the app doesn’t work since the app remains hidden after deleting it, making it impossible to drag it to the delete garbage can icon.

The Google Play store for Android users and the App Store for iOS (Apple) users are two of the biggest app sources in the world, and they have two very different structures. Google believes in a more open-source approach, meaning any developer can list an app and users have a responsibility to read the reviews before downloading. Apple, on the other hand, has a reputation for being far more secure, but that comes at a price: listing an app on the iOS store can mean a lengthy wait while the app is tested and approved and a laundry list of requirements for developers to adhere to.

For better or worse, most of the affected apps in this case were downloaded in Asia. However, that doesn’t mean there aren’t malicious apps that are targeting US users with similar harmful tactics. Logically, Android users stand to be at a somewhat higher risk than Apple users due to the open nature of the Google Play store, but that doesn’t mean iPhone and iPad users are immune to this threat.

No matter which mobile operating system you use, you’ve got to be careful with your device. Read the user reviews before you download an app, and make sure there aren’t any specific privacy concerns mentioned. Also, read the app description itself and get a good idea of what kinds of access the app needs. If an app wants too much information or access that it shouldn’t need in order to function, then it’s best to skip it.



Valentine’s Day is just around the corner and many people are looking to swipe right on a match through a dating app in hopes of meeting their suitor in real life. In 2018, Tinder alone processed a record 1.6 billion swipes a day. With 40 percent of Americans switching to online dating, there’s now an app for every kind of user preference, including dog lovers, foodies and celebrity look-alikes. With love in the air, scammers are also upping their game on these platforms in order to get your money or personal information. Let’s talk about how to swipe left on a romance scam.

Many popular dating apps like Tinder and Zoosk have reported numerous incidents of romance scams taking place on their platforms. Scammers are becoming more advanced in their techniques, including using chatbots to reach more people at a faster rate and evolving their messages to remain current. To avoid being caught, scammers might also try to lure you off the dating app by claiming they are canceling their account or offering some other excuse. Don’t go breaking your heart or your bank; read more about how to detect a romance scam here.

When using dating apps you should always be conscious of the information you disclose and who you choose to talk to. Be extra leery if someone gives you excessive compliments, reveals in-depth information about themselves immediately, is located outside your country, asks for money or expresses interest in marrying right away. If you come across a scammer, report their profile right away to the company they have an account with. Never send anyone from a dating app money, passwords or login info to your accounts or personal contact information.

Who would’ve thought that swiping right on a popular dating app could put you in the hands of an identity thief? Kerrie Roberts with sponsor Experian and Eva Velasquez of the Identity Theft Resource Center weigh in on the ever-so-popular “romance scams.”



Malware is a growing threat, one that can impact everyone from a casual computer user to a Fortune 500 company. More than just a virus, malware is more like a catch-all term for any kind of malicious software that can infect a computer and be used for harm. Now, thanks to a new Swiss initiative and a team of volunteers, cybercriminals have a little less leverage for attacking computers.

The project, URLHaus, relied on volunteers within the cybersecurity company to seek out websites that distribute malware. These websites can infect your computer even if you don’t engage or if you visited by mistake, and it’s a common tactic that hackers use when they get you to fall for a phishing attempt. More than 100,000 of these websites have been identified and taken down in the last ten months.

A malicious website is just one of many different avenues for infecting your computer, but it’s a widely used method of attack. When a scammer sends out a phishing email that spoofs a known company, for example, the link within the email will often take the victim to a harmful website where the malware infection takes place. Common phishing emails include copycat messages from your bank telling you there’s a problem with your account, fake emails from known retailers like Amazon or PayPal, requests to verify your identity or account information, and many other believable messages.

Scammers can also use social media to get their victims to visit a harmful website. Private messages that appear to come from someone you know, telling you to click here to get this incredible deal or see these unbelievable pictures they found of you, for example, are widespread. Of course, actual paid ads for interesting products and fantastic sales can also redirect users to a fake website.

Once you visit the website and interact with it, the malware is installed on your computer or mobile device. It might be ransomware that locks up your computer, spyware or adware that tracks your online activity, a keylogger that steals everything you type (including account logins), and more.

So how does the cybersecurity industry fight back? One website at a time, which is why the project and its volunteers are so crucial to protecting tech users. Unfortunately, finding these websites scattered across the vast world wide web is a slow and tedious process, and getting the companies that host the sites to take them down can take even longer: an average of about eight days from the date of notification.

While the volunteers continue this vital work, the next step for URLHaus is to help those web hosting companies take action more immediately. Some companies respond within a day, while others take as long as a month. The bigger the company and the more customers they have hosting websites through their platform, the longer it can take to investigate a site that’s been reported.

In the meantime, there are some behaviors that tech users can deploy that will help them avoid some of these sites…

1. Never click a link in an email, text message, or social media message unless you’ve verified it with the sender; don’t just trust that you know the sender, either, since accounts can be hacked or copycatted.

2. Avoid clicking on ads in social media posts unless you can explicitly trust the company and the link. When in doubt, simply do a quick internet search for the product and the seller in order to look at the item more closely.

3. Most important of all, make sure you have a reputable security suite installed and updated. Antivirus software isn’t enough anymore, not with so many different threats out there. A lot of great software developers even offer their products at “freemium” pricing, which means there’s a price plan for every budget. There’s literally no excuse to not protect your tech.



February 5th is Safer Internet Day, an international effort aimed at making our world wide web safer for every kind of user.

This year’s theme, “Together for a better internet”, focuses on creating a better internet for all users.

 

Whether it’s children playing a game or doing homework, longtime friends reconnecting over social media, or a company conducting business around the world, the internet was designed to bring people together. Ideally, it should happen without becoming the victim of a crime.

 

The Safer Internet Day website contains a wealth of resources and announcements about events in different locations, but you don’t have to save it all for one special day. There are a number of things you can do to make the internet a better place.

1. Embrace strong password security

A lot of people misunderstand the mechanism by which hackers grab your password. They think teams of criminals sit at workstations and type in various numbers or letters until they get it right. That’s why a lot of people think using something like “password” is a good idea: “They’ll never guess something so obvious!” The truth is, hackers use software that can make billions of guesses per second. They don’t have to type a thing, they just launch the software and wait for access to your account.

But you can fight back against this by using a password that even a computer would have a hard time guessing. Combinations of uppercase and lowercase letters, numbers, and symbols are important for protecting your accounts, as is ensuring that you only use that password on one account.

2. Beware of what you share

Social media hoaxes are nothing new, but they continue to run rampant because people blindly click to send them out again. A lot of hoaxes may be silly stories or “click like and share if you want this baby to be healed!” kinds of pointless content. However, there’s a reason accounts like those post fake content.

Even if it looks like they’re not benefitting in any way, they still are. When you share someone’s post, you’re telling the social media platform that this is valuable content. That means the algorithms behind it are more likely to make other content from that user visible to a lot of people.

Of course, silly hoaxes are one thing, but posting negative information is something else altogether. Make sure you’re not accidentally sharing inaccurate medical information, content that willfully targets an individual, or posts that damage reputations despite being false.

3. Even if it’s about yourself, don’t overshare

Oversharing on social media doesn’t just mean spilling the beans about family secrets or uploading embarrassing potty training videos of your kids. It also means posting so much information about you or your family that an identity thief can connect the dots. Even worse, you could accidentally post so much information that this same thief can connect the data dots on your friends and relatives.

Remember to maintain an air of caution about what you put in your profiles, what you say in your posts, and which friend requests you accept in order to avoid being targeted by someone masquerading as something they’re not.



Fans of the iPhone video chat feature FaceTime might be surprised to learn that a software bug may have been leaking their private calls. The process took a number of steps to initiate, so it’s unlikely anyone eavesdropped accidentally rather than intentionally, but there was also no way to know if someone was listening to you during your calls.

To make the glitch work in their favor, a user had to initiate a FaceTime call and then add their own phone number as another person in the group call. That way, even if the actual third party never answered, the call remained connected and the user could listen in on the other person. Even worse, if the unaware third party pressed their volume button or power button for some reason, the eavesdropping became a video monitoring call instead of just audio.

This kind of privacy flaw is out of character for Apple, a company known for its consumer-centric security. Several industry watchers like 9to5Mac and the Verge have reported on this bug, and Apple has temporarily disabled all Group FaceTime functionality until a patch can be written and a software update released.

First, the immediate warning for consumers: situations like this one are why you must make it a priority to download new software updates when they become available. When companies release an update, it’s because they’ve found ways to make their product better. Many times, the update can actually resolve a serious security or privacy problem.

More importantly, this is a stark reminder that our technology is only as good as the level of human error behind it. Apple prides itself on producing great products and focusing on its users’ needs, but even the best can sometimes experience flaws. If you don’t put blind trust in your products or platforms, you’ll be less likely to feel the harmful effects of accidental issues.

