Mistyping a domain name in an email or website can lead to disaster, as one Australian bank recently found out.

 

If you’ve used the internet, been in a room when someone used the internet or even just seen a commercial about (yes) using the internet, you’ve been exposed to a domain name. What is it? It’s what many of us refer to as a website or web address. If you’ve ever said, “I’m shopping on Amazon,” or “I’ll PayPal you the money,” you were using a domain name.

Individuals who wish to create a website purchase domain names. There’s a legal but somewhat disingenuous practice of purchasing a domain name in anticipation of something becoming popular, such as buying the web address for “www.appletoaster.com” if rumors circulate about Apple getting into the kitchen gadget industry. The goal, of course, would be to sell the domain name to Apple for a nice profit.

However, there’s another legal practice involving domain names that can lead to illegal activity: masking. It’s easy for a scammer to purchase “amaz0n.com” or “citybank.com” or “paypaI.com” (that’s a capital I instead of the L, in case you couldn’t tell), then send you emails pretending to be the real company. You land on a fake website where they steal your information, accept payments for products you’ll never receive or even install viruses on your computer.

Unfortunately, not all domain name issues like this are the work of scammers, even though the consequences can still be severe. Mistyping a domain name in an email or website can lead to disaster, as one Australian bank recently found out. Thinking they were sending sensitive customer data to the correct entities within their own company, bank employees sent out more than 600 emails with the wrong domain. Rather than using the Commonwealth Bank of Australia’s own email domain, “cba.com.au,” the employees simply typed “cba.com.”

It’s never a good thing when an email with sensitive data is sent to the wrong person. Luckily, “cba.com” is the domain name for a U.S.-based cybersecurity company; also, the chances of the prefix, or the person’s name within the company email, matching up to someone at cba.com weren’t very high. If important information had to end up in the wrong mailbox, at least it was a business that deals with security.

Commonwealth Bank took immediate action by blocking the cba.com domain from its network, meaning it’s no longer possible to send an email to that domain name and suffix from their computers. As an added precaution, the bank also purchased the cba.com address in order to prevent any further information from going to that address. This step would also prevent scammers from later buying “cba.com” and using it to send malicious phishing emails to unsuspecting customers.

For typical tech users, though, there’s no network or IT department to make sure you’re only using trusted domain names. That’s why it falls to consumers to protect themselves. If you receive an email that seems like it might not be genuine, you can check by hovering your mouse over the sender’s name. It will pop up and show you the actual domain. If you can’t be sure it’s not typed wrong, copy and paste it into a word processing program and change the fonts until you can read it more clearly. If you’re the one sending the email, make sure you’ve typed it correctly in order to avoid the embarrassment and security risk of messaging the wrong person.

Remember, the domain name can be identical, but the suffix at the end (such as .com, .net, or .org, just to name a few) can change, too. You might think you’re emailing your bank or work, but if someone has purchased the domain name with “.net” instead of the .com you meant to use, you may still be contacting a scammer.
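The near-miss cases described above (a swapped character, a one-letter typo, a wrong suffix) can also be checked automatically before a message leaves the outbox. The following is an added example, not code from the bank or from ITRC; the allowlist, function names and verdict labels are assumptions made for illustration.

```python
"""Flag e-mail recipients whose domain is a near miss of a trusted one."""

# Constructed allowlist for illustration; a real deployment loads its own.
TRUSTED_DOMAINS = ["cba.com.au", "amazon.com", "citibank.com", "paypal.com"]

# Characters that look alike in many fonts. Applied before lowercasing so
# that a capital "I" standing in for a lowercase "l" is still caught.
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "I": "l", "5": "s"})


def skeleton(domain: str) -> str:
    """Collapse look-alike characters to one canonical form."""
    return domain.translate(CONFUSABLES).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_domain(raw_domain, trusted=TRUSTED_DOMAINS):
    """Return (verdict, trusted_domain_it_resembles_or_None)."""
    raw = raw_domain.strip().rstrip(".")
    domain = raw.lower()

    # 1. Exact match, or a subdomain of a trusted domain.
    for t in trusted:
        if domain == t or domain.endswith("." + t):
            return ("trusted", t)

    # 2. Same text once look-alike characters are normalised.
    for t in trusted:
        if skeleton(raw) == skeleton(t):
            return ("lookalike-characters", t)

    # 3. Same name, different suffix (the cba.com vs cba.com.au case).
    name, _, suffix = domain.partition(".")
    for t in trusted:
        t_name, _, t_suffix = t.partition(".")
        if name == t_name and suffix != t_suffix:
            return ("wrong-suffix", t)

    # 4. A single inserted, dropped or substituted character.
    for t in trusted:
        if edit_distance(domain, t) == 1:
            return ("one-character-typo", t)

    return ("unknown", None)


def check_recipients(addresses, trusted=TRUSTED_DOMAINS):
    """Return only the addresses worth stopping to look at."""
    findings = []
    for addr in addresses:
        local, at, domain = addr.rpartition("@")
        if not at or not local or not domain:
            findings.append((addr, "malformed", None))
            continue
        verdict, match = classify_domain(domain, trusted)
        if verdict not in ("trusted", "unknown"):
            findings.append((addr, verdict, match))
    return findings


if __name__ == "__main__":
    # Constructed sample recipients, using the domains quoted in the article.
    sample = ["jane@cba.com.au", "jane@cba.com", "help@amaz0n.com",
              "pay@paypaI.com", "info@citybank.com", "bob@example.org"]
    for finding in check_recipients(sample):
        print(finding)
```

Unrelated domains are deliberately left alone, so only addresses that resemble a trusted domain without matching it are reported.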


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Cell phone customers have been warned about a lot of different pitfalls when it comes to protecting their privacy and their data.

Using a passcode to lock your phone, logging out of sensitive apps and making sure you’re only downloading vetted content are still important ways to avoid a lot of common threats. Recently, word got out about the danger from phone number porting (when a scammer convinces a cellular provider employee to move your phone number to a new handset) and consumers have been warned to be vigilant about any unusual activity with their phones as a result.

Now, there’s a new threat: SIM swapping. Your SIM card (Subscriber Identification Module), the tiny little microchip that tells your phone what number it responds to and what information it contains, is transferable to another phone. That’s how you can upgrade to a new phone or buy another phone if yours is damaged, while still keeping your phone number, photos, music downloads and more. But much like phone number porting, SIM porting is easy to do if you can convince a cellular employee to do it.

This new hacking threat came to light when an Instagram user began receiving notifications about his account. He checked his phone and didn’t notice anything out of the ordinary, but later realized he was using it on his home Wi-Fi connection (not cellular…smartphones will work as mini tablets even without mobile plans as long as they’re connected to Wi-Fi). Only after he was locked out of his Instagram account and Snapchat account did he realize there was a serious problem.

After checking with his provider, he learned that his SIM card information had been transferred to a new SIM card and inserted into a different handset. It’s not certain yet if the cellular employee did this maliciously or was truly unaware that the person who attempted it was not the account holder.

Of course, there’s more to the story: the person who did this didn’t want the victim’s personal information, email account or mobile wallet. They simply wanted to take over that individual’s social media accounts so they could have the username. Again, it’s not certain what the person planned to do with that username once they took control of it since loading any Instagram images themselves would have implicated them, but that is the only thing the thief did with the access to the phone.

This incident and others like it should serve as a warning about taking strange activity seriously. It doesn’t matter if it’s a weird charge on your credit card statement, notification from a company you do business with, a strange message on Facebook that indicates someone has broken into your account or a medical bill for the care you didn’t receive. If you learn that something unusual has occurred, it could be a sign of a much bigger problem. Take immediate action by contacting the entity directly and find out just how far the suspicious activity goes.



If you know anything about cryptocurrency and the supposed investment opportunities that go along with it, you’ve probably run across more than a few shady details so far.

Originally created as an anonymous payment currency—for people who want to make purchases that don’t leave a financial paper trail—these non-existent “coins” are now the stuff of ransomware payment, Dark Web purchases, crypto jacking and investment scams.

In this newest scam, someone launches an Initial Coin Offering or ICO. This is much like starting a business or purchasing property, then offering “shares” for sale to investors. The weird thing about even the most genuine, legal ICO of cryptocurrency is that the shares the investor buys are for an object that doesn’t exist.

Many states are cracking down on cryptocurrency and ICO scams in order to protect consumers who are lured in by “strike while the iron is hot” sales pitches from dealers. This multi-state effort, known as “Operation Cryptosweep,” has already involved 70 ICOs, resulting in the prosecution of 34 separate cases.

Investing has a long history of producing both financial gains and losses for those who participate. If you think of investing as not only benefitting the investor but also the company—helping it to grow, expand, bring in new people and technologies and more with the money made from the sale of shares—then it makes sense for those who’ve done their homework. But investing in cryptocurrency is one-sided, meaning the goal is to buy as much as possible of this non-existent token and hope that its value somehow increases, despite the fact that it’s not a business that offers a product or service. The entire investment is based on the hope that more people will be enticed into buying it later, driving its value up.

Some experts worry that the flash-in-the-pan craze associated with cryptocurrency investing will result in so many burned investors that typical, sounder forms of investing will be damaged by associating with the losses.

North American Securities Administrators Association (NASAA) President Joseph Borg has announced, “The persistently expanding exploitation of the crypto ecosystem by fraudsters is a significant threat to Main Street investors in the United States and Canada, and NASAA members are committed to combating this threat.”

If you’re ever interested in an investment opportunity—whether in a real commodity, real business or crypto-item—you’ve got to do your homework. It’s not just a matter of accidentally losing your investment when it doesn’t pay off (which is part of the stakes in any speculation), but the real danger is in the anonymous nature of ICOs and cryptocurrency. As unsecured forms of currency, there is no agency to back you up and protect your investment if it turns out bad.



In the race to come up with even more secure forms of protecting your technology and your accounts, researchers have been experimenting with a variety of methods. Everything from two-step authentication to advanced biometrics (think fingerprint sensors) have been used in some way.

A new facial recognition sensor from a company managed to fall a little short, though. One of its new phone models allowed the user to store a “selfie” as the phone’s standard, then use the camera to scan the stored image alongside the live face for comparison. If the phone detected a match, it unlocked the device for use.

Unfortunately, a picture was worth a thousand words, or at least a thousand logins…

Prior to a security patch for that phone, the camera would readily accept a photo of the person instead of their actual face. The unlock process was a little slower but wasn’t halted completely. This is a departure from a fairly old aspect of facial recognition that requires the user to blink during the scan in order to prove the camera isn’t seeing a still image (unfortunately, even that level of security wasn’t hard to override). The test a user conducted in this case actually involved pointing the Samsung Galaxy 8 at another phone which displayed the picture.

This news is the latest in a long, questioning road to better biometric security protocols. What level of protection can our fingerprints, retinas, even our DNA provide, but more importantly, what can the bad guys do with it?

It’s important to understand that Samsung says this was never meant to be a security or “lock” feature, but rather is more like swiping the phone screen with your fingertip to wake it up. Rather than put down any items you might be holding or look at the screen while you’re busy, you could simply turn your face toward the phone or hold it up and point, and it would give you access to the phone screen.

With every new technology, it can often feel like we’re playing catch up. The innovation comes first, the security violation comes next, and then the fix follows on its heels. We can work to halt that process by asking the hard questions: how does this actually keep me safe? who else can interfere in the process? is this actually a step towards greater security, or just flashier tech? By knowing the answers to those questions and taking a good look at how the functionality works, you just might ward off any unexpected privacy problems.



“Cell phones are so convenient that they’re an inconvenience.” ― Haruki Murakami

In the past fifty years, humans have gone from computers that took up entire rooms and were strictly the domain of governments and corporations, to having computers conveniently located on your wrists that even children can use. “Typing class” of the 20th century has been replaced with coding, robotics, app development and other STEAM curricula for students as young as elementary school.

That is a lot of innovation in a short amount of time, practically the blink of an eye. One of the drawbacks to having such incredible advancements in a relatively small window is that security and privacy considerations have struggled to keep pace with the new capabilities.

Kaspersky has now released a new report on a phenomenon called “cyber-stress,” which refers to the very tangible emotional toll that things like identity theft, data breaches, and hacking events can take on consumers. The Identity Theft Resource Center, which operates a toll-free call center and a live chat app for victims of identity theft, has also tracked the emotional fallout from discovering that someone has stolen your personal identifiable information.

According to the findings in the Kaspersky survey:

– 81 percent of Americans and 72 percent of Canadians report that news of data breaches causes them to feel stressed

– The average respondent reports that they manage at least sixteen different username and password combinations, which can lead to weak password security and “reusing” passwords

– 46 percent of Millennials find it stressful to manage the number of passwords they maintain

– The average household now has more connected devices than people, and 75 percent of respondents say that protecting all these devices from outside threats has caused them stress

This might seem like overkill or a lot of reactionary worry over statistically minor issues. However, the opposite is true; the ITRC tracked more than 1,500 separate data breaches last year alone and 46 percent of the respondents to the Kaspersky survey said they had been personally impacted by some kind of cybersecurity threat. Thirty-three percent of those who’d been affected by a cyber-attack stated that they continue to experience stress about protecting themselves from future attacks.

Part of this ongoing emotional impact may be attributed to the fact that new data breaches continue to occur. The Equifax data breach compromised more than 145 million consumer records, while new point-of-sale hacking shows that the “old school” method of targeting consumers’ payment cards is not going away. This stress may even be an opposing reaction to a recognized form of apathy towards protecting yourself known as data breach fatigue, which occurs when the news surrounding too many data breaches is simply overwhelming.

Fortunately, there are resources for consumers to turn to and trustworthy options to provide help. Significant numbers of respondents stated that they trusted friends, family members or spouses with their personal data, which means they have someone they can turn to in a cyber-stress situation. Many young adults and teenagers claimed that they would immediately turn to their parents in a cyberattack situation, providing them with a trustworthy outlet for support. Of course, advocates like those at the ITRC can provide consumers of any demographic with solid resources in the event of a cyber-related issue.



Too often, the apps we use on a daily basis can lead to issues with privacy and security. In many cases, the culprit is none other than the function of the app itself.

The recent news about Facebook losing control of millions of user profiles is a testament to that, but now, a new feature in many Apple devices has led to a complete and permanent vulnerability for users who are affected.

Called “trustjacking,” this vulnerability occurs when you click “yes” to trust a device. In this particular case, iPhones that have been enabled to sync their iTunes accounts over wifi—as opposed to only when the cable is plugged into both the phone and a computer—have given permission to “trust” the connection. Trusting the connection is the mechanism for letting the device and the computer talk to each other… and that’s when hackers with the right know-how can strike.

Security experts Roy Iarchy and Adi Sharabani of Symantec* presented their findings about iOS trustjacking at a recent conference, stating that not only can a hacker access the user’s photos, text messages, and iTunes backup, but can also “use this access to the device to install malicious apps, and even replace existing apps with a modified wrapped version that looks exactly like the original app, but is able to spy on the user while using the app and even leverage private APIs to spy on other activities all the time.”

Fortunately, there was an easy fix to this: the researchers alerted Apple to the possibility that a hacker can take over someone’s device via trustjacking, so now users must enter their passcodes in order to “trust” a new plugin. If the device has not been connected to the computer before, the passcode will be required. This should put a dent in the occurrences of “juice jacking,” too, which happens when someone tampers with a free charging station like the ones at airports or retail shops in order to steal information from the patrons’ phones.

However, there’s one more alarming aspect to this scenario: if your own computer becomes infected with malware, plugging it in to sync your iTunes or iCloud could compromise your device this way. Make sure you’ve got strong anti-virus software installed and kept up-to-date, and run a virus scan from time to time to ensure that your computer isn’t the source of the infection.



Peer-to-peer payment apps, or P2P apps, are a convenient way to share funds with people but come with some identity risks.

It might be a friend who bought those Taylor Swift concert tickets for your kid’s birthday present on your behalf, someone who owes you money for picking up the tab at lunch last week, or even a way to conduct business transactions like selling a piece of furniture or handmade crafts. One of the increasingly popular uses for P2P apps is when multiple people have to “chip in” to pay for a single item, like a hotel room, cruise ship cabin, or baby shower gift for a co-worker.

Though convenient, P2P platforms have been scrutinized for their potential security concerns. As a platform that is connected to some type of payment account, they’re a golden ticket for hackers. When you create your account on a P2P site, you will link a credit card, debit card, or bank account in order to deposit and withdraw funds; if a hacker gains access to your P2P account, they have access to a more serious form of your finances.

If you plan to take advantage of this handy payment method, you’ve got to use some precautions. The very first is your password security, which is always a good idea. Whether it’s an app account, your email account, or any other online portal, a strong and unique password is a must. A strong password contains a lengthy combination of uppercase letters, lowercase letters, numbers, and symbols, typically between eight and twelve characters in length. A unique password means that you don’t use it on other sites, no matter how tempting that may be.

Once your account is secured with a strong, unique password, it’s important to monitor all activity in case someone still manages to get in. You can set up transaction alerts to let you know right away if your account has been used, and you can schedule some time to log in and take a quick look each week. If you see activity that you don’t recognize, report it immediately. Deposits you weren’t expecting, not just withdrawals or purchases, can still be a sign that someone is in your account.



April is Financial Literacy Month, and it’s a great time to take stock of your monetary health and wellbeing.

Are you paying too much interest on your credit cards? Are you working to make a budget and stick to it? Do you have financial goals you’d like to reach, but need a little help understanding how to get there? There are a lot of programs and online resources that can help you get started.

No matter how your financial health is doing these days, it can take just one data breach or identity theft event to derail even the most carefully planned roadmap. It might be an easily-addressed matter of a few unauthorized charges on your credit card or a much more serious case, like tax return fraud or medical identity theft, that leaves you with horrifying bills hanging over your head. No matter how it happens, your financial security is closely tied to your personally identifiable information.

One consumer who spoke to the Identity Theft Resource Center was excited about returning to full-time employment after taking a few years off to stay home with her small children. Money had been tight during that time, and she was eager to go back to work and practically double her family’s household income. That almost came to a halt when the employer called her during the last stages of the hiring process to inform her that she had failed her background check due to a warrant for her arrest. Even worse than this warrant was the crime: failure to appear in court after being arrested for passing bad checks.

It was a case of stolen identity—the suspect had provided the victim’s name and Social Security number at the time of arrest, then never appeared in court after posting bail—and the matter was resolved within a few weeks. Thankfully, the woman did get the job despite the initial suspicion hanging over her head.

This is just one example of how identity theft and fraud can throw off your financial health, so understanding how this type of crime can impact your funds is important. Even more important is understanding how to reduce your risk of becoming a victim, and then knowing how and when to take immediate action if you think something isn’t right.

1. Your financial literacy will always involve your credit report and your credit score, but monitoring those two pieces of information on a regular basis will also help you spot unusual activity. Any strange items on your credit report or a sudden change in your credit score can indicate that someone is using your identity.

2. Monitoring your bank account statements and credit card statements is another crucial aspect of financial literacy, while also being vital to keeping tabs on your identity. Don’t assume that any money deducted or added to your account is a small matter.

3. Medical debt is a significant problem for US consumers, but so is medical identity theft. If you receive bills or health insurance statements for care that you didn’t seek, that could be an honest billing mistake at best, and identity theft at worst.



Identity Theft Resource Center’s thoughts going into National Consumer Protection Week.

National Consumer Protection Week is coming up in the next few days (March 4-10, 2018) and it’s a great time to take stock of your personally identifiable information (PII), your data privacy and your technology. The goal is to empower the public with information that will help keep them safe, while also fighting the very real fatigue that can come about from too much news about this sort of crime.

Everywhere you look, it seems like there’s news of another virus, another hacking event, another data breach. It can feel like fighting back to protect your information is, well, kind of pointless. Fortunately, that’s not the case… not by a long shot.

Experian and the Identity Theft Resource Center conducted a survey asking consumers to assess their attitudes and habits towards protecting their information. The results were a little surprising, in a good way:

– 73% of respondents worry that their PII will be compromised when they log into an online account

– 79% of Millennials know that connecting to the internet over public Wi-Fi—such as in a hotel or coffee shop—could leave them at risk

– Nearly half of all respondents—an encouraging 45%—spend at least an hour a week on security behaviors like checking their account statements, changing their passwords, checking up on their privacy settings, and more.


No one wants to have to live in fear that their data or their identities will be stolen. In fact, survey respondents expressed some measure of dissatisfaction with how hard they have to work to protect themselves in this digital era. Weren’t the internet and technology supposed to make our lives easier, instead of leaving us exposed to crime?

Like so many other safety precautions through the years, learning to be cyber-safe is mostly a matter of developing some good habits. Think back to what it must have been like to drive one of the first cars that came equipped with seatbelts, or to work in a factory that installed safety railings and protective guards on its machinery. The few extra steps involved in protecting yourself might have seemed annoying or pointless at first, but over time they developed into a lifelong habit that keeps the public safe.

The same is true of cybersecurity. Having to enter a code that was sent to your phone thanks to two-factor authentication takes only a few extra seconds and it can spare you countless hours of trying to recover your stolen money and clearing your name from identity theft-related crimes. Memorizing a new password every few months might slow down your internet activities and placing a unique password on every account might seem tedious, but the payoff is worth it to keep prying eyes out of your email, social media, or online banking accounts.

Protecting your home from intruders means checking the doors and windows. Protecting your physical safety in a motor vehicle means wearing your seatbelt and making sure your car is in good working order with up-to-date maintenance checks. Protecting your identity and privacy means practicing good technology habits and staying on top of the latest threats.

For more information on other steps you can take to ensure you’re practicing good identity hygiene, download our free Identity Theft Help App.



The Winter Olympics in South Korea are already underway, and as usual, people around the world will watch their favorite athletes and cheer on their countrymates. Unfortunately, patriotic fans aren’t the only ones keeping an eye on the Games, as hackers have already targeted the event.

Two different groups of operatives are already believed to have broken into some of the hundreds of computers that are keeping everything from schedules to cafeteria orders to scoring up and running during the fifteen different sports’ events. One group is believed to be a Russian hacking group, and has accessed sensitive documents sent between members of the International Olympic Committee. Another group, thought to be a North Korean hacking contingent, has been targeting South Korean computers for a little over a month.

There are a lot of different motives for hacking. Stealing money, personal information, state or military secrets, and logistical data are all just a few treasured items cybercriminals work to get their hands on. However, it’s impossible to overlook the “hacking for embarrassment’s sake” aspect of cybercrime, as doing something on a large scale during a highly publicized international event can garner a hacker a lot of “street cred” among their peers.

With these events and other hacking attempts that are anticipated throughout the Games, it’s important for athletes, coaches, staff, and spectators to keep a close eye on their information. They also need to be mindful of which wifi connections they rely on, and understand that other people may be able to view their activity while online.

Of course, the attention and interest in the Olympics can impact people back home, too. Links to videos are a common source of malicious code, so sending out viral messages claiming to have a video of a specific event or performance from PyeongChang would be an effective way to infect a lot of computers at once. Sending messages or emails that entice victims to click the embedded link or open the attachment is a common tactic that hackers use to share malware; a message that looks like it comes from a trusted source (like a media sponsor of the Games) could trick people into installing it.

