Black Friday and Cyber Monday are the biggest shopping days of the year. With so many holiday sales being offered and only so many days left till Xmas, shoppers flood the stores and the internet in droves. And so do scammers. In the rush to find the best deals, be on the lookout for scam artists, con artists, and thieves.

Black Friday Risks:

  • Never leave your purse or wallet unattended. It only takes a few seconds for a thief to take your purse/wallet in an unattended cart while you step away to examine a potential gift.
  • Never let your credit card out of your sight. Skimming machines and devices that record your card information are small and easily hidden in a palm, under the counter, or implanted in a machine. Never let a salesman take your card some place where you can’t see what they are doing with it. This also applies to fast-food counters, drive-thrus, and restaurants.
  • The holidays are the time when people will ask you to fill out surveys or other forms for the chance to win a car or a trip to an exotic location. Be careful if you fill these out. Oftentimes these places are actually gathering information on you. Never give them your social security number, driver’s license number or banking information.
  • The holidays are the time for giving and many charities are out collecting for their cause. There is never anything wrong with donating to a reputable organization, but scammers are out in force as well. Avoid giving checks or credit cards when making a donation. A thief can use this information to scam you in the future. When in doubt, donate physical items such as toys or clothing, or look up the company online and see if they are reputable. Many charities have a “donate here” button on their website so that you can send the money or items directly to them without a middleman.

Cyber Monday Risks:
With so many websites offering such great deals and scrambling for your attention, it’s hard to decide which ads are legitimate and which ones are not. But if you keep the following in mind you can be safe in your online shopping.

  • Try to shop at reputable websites such as sites that you have been to before or have a high rating with the Better Business Bureau.
  • Avoid clicking on pop-ups. They may look like they are from a legitimate store, but they could be a ploy to take you to another site designed to get your financial information.
  • Never give your social security information online. You do not need to give this information when purchasing an item online.
  • Be on the lookout for emails telling you that you owe money to sites you have never been to. Check to see if this company actually exists. If so, see if there is an account under your information. Often scammers will pose as a legitimate company in order to trick people into giving up their information.
  • Be on the lookout for emails claiming to be from a charity organization. Many scammers will pose as a charity in order to prey on holiday good will. When in doubt, look up that charity with the BBB or find their actual website and donate to them directly. Do not use the information in the email.

And remember, always check your credit card statements at the end of the month and check your debit card purchases at least once a week. This is the best way of catching fraudulent transactions and reporting them immediately.

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit

The geo tagging feature on your smart phone can be a very cool way of allowing people to know where you took a beautiful scenery picture, attended an interesting event, or even serve you as a digital road map to locations associated with fun experiences you’ve had over the years in just a few clicks of the mouse or touches of the screen on your phone. Geo tagging makes it easier for you to arrange photos and let friends know where they might be able to replicate some enjoyable experience you had.

As with most modern technological conveniences, there is also risk to consider when using your geo tag capabilities. Primary amongst these is the risk of “social surveillance.” Most of us who use social media regularly are familiar with social stalkers. These modern creepers make use of the information you publish on social media pages in order to track your movement, your habits, and your associations. Stalkers can make use of public geo tagging information to pinpoint your present location, find out where you live, and even how and where you spend your time with very little effort. This very fun feature of modern smart phones can also potentially put your safety and security at risk, depending on who you are and the value of that information to anyone who might want to track your movements.

The point is not to scare you, but to note the risks and be wary. It pays to know the risks, and have an air of caution when using this feature. The risks of geo tagging are definitely something consumers need to be wary of as privacy continues to erode in our ever more electronically connected society. What follows are a few best practices to keep you safe while geo tagging.

  1. Take the time to note your default privacy settings: This applies both to your smart phone or mobile device and the social media networks you access through your device. To geo tag something is simply attaching GPS grid coordinates to a picture, video, website or text message. Sometimes tagging a location may be a default setting on your phone or on the social network you’re using. It is important to be aware of these settings so you can consciously decide when and where you geo tag, and who the information will be available to.
  2. Understand the Risk:  Realize that geo tagging information gives anyone who views it the opportunity to know your exact whereabouts, particularly in instances where you’ve posted your location to multiple sites (e.g. Twitter, Facebook, and Instagram).  A check-in at the airport with the message “vacation for the next week!” for example lets anyone who might care to look know that you’ll be out of town for a week.  If you’ve also been geo-located at your place of residence in the past this information could be very valuable to a thief looking for an opportune time to break in.  Additionally, if you use the geo tag feature regularly, it can also give others an understanding of your movement patterns, which will give anyone with an interest in stalking you a picture of your routine, allowing them to predict where you will be and when.  Be aware of who in your network will have access to this information, as it’s possible that not all of them are really your “friends.”
  3. Know How to Disable the Geo Tagging Feature: Every smartphone has a geo tag feature, and many of them will be automatically set up to function without you consciously choosing to have it do so.  You need to take the time to figure out how to prevent it from doing this.  It’s a much better idea to consciously decide to geo tag each time you post rather than having to remember to opt out of geo tagging each time you post.  Leaving the default setting as geo tag operational will likely mean there will be times when you inadvertently post your location to the world when it is risky or unnecessary to do so.

For iPhones: Go to the “settings” page of the geo-tagging program.  Go to “settings” then “general” and then “location services.”  Disable those applications that automatically make use of your GPS tracking data.

For Android Platforms:  Start the camera application.  Open the menu and go to “settings.”  Turn off “geo tagging” or “location storage” (depending on the type of Android).

For digital cameras, be sure to consult the user manual.  Not all digital cameras come with a geo tagging feature, but it’s important you know how your particular camera operates in relation to location tracking.

“Geo Tagging and Do Not Track” was written by Matt Davis.  Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

The Florida Senate Committee on Commerce and Tourism unanimously supported the Keep I.D. Safe (KIDS) Act this Monday, a bill designed to help reduce child identity theft in the state. Florida is a known hotspot for identity theft and fraud.

The Federal Trade Commission (FTC) compiles and analyzes complaints submitted to the FTC, the Internet Crime Complaint Center (IC3), Better Business Bureaus and other organizations by crime and state in an annual report titled the Consumer Sentinel Network Data Book. Florida has been listed by the report as the state with the highest per capita rate of reported identity theft complaints for the last four years in a row.

Children, and especially foster children, are vulnerable to identity theft because they are considered high value targets by identity thieves. Due to their lack of a credit report or history, they are blank slates that an identity thief can abuse for years before the child or parents ever find out. When the child first applies for a credit card, student loan or anything that requires credit, they discover all the fraud that has been conducted in their name and are denied the credit.

Child identity theft is detrimental to the child, as it can delay attending college (because of student loan denials), gaining employment, purchasing a first vehicle, and accessing credit. This delay lasts however long it takes the child to dispute all the fraudulent activity and have it cleared from their credit reports, which can take months or even years.

During the announcement for the bill, Florida Commissioner of Agriculture and Consumer Affairs Adam H. Putnam said, “more than 50,000 Florida children are victims to this exploitation each year, and more than $100 million is stolen every year from those whose identities are compromised.” Adam Putnam has worked with Sen. Nancy Detert and Rep. Heather Dawes to introduce the KIDS Act, which department economist Sergio Alvarez estimates will protect 10,000 children from identity theft each year and save Florida more than $21 million annually.

The KIDS Act (SB 242, HB 151) will follow in the footsteps of Maryland’s child identity theft law in that it enables parents or guardians to create a credit report for their children and subsequently freeze it to block an identity thief from abusing their credit. The House KIDS Act bill was referred to the Business and Professional Regulation Subcommittee just yesterday and has not scheduled a vote as of yet.

“Florida Child Identity Theft Bill Progresses in Senate” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

November 7th is the first Thursday of the month and that means it is time for another Identity Theft Twitter Chat. This month’s topic is mobile device safety and identity theft and we are very happy to have Christopher Burgess, CEO of Prevenda, as our co-host. Don’t know who he is? Well you should because it isn’t often you get to talk about mobile safety with someone who used to be in the CIA!

We are very excited about this Identity Theft Twitter Chat as we are all nomophobics over here at the ITRC. This Identity Theft Twitter Chat is just another way that ITRC is really trying to reach mainstream consumers to make them aware of identity theft and we think this is a great topic to do just that. It is our hope that this chat will reach those who may not consider participating in a twitter chat based around identity theft or cybersecurity, but would be interested in mobile device safety.

This Identity Theft Twitter Chat will take place at 11:00am PST on November 7th.  The questions that we will be basing the discussion around are:

Q1: How old were you when you got your first mobile phone?

Q2: How many mobile devices do you have?

Q3: What do you do with your old mobile devices?

Q4: Do you have anti-virus on your smartphone or tablet? Why or why not?

Q5: What concerns you most about mobile device safety?

Q6: Have you ever had a mobile device stolen? What happened?

Q7: What do you do to keep your identity safe on mobile devices?

Q8: What tips do you have for people to keep their identity safe on mobile devices?

Q9: What resources do you use to teach your kids about mobile device safety?

This month’s event should help produce great collaborative thought and perhaps even some unique and novel solutions to safe mobile device usage. In order to participate, users should follow the hashtag #IDTheftChat . Those who would like to participate can RSVP via online invitation.  Anyone is welcome and we hope that we will see consumers, businesses and organizations alike!

Participants may find it helpful to participate through the #IDTheftChat Twub which can be found at  Anyone who has questions should contact ITRC’s Media Manager at We hope you will join the conversation and bring your friends!

Prescription fraud occurs when an identity thief, using your personal information, has a prescription issued and possibly filled under your name. Prescription fraud is just one consequence of medical identity theft, where a thief obtains enough of your personally identifying information to be able to assume your medical identity.

Prescription fraud affects the victim in many ways, including their finances, ability to get necessary health care and possibly their ability to check their own health records. According to the Ponemon Institute’s 2013 Survey on Medical Identity Theft, 60% of medical identity theft victims they surveyed indicated that their identity was stolen to obtain prescription pharmaceuticals or medical equipment.

An identity thief using your identity to be prescribed restricted medications may also use your health insurance to purchase the medication. This means that you, the victim, will often get left with the bill for any unpaid expenses the identity thief incurs while using your identity and medical insurance. It is important to be alert for any explanation of benefits (EOB) you receive from your health insurance provider or bills for medical services you did not seek or receive. This may be your best warning that an identity thief is abusing your medical identity and insurance.

Unfortunately, there are worse consequences to being a victim of prescription fraud than bearing the brunt of fraudulent medical bills. When an identity thief uses your medical identity to be prescribed medication, this information will be incorporated into your health record. Any subsequent medical personnel looking at your record will see the new prescriptions and make medical decisions based on this fraudulent record.

Lastly, it can be exceedingly difficult to set your health records straight after an identity thief has received services or prescriptions under your name. Under the Health Insurance Portability and Accountability Act, or HIPAA, strict rules prevent access to patients’ medical records by unauthorized entities or individuals. Sadly, this very same rule prohibits victims of prescription fraud from accessing their personal health records in order to correct them because health care providers fear it may be a violation of the identity thief’s rights to confidentiality of their medical records.

The best defense to prescription fraud or any identity theft is to be keenly aware of your personal information. Any documents that contain personal information such as your birth date, Social Security number, driver’s license number, or insurance plan information, should be stored somewhere safe and secure or shredded when no longer needed. Do not carry your Social Security card, military identification, or Medicare card on your person as they have your Social Security number on them and are extremely helpful in the hands of an identity thief. New military identification cards no longer have Social Security numbers on them, so if you have an old military ID you can always renew your card to reduce your risk of identity theft.

“Prescription Fraud Resulting From Identity Theft” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Senator Edward J. Markey and Rep. Joe Barton will soon be reintroducing their Do Not Track Kids Act, a bill that would update the existing Children’s Online Privacy Protection Act (COPPA), The Hill reports. Senator Markey, a member of the Senate Commerce, Science and Transportation Committee, and Rep. Barton, the co-chair of the Congressional Bi-partisan Privacy Caucus, believe that COPPA needs to be updated to reflect the new “Internet ecosystem” of the 21st century.

They cite a recent report from Commonsense Media that found 70% of children under the age of eight have used a mobile device and those children spend triple the amount of time on these devices compared with previous years. The Do Not Track Kids Act of 2011 proposed several key updates to COPPA that were designed to curb the tracking of minors’ activities on the Internet.

These updates included:

  • Restricting operators of a website, online service, online application, or mobile application directed to minors from collecting personal information if the purpose of doing so is for targeted marketing purposes.
  • Creating a Digital Marketing Bill of Rights limiting how, when and what information from minors may be collected by website operators.
  • Requiring website operators to provide clear notice about what geolocation the operator collects and how they use it, obtain verifiable parental consent prior to information collection, and provide to the minor or parent any geolocation information collected by the operator upon request.
  • Requiring website operators to implement mechanisms, or “eraser buttons,” that allow users to delete content that is publicly available on the website and contains or displays personal information of the minor.

The Do Not Track Kids Act of 2011 is similar to California’s recently passed SB 568, approved by Governor Brown on September 23rd. A common theme in both of these bills is the restriction against collecting information about minors for the purpose of targeted marketing, although SB 568 only restricts information collection for the use of marketing certain products, not all. In addition, both pieces of legislation include a requirement for allowing minors to request the removal of certain content or information posted to a website; however, the Do Not Track Kids Act limits this requirement to information or content that contains or displays personal information of the minor.

It will be interesting to see if Sen. Markey and Rep. Barton make any changes to the new bill, such as banning the advertisement of certain products to minors on websites like SB 568 or requiring operators to disclose how they will treat Do Not Track signals from users’ browsers. We will be following the progression of this bill and keep you updated on any new provisions that may be added when reintroduced.

“Lawmakers to Reintroduce Do Not Track Kids Act” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

For consumers who may be unaware, skimming is a tactic used to steal credit card information. The thief can procure a victim’s credit card number using basic methods such as photocopying receipts or more advanced methods such as using a small electronic device to steal a victim’s credit card number.

In order to avoid becoming a victim of credit card skimming, here’s a list of the five most common places skimming occurs:

1. The Gas Pump 

The gas station is a favorite for thieves who use skimmers. This is because there are multiple credit card slots sitting outdoors, none of which have a clerk or employee directly monitoring their use.  Typically thieves will install a small electronic reader (which can be seen if closely observed) on the existing card reader. This additional illicit reader will store your credit card information as you swipe your card to activate the gas pump.  They’ll then come back later and pick the reader up in order to make use of the stolen credit card information.

2. ATM Machines

This is a popular choice for the same reasons as the gas station.  Thieves can leave a skimmer on a card reader outdoors and leave it to collect your information.

3. Restaurants/Bars

Usually, in these circumstances, the theft is pulled off by one of the actual employees of the establishment you’re visiting.  Either utilizing a small, mobile card reader or by waiting until you open a bar tab and walk away, a skimmer in this circumstance will either scan or otherwise store your credit card number in order to run up illicit charges in the coming days and weeks. Most of us never think twice about leaving our cards unprotected in the hands of an employee at the restaurant or bar we frequent, and the majority of servers and bartenders are honest, hardworking people.  But beware those few bad apples.  Just to be safe, it’s always good practice to close out your bar tab after each drink order (unless you know the bartender personally) and pay attention to what your server does once they walk off with your card.

4. Department Stores

The next time you go clothes shopping, be sure to pay close attention to the clerk who swipes your card.  Department stores can be potential hot spots for skimming because much like a restaurant or bar, it is not unusual for a clerk to leave your sight to process the transaction, making the temptation greater, and the successful completion of the scam easier.  Sometimes a skimmer will pay an inordinate amount of attention to the number on your card, so if they seem to be staring as though trying to memorize your number, or examining it front and back as if they’ve never seen such wonders before, it would be smart to watch them closely.

5. Call Centers

Do you order goods or services over the phone? Buyer beware, especially of call centers in foreign countries where the phone operators are paid very low wages.  In these cases, there’s a higher likelihood that one of these operators will use the credit card number you supply over the phone for their own personal gain.

The same concerns exist if you use a debit card.  However, the risk of damage to you is greater with a debit card, since you don’t have the same legal protections as a credit card.  Skimming a debit card requires that the thief also get the security PIN for the card, which does make it more difficult.  However, as the ITRC has seen, crooks can and do also seek debit card information.  So, you should be very careful of any transactions requiring the use of your debit card PIN where clerks or other bystanders could gain access to the card and the PIN at the same time.

If you suspect you’ve become a victim of credit card skimming, contact your credit card carrier and your bank and inform them of the fraud. Check your statements regularly so you can catch fraudulent activity as soon as it happens.  In some cases, you may be required to file a police report, but most complaints filed with your bank or credit issuer within 30 days of the fraud will be forgiven.

If you think you may be a victim of identity theft, contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530.


If you run a business that has commercial interests and online interactions (as nearly all companies do these days), you might consider cyber insurance as a tool for mitigating the potential financial damage that may occur as a result of any type of breach, hack, or other fraud arising from internet communications.

Cyber insurance is a method to address the first and third party risks associated with all types of e-business, networks, and any other valuable information trafficked online. This form of insurance can potentially encompass all types of loss, from risks associated with privacy issues and virus transmission to infringement on intellectual property. Virtually any type of loss or liability that can result from online interaction can be covered. This relatively new industry sprang up as a natural counterpoint to the risks assumed by interacting in an exponentially growing e-marketplace. Traditional liability insurance products do not address these types of risks. Commercial businesses operating online now assume many of the same risks of exposure as that of large data companies, publishers, and information providers. The major difference is the potentially limitless class of people and organizations that may hold your company liable in the event of a breach incident or improper exposure of their personally identifying information (PII).

In addition to the liability coverage cyber insurance provides, there is also an additional benefit of heightened awareness of threats on the part of management (who are footing the bill for the insurance) and therefore the greater level of effort towards educating employees on best practices to mitigate this type of risk.  When one considers purchasing cyber insurance, the insurance issuer will require an assessment of current conditions of your network security, employee practices, and every other aspect of a company’s operation that may alter the level of risk associated with e-commerce.  While this can be an annoyance, it can also be a very valuable tool.  Cyber insurance companies usually make use of an independent third party to run the initial assessment.  This will provide the employer with a very thorough look at their relative security, and point out where the greatest areas of risk are in their particular operation.  Though none of this sounds like a whole lot of fun, I promise you that being held liable for a major breach is much less so, and is far more expensive than even the highest insurance premium.

So if you have a business that maintains a large online presence, it might be worth considering the costs and benefits of cyber insurance.  For additional questions, contact the Identity Theft Resource Center at (888) 400-5530.

“Cyber insurance: What is it and why would you get it?” was written by Matt Davis.  Matt is Director of Business Alliances at the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

Steve Peace and Michael Thorsnes, sponsors of the California Personal Privacy Initiative, have given up on collecting the 807,615 signatures needed to qualify the measure for the ballot.

The proposed measure sought to amend the California Constitution in a number of ways:

  1. to create a presumption that any and all personally identifying information collected for a commercial or governmental purpose is confidential
  2. to require the person or entity collecting personally identifying information for commercial or governmental purposes to use any and all reasonably available means to protect it from unauthorized disclosure
  3. to create a presumption of harm whenever someone’s confidential personally identifying information is disclosed without his or her authorization
  4. to create a safe harbor for unauthorized disclosure if there is a countervailing compelling interest and there is no reasonable alternative for accomplishing said interest

One of the effects of these changes would be a major impact on litigation, as privacy and security data breach class actions often do not succeed due to the difficulty of proving harm to the plaintiffs. Just last month, an Illinois federal judge dismissed a class action lawsuit accusing Barnes & Noble Inc. of being responsible when a security breach of PIN pads in 63 of their retail stores may have divulged customers’ personal information. The judge dismissed the lawsuit, finding that the plaintiffs did not sufficiently show they had suffered any harm from the breach. A presumption of harm would have gone a long way towards helping the plaintiffs obtain a significant settlement from Barnes & Noble Inc.

California’s Legislative Analyst’s Office, in a review of the proposed constitutional initiative, found that the presumption of harm would “make it easier for individuals to win privacy lawsuits against state and local governments” and result in “unknown but potentially significant costs to state and local governments from additional or more costly lawsuits, increased court workload, data security improvements, and changes to information-sharing practices.” The Sacramento Bee reported that the Legislative Analyst’s Office opinion was a major reason for dropping the initiative, saying that Steve Peace “struggled to coalesce the entire privacy community and ‘couldn’t in good conscience ask people to spend 25 million bucks’ on a proposal ‘where we were going to have to spend all of our time on defense’ because of the analyst’s analysis.”

“California Personal Privacy Ballot Initiative Dropped” was written by Sam Imandoust, Esq., CIPP, CIPA. He serves as a legal analyst for the Identity Theft Resource Center. We welcome you to post/reprint the above article, as written, giving credit to the author and linking back to the original posting.

According to the National Cyber Security Alliance, this year and for the foreseeable future, one in five small businesses in the U.S. will be hacked. Of those that do get hacked, there’s a better than 60% chance they will go out of business. That’s about the same odds as playing the game of Russian roulette.

No sane person would ever consider playing that game, knowing the possible end result. So why do small to medium size businesses (SMBs), and many big ones too, play this game in the business world? Yet all across the globe SMBs, law firms and medical practices play this game on a daily basis with their business computers, leaving them vulnerable to cyberattacks with their sensitive data exposed. So how do cyber-criminals gain easy access to corporate computers, laptops, and mobile devices? How are they grabbing crucial data that’s causing many of the hacked businesses to close their doors for good?

The answer is keyloggers. It’s an insidious and extremely effective piece of malware that’s capable of evading detection by nearly all anti-virus programs. It can get past sandboxing and white listing attempts by some of the most advanced firewalls and IPS/IDS devices. A keylogger does exactly what the name states. It captures every keystroke typed on a computer keyboard and transmits that stolen information to a remote server controlled by the hackers. This may seem elementary to many people in the cybersecurity industry, but most people from small business owners up to board members of Fortune 500 companies are not aware of this very effective weapon used to compromise thousands of computer systems.

Keyloggers have been credited with many of the world’s most notable breaches: RSA/EMC, Lockheed Martin, Google, Epsilon, Oak Ridge Nuclear Weapons Lab, Citibank, Sony, World Bank, TJX, Heartland Payment Systems, the New York Times, NBC, Schnucks Supermarkets, as well as tens of millions of medical clinics, small business and consumers around the world. According to the 2012 Verizon Data Breach Investigative Report, malware was found in 69% of the breaches. Of the breaches where malware was used to steal data, 98% of the time they were paired with keylogging functionality.

Let me emphasize that: 98% of malware contain keyloggers.

What makes the keylogger the weapon of choice is that it has been designed to avoid detection by anti-virus and anti-malware tools, and to get past anti-phishing training, too. Cyber-criminals continuously test their malware against all the available security solutions to ensure they can evade detection to deliver their payload. Keyloggers can be embedded into any type of download (MP3, video, a picture file, a codec to run some videos, a Flash file, an online game) or attached to a phishing email or any type of web link. Speaking of mobile devices, mobile malware has jumped 614% in the last year.

Social networking websites, like Facebook, LinkedIn, Twitter, Tumblr, and Pinterest, have become one of the favorite places for hackers to propagate spyware. Why? They are porous in terms of defense. Facebook is an extremely popular attack vector because of the popularity of third-party applications and games such as Farmville, Candy Crush Saga, and Words With Friends, amongst others. Lures that promise to add a “dislike” button, or apps to see who unfriended you, are also very popular and successful tactics. Just last month, a hacker who “debugged” Facebook code, and who wasn’t paid, got the world’s attention by hacking Mark Zuckerberg’s FB page. Should anyone now entrust his or her data to Facebook?

Anti-virus and anti-spyware cannot keep up with this threat; they are still stuck in the 1990s relying on signatures and weak attempts at behavioral analysis. This is why A/V solutions have been found in recent studies and reported in the New York Times to be less than 25% effective against modern malware, and less than 2% effective against a targeted attack. Keyloggers make a mockery of the majority of cyber defenses. It’s the path of least resistance for hackers.

The Internal Threat of Email

So what kind of data are the cyber-criminals after that’s causing so much economic carnage? For starters, it’s banking credentials. Banking websites’ usernames and passwords are highly sought after because hackers can easily create wire transfers of all the money in the bank to foreign bank accounts and/or prepaid debit cards. Email usernames and passwords are also highly sought after by the cyber-criminals because they are the keys to our online lives. Email addresses can be used to reset passwords for nearly everything we do online, such as credit cards, home utility bills, car payments, health insurance access, and online payroll websites. It’s easy for a cyber-criminal to set up several of their cronies with paychecks at the expense of small businesses.

Cyber-criminals are also after product designs, engineering drawings, sales plans / forecasts, negotiation positions, client / customer lists, contracts, sensitive emails, H.R. records with employee social security numbers, and a whole lot more. For medical practices such as doctors’ offices and clinics, the danger lies in the fact that many of them have poor or non-existent cybersecurity hygiene skills to begin with. They play online games, download music, and surf the web unrestricted on the same computers that house patient medical information. (I know because I have personally witnessed this behavior numerous times.) Healthcare systems easily become infected with keyloggers due to poor user behavior and protocol, not to mention lack of security tools. Medical office staffs are burdened with finding training solutions and documents to satisfy the HIPAA training compliance and requirements.

In an effort to avoid paying for these solutions, they perform web searches and will download a free document, PowerPoint or PDF file, not realizing that these files may be booby-trapped with malware that the hackers intentionally placed there, free of charge, to lure unsuspecting victims to them. This is known as a Watering Hole Attack.

The Prize of Medical Data

Prized medical data includes Medicare and other health insurance identification numbers, access to cloud-based EMR/EHR (Electronic Medical Records / Electronic Health Records), and access to a doctor’s ability to write e-prescriptions. With access to e-prescriptions, a cyber-criminal can impersonate a doctor to access expensive drugs and other controlled substances, then invoice them to an unsuspecting patient’s insurance. A medical-hacker can also impersonate a patient or obtain expensive medical care under the victim’s name.

Medical identity theft is not as easy to repair as financial identity theft. In many cases, these forms of personal attacks take upwards of five years to be corrected, and still might not be, because of the credit agencies’ indifference towards people. Medical identity theft can also have dire and sometimes deadly consequences for an elderly or sick victim, when incorrect prescriptions or treatments result from medical records contaminated and altered by someone impersonating them to obtain healthcare. Is it any wonder that healthcare is seen to be approximately seven to ten years behind the financial industry when it comes to cybersecurity controls?

To think that all of this started with keyloggers and could have been prevented is the amazing part. Why make life easy for the army of hackers? Aside from the financial impact of suffering a cyber breach, and/or not reporting it the right way in accordance with data breach notification laws, the damage to reputation can be irreparable. Compound that problem with class action lawsuits, as well as insurance companies denying liability claims to victimized businesses, and state attorney general offices penalizing businesses for suffering a breach. How can these breached companies stay in business?

Over the years many security solutions have sprung up, ranging from attempts to stop the keyloggers from getting onto a computer system to impractical virtual keyboards. Some even give a false and dangerous sense of security by promising to hold all the secret passwords in an encrypted vault. I say false and dangerous because while the passwords may be encrypted in the database, the master password used to lock and unlock these applications is still susceptible to desktop keylogging.

This is also one of the major flaws of file encryption tools to begin with. What good is encryption if the keys to the kingdom are compromised at the keyboard? That is an impossible task for these solutions to accomplish because they are attempting to protect the data at the application layer all while the keylogger is operating at the kernel layer hooking into the message queues of the Windows and Apple operating systems (You read that correctly, Apple is not immune to keyloggers). To put it in plain English, they’re trying to protect the 7th floor of a building by locking the doors and windows, while completely ignoring the air vents coming up from the basement.

Now this is not an attempt to disparage the password vaults and encryption tools, because they’re still the good guys and are making an effort to combat cyber-crime, except they’re fighting the battle on the wrong front. Many organizations educate their staff with anti-phishing training, hoping they become more secure because their employees now recognize the Nigerian 419 scam and know not to click on an attachment from a foreign person or entity. But how many of those training sessions are effective at helping an employee recognize that their colleague’s or college friend’s email has been hijacked by a cyber-criminal in an attempt to get them to open a trapdoor attachment named “executive pay summary” or “recruitment plan”?

That type of spear phishing campaign is what compromised RSA’s systems with keyloggers and gave the hackers access to the company’s SecurID two-factor authentication product design. A security company being hacked with its flagship product, how ironic is that? Anti-phishing training isn’t effective because all it takes is one clueless or disgruntled employee to click on the link and compromise everything. And with large corporations turning over new workers every week, training alone will not get it done. A company’s cyber defenses should never be solely dependent on training to detect phishing attempts, which is only one line of defense. Employees should instead be trained on what constitutes sensitive and protected information, and how to handle the data to comply with the various regulatory compliance laws. They also need to be trained on the regulatory and privacy laws within the jurisdiction of their businesses, such as HIPAA, PCI, MA201 in the U.S. and the EU Data Protection Act and PCI for businesses that are based or operate within the European Union.

The best approach is a holistic approach. That is what businesses need to survive the relentless assault against all the hard work they’ve spent years building. The best approach should be comprised of a defense in depth, coupled with education. In other words, focus on protecting the data and applications by locking them down with role based access controls, tag the data to detect abnormal behavior and insider abuse, authenticate the human with multi-factor authentication instead of certificates on the machine when a request comes in remotely. And last but not least, cloak the data from the hackers by deploying a “keystroke encryption technology” to render keyloggers useless. Only then will the playing field be leveled and businesses will have a chance of surviving this cyber onslaught.
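The sketch below is an added example, not part of the original article: it applies three of the controls named above (role based access, tagged data with volume monitoring, and multi-factor authentication on remote requests) to a constructed access log, so that a password captured at the keyboard fails the remote check on its own and bulk reads with valid credentials still stand out. The role names, data tags, limits and events are all assumptions made for illustration.

```python
from collections import defaultdict

# Assumed policy (role based access control): data tags each role may read.
ROLE_TAGS = {"nurse": {"phi"}, "billing": {"phi", "payment"}, "engineer": {"design"}}
# Assumed ceiling on distinct tagged records a role normally reads per day.
DAILY_LIMIT = {"nurse": 40, "billing": 60, "engineer": 25}

def sample_events():
    """Constructed events: (user, role, data tag, record id, remote?, MFA passed?)."""
    events = [("alice", "nurse", "phi", f"pt-{i}", False, False) for i in range(12)]
    events += [("bob", "engineer", "phi", "pt-3", False, False)]       # role lacks the tag
    events += [("carol", "billing", "payment", "inv-9", True, False)]  # remote, password only
    events += [("dave", "billing", "phi", f"pt-{i}", True, True) for i in range(75)]  # bulk read
    return events

def decide(role, tag, remote, mfa):
    """Return (allowed, reason) for one request against the policy."""
    if tag not in ROLE_TAGS.get(role, set()):
        return False, "role-not-permitted"
    if remote and not mfa:
        # A stolen password alone is not enough for a remote request.
        return False, "remote-without-mfa"
    return True, "ok"

def review(events):
    """Deny per-request violations, then flag users whose read volume is abnormal."""
    findings, seen = [], defaultdict(set)
    for user, role, tag, record, remote, mfa in events:
        allowed, reason = decide(role, tag, remote, mfa)
        if not allowed:
            findings.append((user, reason))
            continue
        seen[(user, role)].add((tag, record))
    for (user, role), records in seen.items():
        if len(records) > DAILY_LIMIT.get(role, 0):
            findings.append((user, "abnormal-volume"))
    return findings

if __name__ == "__main__":
    for user, reason in review(sample_events()):
        print(f"{user}: {reason}")
```
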

“The Dangers of Spies on Your Keyboard” was written by Peter Simon. Peter is an Information Security Evangelist and IT security solutions architect. He founded OneForce Technologies in 2007. OneForce Technologies helps companies demystify security by delivering training solutions to address the various regulatory compliance requirements for data security. This article originally appeared in Cyber Defense Magazine.