
The IDSA shares with the ITRC in the newest Fraudian Slip podcast exploring identity management & the future of identity

  • This week, the Identity Theft Resource Center (ITRC) celebrated Identity Management Day, hosted by the Identity Defined Security Alliance (IDSA). The day raised awareness on the importance of identity management, securing digital identities and sharing best practices to help organizations and consumers.
  • The ITRC sat down with the IDSA to discuss how identity management has changed, the future of identity, how identity crimes are changing and much more.
  • To learn more, listen to this week’s episode of The Fraudian Slip
  • You can also learn more about the identity-related crimes discussed in the podcast and how to protect yourself from identity fraud and compromises by visiting the ITRC’s website.
  • If you think you are the victim of an identity crime or your identity has been compromised, you can call us, chat live online, send an email or leave a voice mail for an expert advisor to get advice on how to respond. Just visit www.idtheftcenter.org to get started.

Below is a transcript of our podcast with special guest Julie Smith, Executive Director of the Identity Defined Security Alliance

Welcome to The Fraudian Slip, the Identity Theft Resource Center’s (ITRC) podcast, where we talk about all-things identity compromise, crime and fraud that impact people and businesses. 

This month, April, we’re going to talk about one of the hottest topics in the world of cybersecurity, privacy and identity. Namely, the shift from what we think of as traditional identity theft to what is increasingly more common today – identity-based fraud.

As more organizations analyze their 2020 data and information from the first three months of 2021, there is a common theme. Cybercriminals are less interested in mass attacks seeking to scoop up as much information as possible about consumers. Instead, data thieves are focusing on attacking organizations where they can hold data for ransom, or where an attack against a single company can yield information from all the customers who rely on the breached business.

At the core of many of these attacks are identity credentials, little pieces of information that once upon a time were pretty much limited to your driver’s license, Social Security number and occasionally your mother’s maiden name. Today, identity credentials are everything from your login and password, which is more valuable than your credit card information to a cybercriminal, to the location where you use your smartphone.

The complexity of identity today makes it simultaneously more difficult to protect your identity while also making it easier to prove you are who you say you are.

This week we celebrated Identity Management Day to raise awareness of the importance of identity management, securing digital identities and sharing best practices to help organizations and consumers. Be Identity Smart. 

Identity Defined Security Alliance (IDSA) hosted the day.

We talked with Executive Director of IDSA Julie Smith about the following:

  • The IDSA, its members, and issues
  • How identity management has changed
  • A business’s role in managing and protecting consumer identities; the most important actions to take
  • The future of identity

We also talked with ITRC CEO Eva Velasquez about the following: 

  • How identity crimes are changing
  • Consumer self-management and protection; the most important actions to take
  • The future of identity

For answers to all of these questions, listen to this week’s episode of The Fraudian Slip Podcast

Contact the ITRC or IDSA

You can learn more about data privacy, cybersecurity, the future of identity and other identity-related issues by visiting the ITRC’s website www.idtheftcenter.org. If you want to learn more about the IDSA and its work, you can visit www.idsalliance.org.

If you have questions about how to protect your personal information, or if you believe you have been the victim of an identity crime or compromise, talk to one of our expert advisers on the phone (888.400.5530), by live-chat or by email during normal business hours (6 a.m.-5 p.m. PST). Just visit www.idtheftcenter.org to get started.

Be sure and join us next week for our Weekly Breach Breakdown podcast and next month for another episode of The Fraudian Slip.

  • According to a survey by Proofpoint, ransomware attacks are now viewed as the top cybersecurity threat by nearly half, 46 percent, of Chief Information Security Officers. 
  • Cybersecurity firm Emsisoft found that at least 2,354 U.S. government agencies, healthcare facilities and schools were the victims of ransomware attacks in 2020. 
  • The Emsisoft report also states that more than 1,300 companies lost data, including intellectual property and other sensitive information, in 2020. 
  • Ransomware attacks cause significant disruption when ambulances carrying emergency patients are redirected, cancer treatments are delayed, lab test results are inaccessible and 9-1-1 services are interrupted. 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified
  • Keep an eye out for the ITRC’s 15th Annual Data Breach Report. The 2020 Data Breach Report will be released on January 28, 2021.  
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the Identity Theft Resource Center toll-free at 888.400.5530 or via live-chat on the company website. 

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for January 22, 2021. Each week, we look at the most recent and interesting events and trends related to data security and privacy.  Human beings tend to end a year by looking forward, but begin the new year by looking back. This week, such is the case when researchers, having just finished publishing their 2021 predictions, turn to sharing their annual trend reports. How many of X and the increase or decrease in Y. 

Here, we are interested in the trends that impact consumers and businesses regarding data privacy and security. The first significant report on those topics concludes that ransomware attacks are now the single biggest cyber threat to companies based on what happened in 2020. If it’s a threat to businesses, it’s a threat to consumers. 

You may not know the name Phil Dusenberry, but you know his work. If you saw a Pepsi commercial during the ’80s, ’90s and early 2000s, you saw his handiwork. If you ever saw the “Morning in America” film for President Reagan or the baseball movie, “The Natural”, those belonged to Phil Dusenberry, too. Now, he has contributed to today’s episode when he said: “Writing advertisements is the second most profitable form of writing. The first, of course, is…” Hold that thought, and we’ll come back to it.

Ransomware Attacks Considered A Top Cybersecurity Threat 

Cybersecurity firm Proofpoint has found that ransomware attacks are now viewed as the top cybersecurity threat by nearly half, 46 percent, of Chief Information Security Officers in a recent survey. Even more alarming is research from New Zealand-based cybersecurity firm Emsisoft that concludes at least 2,354 U.S. government agencies, healthcare facilities and schools were the victims of ransomware attacks in 2020. The impacted organizations include: 

  • 113 federal, state and municipal governments and agencies 
  • 560 healthcare facilities 
  • 1,681 schools, colleges and universities 

These kinds of attacks cause significant, and sometimes life-threatening, disruption when ambulances carrying emergency patients have to be redirected, cancer treatments are delayed, lab test results are inaccessible and 9-1-1 services are interrupted. 

The Impact of Ransomware Attacks on Private Businesses 

Ransomware attacks are not limited to the public sector. Private businesses are very much in the crosshairs of the professional cybercriminals who commit these crimes. According to the Emsisoft report, more than 1,300 companies, many based in the U.S., lost data, including intellectual property and other sensitive information in 2020. That’s just the number of companies with data published on websites where thieves post their ransom notes or stolen data for sale. It does not include the unknown number of companies that paid the ransom before anyone noticed.  

Few cyber-criminal groups released the data they stole in 2020. Only two are known to have done so after companies refused to pay a ransom. However, by the end of 2020, more companies were paying ransom figures over $200,000 on average to avoid the release of their compromised information.  

Many times, they paid the demands even if they didn’t have to do so. Emsisoft has documented cases where businesses with the necessary back-ups to restore their information still paid the ransom for fear their data would be released if they didn’t pay. Proving Phil Dusenberry’s theory, the most profitable form of writing…is a ransom note. 

ITRC to Release Annual Data Breach Report 

Next week, the ITRC will publish its annual report on data breaches. The report includes how many breaches occurred, who was impacted, why they occur and much more. There are some very interesting trends that we’ll discuss in our next episode.  

Contact the ITRC 

If you have questions about how to protect your information from data breaches and data exposures, visit idtheftcenter.org, where you will find helpful tips on this and many other topics.  

If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor on the phone (888.400.5530), chat live on the web or exchange emails during regular business hours (6 a.m. to 5 p.m. PST). Visit the company website to get started. 

If you want to work ahead and read our 2020 Data Breach Report, our 15th annual edition, it will be posted on our website on Thursday, January 28, as part of Data Privacy Day. Just visit idtheftcenter.org

  • The software provider behind some of the largest travel websites, Prestige Software, maintained a cloud database without a password. The unsecured database led to approximately 10 million accounts being available to view online to anyone who knew where to look.  
  • Prestige Software provides technology services to Booking.com, Expedia, Hotels.com, Sabre and other hotel reservation websites around the world. Information included credit card details, payment details and reservation details dating back to 2013.  
  • While there is no evidence the exposed information is being misused, travel website users should change their passwords on their accounts (our experts suggest enacting a passphrase), add two-factor authentication, freeze their credit, monitor their bank statements for any unusual activity and keep an eye out for phishing attempts.  
  • For more information, contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat on the company website. 
  • For the latest on data breaches, visit the ITRC’s data breach tracking tool notified™.

Subscribe to the Weekly Breach Breakdown Podcast 

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we look at the all too frequent event in the world of data – unsecured databases. 

A Lack of Secure Online Databases 

In the context of data protection, repeating the same mistake can have significant consequences. It is why cybersecurity professionals tend to focus on preventing data breaches. That requires them to continually adapt their strategies and tactics to match those of the threat actors who are frequently attacking company systems.

Securing online databases continues to slip away from cybersecurity teams. The software provider behind some of the world’s largest travel websites maintained a cloud database without a password, leading to 10 million accounts being available online for access by anyone who knew where to look.

Forensic researchers believe the available information dates back to 2013 and only relates to hotel reservations. While the information contained in the unsecured database could be used to commit several identity crimes and fraud, right now, there is no evidence the information has been copied and removed from the database. Also, right now, there are no reports of the data being used. 

Software Provider Behind Large Travel Websites Leaves Database Unsecured 

Prestige Software provides technology services to websites that many consumers may have used, including: 

  • Booking.com 
  • Expedia 
  • Hotels.com 
  • Sabre (The reservation system used by American Airlines) 
  • Other hotel reservation websites & mobile apps 

The cloud database was hosted in an Amazon Web Services (AWS) environment that included basic security protections. However, they were not configured. Prestige Software confirmed the database was open to the internet and is now secured.  

Information Exposed Due to Unsecure Prestige Software Database 

The information stored in the unsecured database included large amounts of personal information like full names, email addresses, national I.D. numbers and phone numbers of hotel guests. Additional information stored includes:

  • Credit card details: card number, cardholder’s name, CVV and expiration date
  • Payment details: total cost of hotel reservations
  • Reservation details: reservation number, dates of a stay, the price paid per night, additional requests made by guests, number of people, guest names and much more

What Impacted Consumers Need To Do 

Consumers who have used these travel websites should assume that any information they shared since 2013 is in the wild and available to be misused in identity crimes, fraud and phishing schemes. Consumers should act as if they have already received a breach notice due to the unsecured database and take the necessary steps to protect their personal information:

  • Change your passwords on the travel accounts to a longer, memorable passphrase. Make sure it is unique to the account. Do not use the same passphrase on more than one account because it helps the bad guys.
  • Add two-factor authentication.
  • Freeze your credit if you haven’t already, and monitor your credit card statements for unusual activity over the next few months.
  • Keep an eye out for phishing attempts, especially related to any websites affected by this breach or other travel-related websites. Remember, the best protection is to never click on unsolicited links. If you are unsure, contact the company directly.

How It Impacts Prestige Software 

For the company, the impacts of the lapse in cybersecurity could be significant. Prestige Software is based in Spain and subject to the European Union’s strict privacy and cybersecurity law, known as the General Data Protection Regulation (GDPR). Companies found to have failed to protect consumer information are subject to significant fines up to four percent of their annual revenue.  

Also, companies that process credit cards are subject to self-regulations. The penalties for failing to comply with the Payment Card Industry (PCI) standards include, in some cases, a company losing the right to process debit and credit cards. It is surprising that we have to continue to remind companies of a simple fact: Companies are responsible for securing their cloud environments, not cloud platform providers like Amazon, IBM, Microsoft or any other cloud services companies. Cloud hosts will make basic tools available, but companies have to use them. Also, companies are still responsible for patching their applications and maintaining their advanced cybersecurity tools.

notified™

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified™. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC 

If you believe you have been affected by the Prestige Software database exposure and want to learn more or think you’re the victim of an identity crime, contact the ITRC at no-cost by calling 888.400.5530 or by live-chat on the company website. Also, download the free ID Theft Help App to access resources, a case log and much more.  

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform. 



Reports Show Consumer Privacy and Cybersecurity Views Have Evolved

  • Two new research papers from OpSec Security and Consumer Reports show how consumer privacy and cybersecurity views are evolving across the U.S. 
  • Findings in the OpSec Security report show that cyberattacks and data breaches are pervasive, and consumers are concerned and desensitized by the volume of information compromises. 
  • The Consumer Reports report concludes that consumers believe companies are primarily responsible for protecting the personal information businesses collect, store and use. 
  • For more information on the latest data breaches, visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified™. It is updated daily and free to consumers.
  • For cybersecurity, privacy or data breach advice, contact the ITRC toll-free at 888.400.5530 or by live-chat on the company website. 

Privacy and cybersecurity impact consumers. Two new research papers show how consumer privacy and cybersecurity views are evolving across the U.S. The reports validate a central concern among consumers that there is not enough done to protect their most precious possession: their name.

Subscribe to the Weekly Breach Breakdown Podcast 

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we will look at two new research reports. The first focuses on recent changes in consumer attitudes. The second takes a longer-term look at how consumer privacy and cybersecurity views are different now compared to 25 years ago when the modern commercial internet was born.

The Importance of Reputation 

Reputations are important to individuals, companies and organizations. That’s why OpSec Security, a global cybersecurity firm, recently surveyed 2,600 consumers throughout the U.S. and four European countries. Researchers asked consumers whether they have been affected by cybercrime, their perceptions of brands, and if their role – or the role they should play – in keeping consumers safe has changed over time. 

The findings show that cyberattacks and data breaches are pervasive and consumers are both concerned and desensitized by the volume of information compromises. Some of the key findings in the last year include the following: 

  • 40 percent of respondents were a victim of an email or phishing scam.
  • 51 percent of respondents say they receive more phishing attempts now than before the COVID-19 pandemic. 
  • 35 percent of respondents experienced credit or debit card fraud. 
  • 21 percent of respondents were a victim of identity theft at some point.  

Meanwhile, 30 percent of respondents were impacted by a data compromise, which did not surprise nearly one-third of the people who received a data breach notice. Of those who had their data compromised, 46 percent were contacted more than five times. Almost half of those who haven’t received a data breach notice, 48 percent, are worried they will soon.  

Those 30 percent of consumers in the OpSec survey who say they had their data compromised in a data breach equal the same percentage of people who responded to a similar question from Consumer Reports.  

Consumers Think Businesses are Responsible for Protecting Personal Information 

Both surveys came to a similar conclusion: consumers believe companies are primarily responsible for protecting the personal information businesses collect, store and use. Consumer Reports surveyed more than 5,000 U.S. residents about privacy and security. They also reviewed past research to show how consumer attitudes changed over time. 

  • In 1995, 44 percent of consumers were worried “a lot” or “some” about losing privacy due to the internet. 
  • By 2002, 76 percent of survey respondents were uncomfortable about companies collecting data about them. However, 94 percent thought they had a legal right to see what data the company collected about them from a website. 
  • Fast forward to 2019; 65 percent of consumers said they do not believe their personal information is kept private. 

In the Consumer Reports research published in October, 96 percent of consumers surveyed agreed that more could be done to ensure companies protect consumer information. Other findings include the following: 

  • 68 percent of consumers surveyed believe companies should be required to delete the data they have about someone upon the consumer’s request. 
  • 67 percent of respondents think there should be tougher penalties, like high fines, for companies that don’t protect someone’s privacy. 
  • 63 percent say companies should be required to give consumers access to the data companies have about them. 
  • 63 percent also believe there should be a national law that says companies must get a person’s permission before sharing their information. 

There are now laws, passed in multiple states, that include one or more of the items from the consumers’ privacy wish list above, but a national privacy law remains elusive. 

Built-In Privacy Features 

One finding that did not emerge from either survey on consumer privacy and cybersecurity views was a consensus around what consumers want to happen next to protect their information. Consumer Reports notes that companies are beginning to build products with built-in privacy features. More than 40 percent of consumers say they may be willing to pay companies to stop collecting, sharing and selling their personal information. Right now, that practice is prohibited in California, the state with the toughest privacy law in the U.S.  

notified™

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified™. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC 

If you receive a breach notice and would like to know how to protect yourself, contact the ITRC at no-cost by calling 888.400.5530 to speak with an expert advisor. You can also live-chat with an advisor on the company website. Also, download the free ID Theft Help App to access advisors, data breach resources, a case log and much more.  

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.



Phishing Attack Report Reveals Microsoft is the Top Spoofed Brand and Other Data Breach News

  • A recent report by Comparitech says that six percent of all Google Cloud environments are misconfigured and left open to the web for anyone to see.  
  • Dunkin Donuts settled in a lawsuit with the State of New York after being accused of not taking appropriate action in response to two cyberattacks dating back to 2015.
  • 217 Blackbaud users have announced they are impacted by the technology services provider data breach. The breach has affected at least 5.7 million individuals.
  • To learn about the latest data breaches, visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified™. Consumers impacted by a data breach can call the ITRC at 888.400.5530 or live-chat with an expert advisor on the company website.

It’s a busy week in the world of data breaches. A recent report says six percent of all Google Cloud environments are misconfigured and left open to the web where anyone can view them; Dunkin Donuts paid a settlement over a series of cyberattacks that resulted in multiple Dunkin Donuts data breaches; and there’s also an update in the data breach of Blackbaud.

Subscribe to the Weekly Breach Breakdown Podcast

Every week, the Identity Theft Resource Center (ITRC) looks at some of the top data compromises of the previous week in our Weekly Breach Breakdown podcast. This week, Dunkin, Blackbaud and Google Cloud highlight the list.

Misconfigured Google Cloud Environments

2020 has had its share of high-profile data events. So far in September, an estimated 100,000 customers of a high-end gaming gear company had their private information exposed from a misconfigured server. Another misconfigured server impacted 70 dating and e-commerce sites, leaking personal information and dating preferences. In Wales, personally identifiable information (PII) of Welsh residents who tested positive for COVID-19 was exposed when it was uploaded to a public server.

According to a recent research report published by Comparitech, six percent of all Google Cloud environments are misconfigured and left open to the web where anyone can view their contents. Amazon, the largest cloud provider, has also had issues with clients failing to secure their databases. There is no evidence that any of the data was stolen or misused by threat actors. However, the kinds of data Comparitech uncovered include thousands of scanned documents such as passports, birth certificates and personal profiles from children. This is not considered a data breach. Rather, it is categorized as a data exposure because the information was not taken; it was just exposed on the internet. With that said, it is a poor cybersecurity practice that puts consumers at risk.

If anyone uses a cloud database in their business, they should make sure their information is secure, starting with a password.

Dunkin Donuts Data Breach Settlement

Dunkin, the company many know as Dunkin Donuts, experienced multiple data breaches where at least 300,000 customers’ information was stolen. A settlement from a lawsuit with the State of New York was reached due to the Dunkin Donuts data breaches. The lawsuit alleged that Dunkin Donuts failed to take appropriate action in response to two cyberattacks dating back to 2015.

The New York Attorney General says Dunkin Donuts failed to notify its customers of a 2015 breach, reset account passwords to prevent further unauthorized access, or freeze the store customer cards registered with their accounts. The State also claimed Dunkin Donuts failed to implement appropriate safeguards to limit future attacks.

The company was notified by a third-party vendor in 2018 that customer accounts had, again, been attacked. Although the company contacted customers after the 2018 Dunkin Donuts data breach, the State claimed the notification was incomplete and misleading.

Dunkin Donuts will pay the State $650,000, refund New York customers impacted by the data breach, and will be required to take additional steps to prevent further Dunkin Donuts data breaches.

Businesses with customers in New York should check to see if the State’s new privacy and cybersecurity law, known as New York SHIELD, applies to them. It has very specific notice requirements in the event personal information is exposed in a data breach.

Blackbaud Data Breach Update

The ITRC notified consumers of a data breach of Blackbaud in August. The technology services provider announced in July that data thieves stole information belonging to the non-profit and education organizations that use Blackbaud to process client information. The cybercriminals demanded a ransom, and Blackbaud paid it in exchange for proof the client information was destroyed.

Since the data breach of Blackbaud was announced, 217 different Blackbaud users of all shapes and sizes have reported their clients’ information was impacted in the ransomware attack. Not every organization has listed how many people have been affected. However, the latest count from the organizations that have is 5.7 million individuals.

Blackbaud has not shared the number of customers with compromised information. Instead, they have relied on the customers to self-report it. Breach notices continue to be filed each day, and the ITRC will keep consumers updated on any future developments. 

notified™

For more information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC

If you believe you are the victim of an identity crime, or your identity has been compromised in a data breach, like the data breach of Blackbaud, you can speak with an ITRC expert advisor on the website via live-chat or by calling toll-free at 888.400.5530. Victims of a data breach can also download the free ID Theft Help app to access advisors, resources, a case log and much more.

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.



People are spending more time on their phones, tablets and computers now than ever, making the importance of cyber-hygiene tips as paramount as they’ve ever been. The Identity Theft Resource Center (ITRC) wants to highlight some of the best practices and steps that users can take to improve their online security.

We recommend everyone make these cyber-hygiene tips part of their regular routine to greatly reduce their risk of identity theft or other cybersecurity compromises.

1. Use a secure connection and a VPN to connect to the internet

A virtual private network (VPN) is a digital tool that keeps outsiders, such as hackers, identity thieves, spammers and even advertisers from seeing online activity. Users should also be wary of public Wi-Fi. While public Wi-Fi may be convenient, it can have many privacy and security risks that could leave someone vulnerable to digital snoops. If connecting to public Wi-Fi, be sure to use a VPN.

2. Get educated about the terms of service and other policies

It is important to understand what the terms of service and other policies say because, once you check the box, you may have agreed to have your information stored and sold, automatic renewals, location-based monitoring and more.

3. Make sure anti-virus software is running on all devices

It is very important to have anti-virus software running on every device because it is designed to prevent, detect and remove software viruses and other malicious software. It will protect your devices from potential attacks.

4. Set up all online accounts (email, financial, shopping, etc.) with two-factor or multi-factor authentication

Two-factor authentication (2FA) or multi-factor authentication (MFA) adds an extra layer of protection to your accounts; it requires at least two separate verification steps to log into an account. Relying on a minimum of two methods of login credentials before accessing accounts will make it harder for a hacker to gain access.

5. Use secure payment methods when shopping online

One easy cyber-hygiene step is to only shop on trusted websites and use trusted payment methods. Consumers should not use payment portals or shop on websites with which they are not familiar.

Always use a payment instrument that has a dispute resolution process – like a credit card or PayPal – if you have to shop on an unfamiliar site.

6. Use unique passphrases for passwords and do not reuse passwords

The best practice these days is to use a nine to ten-character passphrase instead of an eight-character password. A passphrase is easier to remember and harder for hackers to crack.

Also, users should employ unique passphrases; if they use the same one, hackers can gain access to multiple accounts through tactics like credential stuffing.

7. Never open a link from an unknown source

Do not click on links or download attachments via email or text – unless you are expecting something from someone or a business you know. If it is spam, it could insert malware on your device.

Also, never enter personally identifiable information (PII) or payment information on websites and web forms that are not secure or have not been fully vetted. It could be a portal to steal personal information.

8. Make sure devices are password protected

If devices are not password protected, it is just that much easier for a hacker to share or steal personal information. Without a layer of protection or authentication to access the device, all the information saved on it becomes fair game. Use a PIN code, biometric or pattern recognition to lock your devices and set the same protection for apps that have access to sensitive information like banking or credit cards.

9. Log out of accounts when done

Staying logged in is another bad habit that makes it much easier for someone to share or steal your information. Always log out of accounts when done so no one can get easy access to them.

While there is nothing that can be done to eliminate identity theft, account takeovers and other malicious intent, these cyber-hygiene tips will help keep consumers safe, as well as reduce the number of cybercrime victims.

Anyone who believes they have been a victim of identity theft or has questions about cyber-hygiene tips can call the ITRC toll-free at 888.400.5530 to speak with an expert advisor. They can also live-chat through the website or the free ID Theft Help app.



Identity theft is not one single type of crime. There are many different ways a criminal can use your information, such as applying for government benefits, getting a job under your Social Security number, receiving medical care or prescription drugs in your name, and of course, the financial aspects. But stealing from your bank account or signing up for a new credit card in your name are just scraping the surface when it comes to the harm identity theft can cause.

Tax identity theft occurs when someone uses your compromised information to file a tax return in your name. They fudge the numbers, enter an unrelated refund disbursement option like a prepaid debit card, and make off with your money before you ever know that anything has gone wrong.

How do they get their hands on your data in the first place? There are many ways, including:

  • Imposter scams
  • Data breaches
  • Stolen mail or W-2s
  • CEO/HR phishing scams
  • Corrupt insiders/tax preparation services
  • Unsecured and public Wi-Fi hotspots
  • Social Security number that is lost, stolen or compromised

Of course, it’s just as easy for a criminal to purchase your previously stolen information online, then use it to file a fraudulent return.

How can you know if someone has filed a return with your stolen information? Again, you may find out in different ways, but one common way is for the IRS to inform you.

They don’t usually call you up and say, “Guess what? Someone stole your identity!” Instead, it’s a lot more likely that the IRS will reject your legitimate tax return because someone has already filed using your Social Security number. Another way is someone not necessarily filing the entire return in your name, but rather claiming your dependents on their return if they’ve stolen your kids’ identities; in that case, the IRS will still contact you about the duplicated dependents. Finally, the IRS might contact you if someone files a business return involving your identity as an employee and the agency wants you to answer for the unreported income you supposedly earned but didn’t list on your return.

The fact of tax identity theft is that hundreds of millions of consumers’ identities have been compromised in different data breaches over the years. That means no one is immune from the threat of having their tax refund stolen.

For more questions and answers about tax identity theft, read our tips here.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.


In the age of the #selfie, there are millions of apps for users to apply teeth whitening, air brushing and the perfect filter for a flawless pic to be shared on social media. Unfortunately, downloading apps can also pose a security risk, depending on the app and the platform from which it was accessed.

Four million Android users who downloaded a popular app from the Google Play store are believed to have been infected with malware that has a variety of consequences. Some of these involve stealing access to your contacts list and pictures, while others actually redirect any popups to pornography websites. Trying to get rid of the app doesn’t work since the app remains hidden after deleting it, making it impossible to drag it to the delete garbage can icon.

The Google Play store for Android users and the App Store for iOS (Apple) users are two of the biggest app sources in the world, and they have two very different structures. Google believes in a more open-source approach, meaning any developer can list an app and users have a responsibility to read the reviews before downloading. Apple, on the other hand, has a reputation for being far more secure, but that comes at a price: listing an app on the iOS store can mean a lengthy wait while the app is tested and approved and a laundry list of requirements for developers to adhere to.

For better or worse, most of the affected apps in this case were downloaded in Asia. However, that doesn’t mean there aren’t malicious apps that are targeting US users with similar harmful tactics. Logically, Android users stand to be at a somewhat higher risk than Apple users due to the open nature of the Google Play store, but that doesn’t mean iPhone and iPad users are immune to this threat.

No matter which mobile operating system you use, you’ve got to be careful with your device. Read the user reviews before you download an app, and make sure there aren’t any specific privacy concerns mentioned. Also, read the app description itself and get a good idea of what kinds of access the app needs. If an app wants too much information or access that it shouldn’t need in order to function, then it’s best to skip it.



Sparking joy has taken on a whole new meaning thanks to the KonMari method of tidying up. Cleaning up your physical and digital life can help minimize your risk of identity theft.

Marie Kondo is taking the world by storm with the premise of decluttering your life, tidying up your home and work spaces, and basically living by a simple principle: if it doesn’t “spark joy,” you don’t need it. The mindset behind the so-called KonMari method has proven so effective that second-hand stores and thrift shops are seeing record-setting levels of donations.

This decluttering concept can be applied to physical possessions, but you should also consider its ability to benefit other areas of life. You might clean up your email inbox or desktop for example. There’s another level of protection that consumers can take from this “spark joy” concept, and that’s keeping their identities out of a criminal’s hands.

Before You Begin

There are a number of steps that can help you organize your identity before you ever have to deal with cluttering consequences. These would include things like halting subscriptions to magazines and newspapers you don’t read, blocking credit card offers with your financial institutions, going “paperless” on bills and bank statements, and more. By ensuring these things don’t arrive at your home, you’ll have less clutter to deal with and fewer security pitfalls that a thief could exploit.

Another possible vulnerability is your email inbox. Adopt the good habit of not just deleting unwanted emails, but actively unsubscribing from them. This will require you to open them, scroll all the way down, and click unsubscribe. Do NOT follow this procedure for emails that appear to be scam attempts, as clicking a link can redirect you to a harmful website or install malicious software on your computer. Are you holding on to an old email address?

Physical Mail

As for identity tidying in your home or workplace, that can seem very daunting. Don’t worry, it’s not. Following commonly shared methods from organizational experts like Marie Kondo and others, you can start by creating “piles.” Establish a temporary spot for everything that could be linked back to your identity: a pile for bills, a pile for junk mail, a pile for important papers, and more.

The bills: your monthly bills must be accessible but protected, so find a spot where you are most likely to see them but others are not likely to come across them. As you pay a bill, shred the remaining mailer portion so that you don’t end up with random piles of paper that will need to be addressed later.

Junk mail: it’s too easy to toss some junk mail on the counter and think you’ll deal with it later. It’s even easier to throw it in the trash unopened, but that could lead a dumpster-diving identity thief to pieces of your overall data puzzle. Keep a basket near your cross-cut shredder to stash these items until you’re ready to shred.

Important papers: a lot of people would agree that tax documents, health insurance statements, and other key papers don’t exactly “spark joy” and therefore should be done away with immediately. However, that’s not wise. What is useful, though, is investing in a small file cabinet or file box where important papers can be stored when not needed. It’s important that this file be accessible in an emergency but not left out in the open where anyone could rifle through it.

Digital Clutter

It’s easy to forget that your identity is vulnerable online, too, but the same principles behind decluttering can help you in the virtual space. Investing in an external hard drive or cloud-based storage subscription can protect the things you want to keep while getting them out of your physical space. Even better, if there’s a paper you might need at a later date, you can simply photograph it or scan it, then store it in these outside spaces. That way, you can discard the original but retain a protected printable copy if you need it.

Mobile Apps & Privacy Settings: First, take a look at all of the apps on your device – are there any you’re not using anymore? Delete those.

Second, visit your mobile device settings to see what information your applications are collecting from you and update them for increased privacy. For example, you might need to let a map app see your location, but does it need to be active all the time or just when in use? The same goes for photos: do all of your apps need access to your media library? Definitely not. It’s also a good time to run any updates for your phone software or apps. Read the descriptions carefully and note any cybersecurity language before choosing to update.

You should also be concerned about the permissions you allow (see trustjacking) the mobile apps on your device. Through these apps, third parties might be tracking information about you that you might not realize, like your location, search history and even your photos. Even if they aren’t actively using this collected data, they’re still storing it, which can leave your personal information vulnerable to cyberattacks should the third party fall victim to a breach.

Also, think twice before discarding that old device. Be sure to reset to your factory settings.



Valentine’s Day is just around the corner and many people are looking to swipe right on a match through a dating app in hopes of meeting their suitor in real life. In 2018, Tinder alone processed a record 1.6 billion swipes a day. With 40 percent of Americans switching to online dating, there’s now an app for every kind of user preference including dog lovers, foodies and celebrity look-alikes. With love in the air, scammers are also upping their game on these platforms in order to get your money or personal information. Let’s talk about how to swipe left on a romance scam.

Many popular dating apps like Tinder and Zoosk have reported numerous incidents of romance scams taking place on their platforms. Scammers are becoming more advanced in their techniques, including using chatbots to reach more people at a faster rate and evolving their messages to remain current. To avoid being caught, scammers might also try to lure you off the dating app by claiming they are canceling their account or some other excuse. Don’t go breaking your heart or your bank; read more about how to detect a romance scam here.

When using dating apps you should always be conscious of the information you disclose and who you choose to talk to. Be extra leery if someone gives you excessive compliments, reveals in-depth information about themselves immediately, is located outside your country, asks for money or expresses interest in marrying right away. If you come across a scammer, report their profile right away to the company they have an account with. Never send anyone from a dating app money, passwords or login info to your accounts or personal contact information.

Who would’ve thought that swiping right on a popular dating app could get you in the hands of an identity thief? Kerrie Roberts with sponsor Experian and Eva Velasquez of the Identity Theft Resource Center weigh in on the ever-so-popular “romance scams.”

