Posts

  • Identity criminals can compromise people’s phones and devices through weaknesses in the device operating software, applications and SIM swaps.
  • To protect your device from a tablet or phone hack, automatically download patches and software updates as soon as they are available, set up your lock screen to use biometrics or a password/passcode/PIN, enable “Find My…” device features, only download apps from the device manufacturer’s app stores, and avoid public Wi-Fi if possible.
  • You will know if you suffered a tablet or phone hack if you can’t make or receive calls, access your device, or there are calls and text messages that you did not initiate. Certain kinds of malware can also slow your device and result in your battery draining faster.
  • If you believe you’ve been compromised, pull out your SIM card, contact your carrier and be prepared to reset your phone or tablet.
  • To learn more, contact the Identity Theft Resource Center. You can speak with an advisor toll-free by phone (888.400.5530) or live-chat on the company website www.idtheftcenter.org.

As phones and tablets become more and more like portable mini-computers and the world moves towards digital versions of paper documents and currency, more personal data is stored on our devices. This makes them attractive targets for thieves who want to steal or sell your information or impersonate you, which could lead to you having your tablet or phone hacked. Many people are afraid of being hacked, but what does being “hacked” truly mean?

People think of being hacked as a third party gaining access to a device through some highly specialized technology where they’re able to crack passwords and get around device security. When it comes to tablet and phone hacks, that usually isn’t the case. Unfortunately, it can be much simpler than that for a thief to gain access to a device because of our own behaviors.

How They Access Your Device (While You Still Have It)

  • Through known weaknesses in the device software – those software update notices you get are to patch those weaknesses and add new features. If the device doesn’t have the latest update, it’s open to known vulnerabilities.
  • Through downloads – app downloads or clicking on links that download software.
  • SIM swap – a criminal calls your carrier pretending to be you and moves your phone number and backup data to another device.

How to Protect Yourself or Your Mobile Device

  • Download patches and software updates as they become available.
  • Only download apps from approved app stores from the maker of your device (Google, Samsung, Apple, Microsoft, for example). These apps have been through a review process to help ensure your safety and security. Some devices and applications are more security and privacy respectful than others. Be sure to do your research first.
    • Look at the data collection notice – the more data they want to collect from you, the less legitimate the app developer may be.
    • Look for apps that have high ratings from a large number of people.
    • Watch out for apps that tell you to download directly from their site instead of through a manufacturer’s app store.
  • Don’t download apps directly from a website. Cybercriminals create legitimate-looking websites with malware-filled applications for download. The only way to reduce your risk of a tablet or phone hack is to avoid direct downloads and rely on your device maker’s app store.
  • Don’t use public Wi-Fi for your mobile devices or laptop.

How to Protect Your Device If It’s Lost or Stolen

  • Report your mobile phone or SIM card-enabled tablet as stolen to your mobile carrier. The carrier can disable the service and recognize the device if someone tries to connect it to a new or different account.
  • Make sure you have the “Find My…” device enabled for your phone, tablet and smartwatch. If your device is lost or stolen and the SIM card has not been removed, you can locate the device or disable it so it cannot be used until returned. If the SIM card has been removed, that defeats the “Find My” feature.
  • Set up your lock screen to use biometrics, a password, or passcode (PIN). This will make your device difficult, if not virtually impossible, to compromise depending on the device maker.

How to Know if Your Device Was Compromised

  • You can’t make outbound calls or receive inbound calls.
  • You can’t open your device or access your apps.
  • There are outbound calls or texts not initiated by you.
  • You’re using more data than usual.
  • Your battery is draining faster than normal, but you’re still using the device the same amount of time, performing the same tasks as usual.

What to Do if You’ve Been “Hacked”

  • Pull your SIM card.
  • Contact your carrier for a mobile phone or tablet with a SIM card.
  • Be prepared to reset your phone or tablet if asked by your carrier. You can usually do this through your phone account or restore your device to the factory settings.
  • If your tablet is Wi-Fi only, contact your device maker’s support department.
  • Be careful if using a backup to restore your settings. Your backup may include malware, so consider only restoring your data and not your applications. You can reload the latest versions of your applications from the original app store.

Contact the ITRC

If you believe you have suffered a tablet or phone hack and want to learn more, contact the Identity Theft Resource Center. You can speak with an expert advisor toll-free by phone (888.400.5530) or live-chat on the company website. Just visit www.idtheftcenter.org to get started.

  • Amazon recently connected to its new network, “Sidewalk,” leaving some people wondering how to opt-out of Amazon Sidewalk. It takes a little piece of network bandwidth from people who have either an Amazon Echo or a Ring doorbell connected to their Wi-Fi and shares it with others who have Amazon devices to create a mesh network.
  • While Amazon says the information will not be shared with other devices on the network, it still connected to people’s devices without their permission.
  • To opt-out of Amazon Sidewalk on an Amazon speaker, open the Alexa mobile app and go to More > Settings > Account Settings > Amazon Sidewalk and choose Disable. For a Ring doorbell, in the app go to Control Center > Amazon Sidewalk > Disable > Confirm.
  • To learn about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) data breach tracking tool, notified.
  • For more information, or if someone believes they are the victim of identity theft, consumers can contact the ITRC toll-free at 888.400.5530 or via live-chat on the company website www.idtheftcenter.org.

Sharing is Not Caring

Welcome to the Identity Theft Resource Center’s (ITRC) Weekly Breach Breakdown for June 11, 2021. Our podcast is possible thanks to support from Experian. Each week, we look at the most recent and interesting events and trends related to data security and privacy. This week, we will talk about how your parents, grandparents and teachers were wrong when you were young – at least when it comes to cybersecurity. We will also discuss how to opt-out of Amazon Sidewalk, a new mesh network.

How many times did you hear someone tell you that you need to share your toys with your sister or brother? “Share what you have” with your friends probably was thrown in there, too – along with this chestnut: sharing is caring.

That might be true on the playground when you’re talking about a cup of goldfish crackers. However, in today’s episode, we are talking about privacy and cybersecurity. Sharing is definitely NOT caring, especially when you’re forced to give up a piece of your internet bandwidth to your neighbors.

Amazon’s New Mesh Network “Sidewalk”

We are talking about Amazon’s new mesh network known as “Sidewalk.” Sounds innocent enough, right? It makes you think of walking around your neighborhood waving at your friends sitting on their front porch while you take a stroll with your trusty dog Rex.

Except in this scenario, you have an Amazon Echo smart speaker and a Ring doorbell connected to your Wi-Fi. Rex is wearing a Tile smart tag, so you can find him when he runs away to make a deposit on a neighbor’s lawn. All of those Amazon smart devices are now automatically connected to the new Sidewalk network that went live on June 8, without your permission.

What the New Sidewalk Network Does

Right about now, you may be wishing you could trade that glass of lemonade you have been nursing on your walk for something a little stronger because chances are you’ve never heard of Sidewalk. That’s what Amazon calls its new local network that takes a little piece of your network bandwidth, up to 500 MB per month, and shares it with your neighbors who also have Alexa hanging around their houses.

The idea is it boosts Wi-Fi signals in weak areas by pooling the bandwidth of every house that has an Amazon device on a network. This “take a little here and give a little there” approach is known as a mesh network.

What It Means

Amazon hasn’t been shy about touting the benefits of this kind of expanded network. It means when Rex runs away, that Tile smart tag you put on his collar can be tracked as long as Rex is near the new neighborhood-wide network. It means a sketchy signal will not prevent your Ring doorbell from showing you that pimply-faced kid who just showed up to take your daughter to the movies. Also, it means you can ask Alexa to tell you a joke in parts of your house where you couldn’t connect until Sidewalk launched.

What it doesn’t mean, according to Amazon, is that Alexa will share your information with the other devices in your neighborhood that are now connected to the wider network. There are also strict limits on how much bandwidth Sidewalk can use per month, so your internet bill doesn’t go through the roof.

While that’s good to know, it doesn’t change the fact that Sidewalk is, like Alexa and Ring, always on and you were not asked if you wanted to join the network.

How to Opt-Out of Amazon Sidewalk

Fortunately, there is a way to jump off the Sidewalk by changing the settings on your Amazon devices. Here’s how to opt-out of Amazon Sidewalk:

  • For the Echo family of speakers, open the Alexa mobile app and go to More > Settings > Account Settings > Amazon Sidewalk. Choose Disable, and you’re done.
  • In the Ring app, go to Control Center > Amazon Sidewalk > Disable > Confirm.

While you’re busy putting your Wi-Fi back in the house where it belongs, make sure you have a strong password on your home network to keep cybercriminals and your cheapskate neighbor off your network. Sorry, we can’t do anything about the kids or dogs on your lawn.

Contact the ITRC

If anyone has questions about keeping their personal information secure or on how to opt-out of Amazon Sidewalk, they can visit www.idtheftcenter.org, where they will find helpful tips. People can also sign-up to receive our regular email updates on identity scams and compromises and download our latest report on how identity crimes impact individuals.

If someone thinks they have been the victim of an identity crime or a data breach and needs help figuring out what to do next, they should contact us. Victims can speak with an expert advisor on the phone, chat live on the web or exchange emails during our normal business hours (6 a.m.-5 p.m. PST).

Thanks to Experian for supporting the ITRC and this podcast. Next week, be sure to check out our sister podcast, The Fraudian Slip, when we talk with the CEO of LexisNexis Special Services about the role of information in preventing identity crimes. We will be back in two weeks with another episode of the Weekly Breach Breakdown.

  • The list for the most common passwords in 2020 is out, released by cybersecurity firm NordPass. The three most common passwords of 2020 are 12345, 123456789 and picture1.  
  • Weak passwords continue to be a security issue. According to Verizon, compromised passwords are responsible for 81 percent of hacking-related data breaches.
  • To strengthen password security, consumers should change their password to a passphrase, never reuse a password (consider a password manager), use two-factor authentication when possible and never use work passwords at home (and vice versa). 
  • For information about recent data breaches, consumers and businesses should visit the Identity Theft Resource Center’s (ITRC) new data breach tracking tool, notified™.
  • For more information on how to upgrade your password, contact the ITRC toll-free at 888.400.5530 or by live-chat on the company website.  

Subscribe to the Weekly Breach Breakdown Podcast  

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we will look at one of the behaviors that are increasingly at the foundation of many, if not most, data compromises in 2020: weak passwords.

Why Passwords are Important 

As ITRC Chief Operating Officer James Lee mentions in the podcast, like the Porter outside Macbeth’s castle, passwords are designed to allow entry to our personal and work castles. Passwords protect the devices that are home to the applications and data we use and create.  

Passwords in the 1980s and 1990s 

People have been protecting passwords since the 1980s. The first passwords were simple, and most people only needed one. Maybe the password was assigned to someone at work, so they used the same one at home; that is if there was a computer at home. People were told never to write down their password.  

Then came the internet in the mid-1990s, and suddenly there was a need for more passwords. People needed a password for their AOL or Earthlink account. Eventually, people had to add passwords to the handful of other online accounts they created. However, most people probably just used the same word or set of numbers that was their device login password. 

Passwords Today 

Fast forward to today: according to cybersecurity firm NordPass, the average person now has to manage a staggering 100 passwords, up 25 percent from 2019. The rise is due, in part, to the increase in online transactions during 2020 related to COVID-19.

Most Common Passwords 

NordPass also publishes an annual list of the most common passwords, which also corresponds with the passwords cracked most often by professional data thieves. Here are the top 10 most common passwords of 2020 and how long it takes a cybercriminal to crack the password: 

  1. 12345 (takes less than one second to break)
  2. 123456789 (takes less than one second to break)
  3. picture1 (takes up to three hours to crack)
  4. password (takes less than one second to break)
  5. 12345678 (takes less than one second to break)
  6. 111111 (takes less than one second to break)
  7. 123123 (takes less than one second to break)
  8. 12345 (takes less than one second to break)
  9. 1234567890 (takes less than a second to break)
  10. Senha (the Portuguese word for password; takes 10 seconds to break)

The Dangers of Weak Passwords 

Weak passwords allow cybercriminals to access systems and accounts easily. People use weak passwords because there are so many to remember, which also prompts people to use the same weak passwords on multiple accounts and use them at work and home. 

Here are a few statistics from earlier in 2020: 

What You Can Do to Avoid Weak Passwords 

The good news is that people can do many things to make sure they have strong passwords that will keep their accounts secure. Here are some tips: 

  • Change your password to a passphrase. Use a passphrase like a movie quote, a song lyric, or a favorite book title that is easy to remember and at least 12 characters long. It would take a cybercriminal 300 years to crack a 12-character passphrase with upper and lower case letters. If you add a number, the passphrase will last 2,000 years.  
  • Never reuse your passwords, or passphrases since you just upgraded, right? If you have too many passwords to remember, use a password manager. If you want a free solution, many browsers offer a form of a built-in password manager. Safari and Firefox are two examples. 
  • Use two-factor authentication when it’s available. An authentication app like those offered by Microsoft and Google is best. However, even the two-factor authentication version that sends a code to you by text is better than no multi-factor authentication. 
  • Never use your work password at home, or vice versa. Stolen work credentials are one way cybercriminals get the access they need to launch ransomware attacks against companies.

notified™

For information about recent data breaches, consumers and businesses should visit the ITRC’s new data breach tracking tool, notified™. It is updated daily and free to consumers. Organizations that need comprehensive breach information for business planning or due diligence can access as many as 90 data points through one of the three paid notified subscriptions. Subscriptions help ensure the ITRC’s identity crime services stay free.

Contact the ITRC  

If you have questions about how to upgrade your password to protect your information from data breaches and exposures, visit www.idtheftcenter.org, where you will find helpful tips on this and many other topics. If you think you have already been the victim of an identity crime or a data breach and you need help figuring out what to do next, contact us. You can speak with an expert advisor at no-cost by calling 888.400.5530 or chat live on the web. Just visit www.idtheftcenter.org to get started. 

Join us on our weekly data breach podcast to get the latest perspectives on the last week in breaches. Subscribe to get it delivered on your preferred podcast platform.  

  • Vertafore, a Denver-based insurance tech company, discovered three files containing driver-related information were posted to an unsecured online storage service. The files included data from before February 2019 on nearly 28 million Texas drivers.
  • The files included lienholder information, drivers’ license numbers, names, dates of birth, addresses and vehicle registration histories.
  • Failing to secure a cloud database is tied with ransomware as the most common cause of data compromise, according to IBM. The ITRC’s own data breach information corroborates the findings.
  • Consumers impacted by the Vertafore data compromise need to follow the advice given by Vertafore and the Texas Department of Public Safety. Vertafore is offering one year of free credit monitoring and identity restoration services.
  • For more information on the Texas driver’s records exposed, contact the Identity Theft Resource Center toll-free at 888.400.5530 or live-chat on the company website.
  • For the latest on data breaches, visit the ITRC’s data breach tracking tool notified™.

Subscribe to the Weekly Breach Breakdown Podcast

Every week the Identity Theft Resource Center (ITRC) looks at some of the top data compromises from the previous week and other relevant privacy and cybersecurity news in our Weekly Breach Breakdown Podcast. This week, we will discuss the Vertafore data compromise, in which a cloud storage service left without security exposed personal information to the risk of being stolen by a cybercriminal.

What We Know

There is one thing that almost everyone carries in their pocket – their driver’s license. Without a driver’s license, people can’t legally drive or show proof of age or identity. It is one of the most important forms of identification a person needs in the U.S. That is why a recent event that led to Texas driver’s records being exposed has millions of people worried about how it could affect them.

Vertafore, a Denver-based insurance tech company, discovered that three files containing driver-related information were moved to an unsecured online storage service. In other words, they were moved to a third-party cloud database with no security. The files included data from before February 2019 on nearly 28 million Texas drivers. The files included lienholder information, drivers’ license numbers, names, dates of birth, addresses and vehicle registration histories.

In a statement announcing that Texas driver’s records were exposed, Vertafore says there is no evidence of information misuse. However, the company acknowledges that there is evidence an unknown and unauthorized party accessed the information. Other Vertafore data – including partner, vendor or additional supplier information – and systems remain unimpacted. No Vertafore systems were found to include known software vulnerabilities, and Vertafore immediately secured the suspect files.

Investigators hired by the company believe the unauthorized access to the data occurred between March 11 and August 1 of 2020. The files supported one of Vertafore’s products that helps insurance companies determine insurance policy costs. The files did not contain Social Security numbers or financial information about consumers. Vertafore is offering one year of free credit monitoring and identity restoration services.

Cloud Databases Continue to be Left Unsecured

Unfortunately, this kind of event is far too common. On last week’s podcast, we highlighted another company that left a cloud database unsecured, leading to nearly ten million people’s travel accounts being available online.

Failing to secure a cloud database is tied with ransomware as the most common cause of data compromise, according to IBM. The ITRC’s own data breach information corroborates the findings. Most of the time, there is no evidence data thieves removed or copied the data – meaning the risk of misuse is relatively low. However, it is not zero. It is why consumers impacted by the Vertafore data compromise need to follow the advice given by Vertafore and the Texas Department of Public Safety.

How the Data Ends Up in the Hands of a Private Company

The event that led to Texas driver’s records being exposed has prompted consumers to ask questions about how their driver’s license and related data end up in the hands of a private company. That is not an uncommon question when data breaches, compromises and exposures involve businesses that victims have never heard of – and did not give permission for their data to be shared.

While the answer to the question varies from state to state, the response is almost always some version of “it’s legal.” Also, consumers rarely have the opportunity to “opt-in” or “opt-out” of the sale or sharing of information like driver’s license data by the government.

In response to questions about the Vertafore compromise, the State of Texas issued a statement about the use of driver’s data:

“Texas law permits, and at times requires, the release to authorized parties of driver license and vehicle registration information.”

In the case of Vertafore, the permitted use involves ensuring companies have the data they need to appropriately price insurance premiums for drivers.

Even the nation’s toughest privacy law, the California Consumer Privacy Act (CCPA), allows personal information from government agencies to be sold and shared for certain purposes without the consumers’ consent. Generally, consumers cannot opt-out of these uses if they are designed to prevent fraud or are used to verify someone’s identity.

Contact the ITRC

If you have questions about how to protect your information from data breaches and data exposures, or if you want to learn more about the Vertafore data compromise, contact the ITRC. You can speak with an advisor toll-free over the phone (888.400.5530), live-chat on the web, or email itrc@idtheftcenter.org during business hours. Just visit www.idtheftcenter.org to get started. Also, download the free ID Theft Help App to access resources, a case log and much more.  


With some businesses opening back up after temporarily closing due to the COVID-19 pandemic, scammers are trying to capitalize using online job scams to steal people’s personal information.

Recently, Scripps Health found hackers exploiting job seekers through phishing emails with Scripps Health-themed “lures.” Scripps sent the following email to warn their community members:

Image provided to the Identity Theft Resource Center by public

ATA Engineering, another San Diego-based company, reports they also are seeing similar-type online job scams.

The Identity Theft Resource Center (ITRC) has seen a rise in victims contacting the organization about online job scams, including phishing emails. Some of the particular job scams reported to the ITRC include ones from Indeed, Zip Recruiter, and Facebook. The ITRC has had more than 40 victims reach out about online job scams the last three months.

Who Is It Targeting

People looking for work amid the COVID-19 pandemic.

What Is It

Either a fake listing posted on a job board or a phishing email, robocall, social media message, or text message looking for a response.

What Are They After

While scammers attack in different ways, they are all looking for one thing: personal information. They hope they can trick people who are desperate or vulnerable into giving up sensitive data like usernames and passwords, financial data, or Social Security numbers. Once scammers have that information, they can commit many different forms of identity theft.

How You Can Avoid It

  • Never click on a link or open an attachment from an email you are not expecting. Instead, go directly to the source to verify the validity of the message.
  • Review all emails and websites carefully to make sure there are no suspicious addresses, subject lines or URLs.
  • Be careful about how much personal data you share, at least during the application process. Do not turn over information like your Social Security number until you are hired.
  • Make sure you have the job, and it is legitimate, before giving away financial information like a bank account number or routing number for direct depositing of paychecks.

If you think you may have fallen victim to an online job scam, you can call the ITRC toll-free at 888.400.5530. You can also live-chat with an expert advisor on the company website.
