Posts

Securing Our Nation’s Critical Infrastructure Is Everyone’s Responsibility

In Week 4 of #CyberAware Month we’re emphasizing the importance of securing our critical infrastructure and highlighting the roles the public can play in keeping it safe.

A nation-wide pizza chain made news in 2018 by announcing a new contest: nominate your town for pothole repair. The very endearing marketing tactic asked customers around the country to explain why their town deserves a little roadway TLC in order to keep pizzas from bouncing around the car on the way to their tables. One winner would be chosen, and the chain would fund pothole repair for that city.

As fun as that sounds, maintaining and protecting our infrastructure isn’t a game, especially when it comes to the real threat of cyber attacks. These coordinated attacks can disable anything from our power grid, telecommunications and E-911 systems, water supply and sewage and more. Taking down even one of these vital utilities with a cyber attack would have devastating consequences while targeting more than one system could cripple entire sections of the country.

October is National Cyber Security Awareness Month, a project hosted by StaySafeOnline. This year’s theme is “Our Shared Responsibility,” and each weekly theme focuses on how consumers, businesses, and stakeholders can play key roles in protecting against hacking, data breaches, and other related crimes.

But how are members of the public supposed to prevent a large-scale hacking event that aims infrastructure? It’s one thing to update your home computer’s antivirus or log out of your sensitive accounts when you’re not using them, but those behaviors will hardly stop highly-skilled operatives from threatening a country’s water supply.

Or can they? Can the security behaviors you adopt prevent the next widespread cybercrime? StaySafeOnline certainly thinks so, and will offer crucial information to the public on ways that they can take an active role in securing our country’s infrastructure: “Our day-to-day life depends on the country’s 16 sectors of critical infrastructure, which supply food, water, financial services, public health, communications and power along with other networks and systems. A disruption to this system, which is operated via the internet, can have significant and even catastrophic consequences for our nation.”

One of the most obvious ways that consumers can protect these necessary resources starts with protecting their own networks. Your home computer, your smartphone, and your Internet-of-Things connected devices are all sources of potential vulnerabilities. If you’re in any way connected to the public utilities—even theoretically something as mundane as paying your electric or water bill online—it could result in fraudulent access to the utilities if hackers gain access through your computer.

By securing your own devices and networks first, you’re possibly preventing a cybercriminal from compromising your device and using that connection to gain access to a “bigger fish.” Third-party attacks, commonly associated with small businesses who have connections to larger corporations, are a recognized avenue of attack. The Black Friday data breach that affected Target in 2013, for example, was eventually traced back to a third-party vendor who worked on the refrigeration units for a small number of Target locations.

Safeguarding your own network and devices is always a smart thing to do, and it can prevent a lot of headaches for you down the road. In today’s connected digital climate; however, your own security steps just might protect us all.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

October is National Cybersecurity Awareness Month, and there’s no bigger “holiday” for those who work in information technology, digital safety and tech security. Okay, that might be a tiny exaggeration; However, it is safe to say this: cybersecurity professionals keep our internet and networks safe from hacking, data breaches, scams and fraud, and there simply aren’t enough cyberheroes doing the job.

Just in 2017, data breaches hit a new record high of 1,579 breaches, indicating a drastic upturn of 44.7 percent increase over the record high figures the year before. Fortunately, there’s never been a better time to pursue a career in computer security or data protection. The theme for week two of NCSAM is to highlight the intense need for highly-skilled, dedicated professionals who are interested in the landscape of modern crime and warfare known as our computers and the internet.

But who has the chance to become a superhero? Anyone! Only two years ago, there were an estimated one million unfilled jobs in the U.S. in the cybersecurity field, and that number is expected to be 3.5 million by 2021. There has never been a better time to consider this field, and there may have never been a more critical need than right now.

1. Middle school and high school – It’s never too early to begin learning about data breaches, information technology, cybersecurity and other tech-related subjects. Unfortunately, you’d be hard-pressed to find more than a few high schools even offering this type of course. There are some really dynamic online sources for teens, though, and the first step is simply to get students interested in the field and talking about the subject.

2. College and career – More and more colleges are offering cybersecurity degrees, and many of those schools even offer a fully online bachelor’s degree in the field (after all, you’re going to be working online a lot, you might as well earn your degree that way!). The programs have grown in number to the point that multiple sources have already ranked colleges’ and universities’ cybersecurity degree programs according to best value, best education, highest number of graduates working in their field and more.

3. Returning learners – For one reason or another, the average person changes careers between five and seven times during the span of their work life. Some of the reasons include better pay or benefits, more flexibility, a lack of opportunity in their previous field, or simply the chance to reinvent themselves after years in a fulfilling career. Cybersecurity is relatively new, it’s constantly evolving, it’s an incredibly high demand, and for some, it’s a job that a professional could do as a freelancer or from home. All of those factors make cybersecurity and information technology exciting possibilities for older, non-traditional or returning students.

No matter why you consider the cybersecurity field, there’s never been a better time to take on the challenge. It’s a widely recognized and highly sought after area of study while also serving the greater good and protecting the public. (The $100,000+ average annual salary doesn’t hurt, either.) If you’re looking for an exciting opportunity that can offer you variety mixed with longevity, talk to a college, university or career counselor about cybersecurity.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: Our Shared Responsibility Begins at Home

National CyberSecurity Awareness Month, an annual cybersecurity experience hosted by Stay Safe Online, has officially kicked off its 15th year. This October event, which brings together stakeholders from every level of online security, is geared towards everyone from top-tier cybercrime analysts to the most vulnerable everyday internet users. The goal remains the same each year: to ensure that the most up-to-date information on cybersecurity is accessible to all users and is at the forefront of their tech decision-making.

This year’s month-long theme is “Our Shared Responsibility,” but the focus of week one is how cybersecurity begins at home. Lessons on every aspect of our physical and emotional safety begin with those who care about us the most, and internet safety is no different. Creating an environment of secure internet access and understanding leads to life-long Cyber Aware users.

To know what lessons to impart, parents and other caregivers need to understand the changing needs for all users within the home. Young children might only enjoy a few minutes of screen time on a tablet with specifically chosen apps, while older teens gain more and more responsibility—and exposure—through social media, browsing, the “latest” app that everyone’s talking about, and more.

At every age and for every user in a household, the privacy and security pitfalls can change. That’s why it’s essential to remain in the know about the kinds of cybersecurity issues that different people may face:

  1. Young children – For most youngsters, it may be up to Mom and Dad to enter their information into an age-appropriate account, so it’s also up to the parents to understand what information they’re sharing, what permissions they’re granting, and where that information can end up. Understanding what kinds of data breaches have taken place in the past can also help, such as the VTech breach or ones involving public schools and doctors’ offices.
  1. Preteens and Tweens – Every generation has thought that kids were growing up too fast these days, but when it comes to technology—especially unsupervised access to it—that may be truer now more than ever before. The average age for US kids to get their first smartphone is now ten years old, and that can mean unprecedented access to the internet, downloadable apps, social media, and more.
  1. Teens and Young Adults – One of the most commonly associated cybersecurity issues for young adults is probably cyberbullying, especially on social media, but that’s just one of the many dangers this age group can face. While it’s important to discuss proper behavior online as well as what to do if they’re targeted, it’s also vital that parents discuss scams, fraud, identity theft, hoaxes, and more. One staggering statistic, for example, has shown that senior citizens may be more likely to be targeted by a scammer, but Millennials are the ones who lose more money to online scams and fraud.

No matter what age your family members may be, NCSAM is an excellent time to explore your privacy, security, and overall digital safety.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

Today, Facebook announced a recently discovered security breach that relied on an open vulnerability in the platform’s coding. The “View As” feature, which lets users see their own profiles in the way that others see them—without all of the extra admin sidebar content that lets you control your wall—contained script that allowed hackers to use around 50 million accounts.

Facebook first closed the vulnerability and forced a re-login for the 50 million affected accounts. Then, they repeated the forced login for an additional 40 million accounts that didn’t seem to have been affected but that had used the View As feature.

From there, Facebook shut down the View As feature until they can secure it from further fraudulent use.

According to a report about the incident from Facebook, “Our investigation is still in its early stages. But it’s clear that attackers exploited a vulnerability in Facebook’s code that impacted ‘View As,’ a feature that lets people see what their own profile looks like to someone else. This allowed them to steal Facebook access tokens which they could then use to take over people’s accounts. Access tokens are the equivalent of digital keys that keep people logged in to Facebook so they don’t need to re-enter their password every time they use the app.”

Whether you hear anything official from the company or not, there are some actionable steps you should take. First, change your password—which you really should be doing routinely in order to maintain your privacy and security. Any apps that you’ve connected to Facebook (you’ll know you’ve done this if you are able to log into it with your Facebook account) need to be force closed and logged out; it’s a good idea to a) change your password on those if you have one, and b) revoke the permission for Facebook to connect with it by going into your Facebook settings and removing it. Go into your settings and find all of the current devices you are logged into ( see screenshot above) and click “Log out of all devices” to ensure that no one with bad intentions may still be logged in to your account.

Finally in this case, changing your password means that you are changing the tokens on your devices that allow you to stay logged in. By doing this, it should update the tokens that might have fallen into the hands of bad-actors that might want the valuable personal information that would be in your Facebook profile. Remember, periodic proactive checks to your privacy and security settings will help you stay one step ahead of the identity thieves.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

One of the great mysteries of social media—apart from why people need to share photos of their dinner—is what makes someone post false information without hoping to gain from it. These hoaxes sometimes end up going viral and taking on a life of their own, and the original sender only gets a little temporary boost in their visibility online.

There have been a lot of Facebook scams over the years and more than a few hoaxes, too. The key difference between the two is that scams and fraud seek to steal your identity, your money, access to your computer or account or some other criminal gain. Hoaxes, on the other hand, seem to only bring joy to the creator when they watch how many people share the misleading or false information.

A recently reported double-hoax playoff of changes to Facebook’s algorithms, while also requiring the “copy-paste” behavior to make it spread. Earlier this year, Facebook announced that it would adjust what types of posts and content showed up in your feed to make less relevant, commercially-based posts appear less frequently. It didn’t take long for people to assume Facebook was censoring posts and blocking some of your friends.

This hoax takes that fear to a new level and urges participants to “sneak” into a separate Facebook news feed, accessible only by copying and pasting their message into a new post. The message specifically states that you will be able to “bypass” Facebook’s algorithms and see posts from friends you haven’t heard from in years.

Unfortunately, it’s not true. There is no secret backdoor Facebook newsfeed hidden beneath fancy computer code, and copying the message to share with all of your friends will only highlight the fact that you  fell for a phony message. Sadly, engaging in comments to inform your friends that their post is a hoax will have the same engagement effect and cause the hoax to continue to spread.

Whenever you come across a social media hoax, it’s better left untouched. Don’t click “like” or any of the angry/frustrated emojis, don’t comment on it and don’t share it, even accompanied by a message that warns people of the hoax. Any engagement you give it simply gives it more visibility and power. If there is anything dangerous or compromising about the post that could lead to loss of money or data, try to message the person who shared it privately and explain the issue.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Read next: The Harm in Hoaxes on Social Media

Social media has changed the way people interact with each other in both good ways and bad ways. It’s amazing to connect with people all around the world or to find a long-lost classmate from seventh grade. It’s something else altogether, though, to find yourself in a compromising situation because of something you posted online.

One of the more recent features of different social media sites like Facebook, Instagram or Twitter is the ability to broadcast live video to your followers. This feature can be fun and entertaining or even educational, but if you’re not sure how the platform works or what kind of surroundings you’re broadcasting from, you may be unhappy with the results.

1. How long is my video accessible, and who can see it? – Those questions depend on the platform you’re using. Twitter’s Periscope or the Meerkat platform, for example, are available to anyone who chooses to click on your name. Facebook Live can be limited, meaning you can broadcast to everyone or just to your friend’s list. Instagram Live, though, is by default set to allow anyone to see your video; you have to adjust that setting yourself if you want to keep it private.

As far as how long the video is available, there are key differences you should know before you press the button to go live. Instagram Live videos are gone the moment the camera turns off, but Facebook Live videos can repeatedly be viewed and at a later time.

2. What’s going on around you? – You’ve probably seen some viral videos with hilarious background images, such as an adorable wedding couple sharing the first kiss during their beach ceremony only to have a man in a tiny swimsuit standing behind them. It’s not so funny when the visible area behind your video contains anything incriminating, illegal or simply embarrassing.

Remember, depending on the platform and the settings, you might not control who can see your video. If anything behind you is a dead giveaway for your location, any of your identifying information or even the answers to typical security questions (i.e., posting a video on your birthday and mentioning it), you might be sharing far more than you intended.

3. Is this content allowed? – Each platform has regulations for what is and isn’t permitted, and it’s up to you as the user to know what they are. Obviously, behavior that violates copyright—like broadcasting live from a concert, movie, or other ticket-holder events—is a no-no; even if you don’t necessarily get in trouble, it’s still theft, and it’s wrong. Broadcasting live for anything other than journalistic reasons from a crime in progress can also land you in hot water with both the platform and law enforcement.

If you want to go live on social media, you need to be smart. Know how your platform works, understand your privacy settings and surroundings, and make sure it’s approved, beneficial content… then smile for the camera and enjoy!


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

For years, fraud experts have warned consumers about phishing attempts that try to steal money and identifying information. As people have become more aware of the threat, scammers have had to up the stakes in order to trick users into downloading malicious content to their computers or hand over their sensitive information.

One common approach is the “there’s something wrong with your account” email. These messages appear to come from a well-known company. It might claim your account has been suspended due to strange activity, an order you placed (or possibly didn’t place) is not shipping due to a problem with your credit card, or any other plausible scenario. The goal is to get you to click the link and submit personal information, such as login credentials, passwords or credit card info.

So how is a company supposed to inform you when there really is an issue with your account? A good example may be the one below:

The email informed the recipient of the need to take action on their account by exiting the message and logging in to the account themselves. Rather than the common ploy of having the victim click a button that supposedly redirects to their account, this message plays it safe: Leave this email, go to your account, login for yourself, and make sure your information is accurate.

Also, further below, there is a support number to call for help. That can be indicative of a scam, though, so beware; numerous scams have included phone numbers to call that simply redirect to the scammers, so anyone receiving this email should verify the phone number before calling. However, the information the recipient needs is laid out quite clearly in the email, and hopefully, no further support is even required.

At first glance, this email could look and sound just like any other phishing email, but the difference is in the action the recipient is to take. Instead of falling into a potential trap, the reader is only told to do the very same activity they would do if they had not received the message, namely, log into their account and make sure their profile is up-to-date.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Highly-sophisticated cyberattacks conducted with the help of someone “on the inside” might make for great Hollywood movies, but the reality for most businesses is far more mundane. As the recent data breach of UnityPoint Health proves, the planning might have been sophisticated, but the mechanism was as boring as an email sent to an employee of the company.

The only skillset the hackers needed in this breach was the ability to do some online sleuthing, figure out which executive to mimic, then contact someone within the company while posing as that executive. Unfortunately, “boss phishing,” as this is known, is so easy a middle schooler could do it. It simply means making a fake email account—either masquerading as a company email or even a free throw away account—and contacting someone, asking for login credentials or other data.

In this case, someone at UnityPoint fell for it. A phishing email asking for login credentials was received and responded to, simply because it looked like an email from a boss. From there, the scammer was able to log into the system and access emails, some patient records and more.

UnityPoint investigated the breach and has sent out notification letters to the affected patients, offering a year of credit monitoring for those whose Social Security numbers or drivers licenses were accessed. They’ve also included instructions to all of the affected individuals on how to request a copy of their credit reports and how to place freezes on their credit.

More importantly, the health system is conducting widespread employee training on how to spot a phishing email, how to respond, and how to develop the foolproof, unyielding habit of never giving out sensitive information without confirming the request first.

For the rest of us, the last part is absolutely vital. It doesn’t matter if it’s in the workplace or the living room, all tech users have to learn how to avoid phishing attempts. It does not matter what the mechanism is, such as email or social media message, and it doesn’t matter what the request is. Some messages will claim there’s a problem with your account or payment method on file, while others may accuse you of a crime like failing to pay your taxes or not showing up for jury duty. Whatever the reason, you’ve got to ignore the message and handle it yourself.

Rather than hitting reply or clicking the enclosed link (there’s almost always a link to click!), get out of the message and head directly to your account for whatever company or organization claims supposedly sent the message. Look into your account status there, and if you’re still unsure, contact the company directly through their verified contact method. If you receive any requests for information like bank account numbers, credit card numbers, passwords, or other sensitive data, it’s most likely a scam.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

Reddit is a popular-but-controversial website dedicated to forum threads and messaging groups. Think of it as a giant bulletin board at the end of your driveway where anyone can post a new discussion topic, others can respond, but only a handful of people whom you’ve chosen are allowed to come up to the door and talk to you. Unfortunately, the highly anonymous nature of Reddit has allowed it to become a breeding ground for discussions that range from “how to bathe a poodle” to “where to buy illegal items” and other dangerous content.

Reddit has now disclosed that it suffered a data breach in June, and that login credentials were stolen for everyone who signed up for an account before May 2007. A separate compromise at the same time also accessed all of the daily digest emails, which presents a different kind of privacy problem.

The website is one of the largest in the world, so a hacker who pulled off this feat already gets to brag a little among his cybercriminal contacts. However, what sets this one even further apart is that the hacker was able to bypass two-factor authentication to gain access to employee credentials.

Two-factor authentication is an additional layer of security that denies you access to an account until you have two methods of logging in. It might be sending a one-time use PIN number to your phone, for example, which you need in order to log in alongside your username and password. It may also be answering security questions or providing other details to verify your identity.

Given the highly controversial nature of some content on Reddit, the company’s employees were required to use two-factor authentication in the form of an SMS message, or a text message as it’s more commonly known.

Somehow, the hackers intercepted those text messages and were able to log in under the employees’ stolen credentials.

First, the dire warning to the tech community: don’t be fooled into thinking that two-factor authentication will absolutely keep someone out. Yes, it’s been a great shield so far, but this demonstrates that it can be cracked. Previous data breaches that have leaked cell phone numbers may be to blame, as a hacker can port that number to an additional handset and intercept SMS messages.

Next, for Reddit users: the anonymity that you’ve enjoyed so far may be at risk. The hackers accessed the daily digest subscribers’ emails, so if you’ve subscribed to any Reddit subgroups that are topic-specific—especially ones that could have personal consequences if other people found out—there’s a chance your email address could be shared. If your email address has also been used to log into Reddit and post inflammatory, sensitive or otherwise extremely private content on Reddit, it is possible for the hackers to connect those dots and make that information public.

Reddit will undergo a forced password reset for accessed accounts, but it’s a good idea to log in and change it even if you don’t receive notification from Reddit. Also, if you’ve reused a password from Reddit on another account, you should change that one as well.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

April the Giraffe became an internet sensation in 2017, bigger perhaps than any pop-star-behaving-badly, for her adventure park’s YouTube live stream of her pregnancy and delivery. It took a little longer than expected, but she gained a following of millions of viewers for the birth of her first baby to be born at the park, Tajiri.

At that time, many people had a tongue-in-cheek criticism of the whole sensational affair: how would you feel if someone broadcasted your pregnancy and delivery to the entire internet?! In fact, in recent years, more and more hospitals have instituted policies against this very thing, banning video cameras, digital cameras and even cell phones from the delivery room to give the mom and baby both some privacy.

Obviously, April didn’t seem to mind either the jokes or the constant attention directed towards her medical condition. Hopefully, she’s just as calm about the April Cam going live once again for her next delivery. But that doesn’t mean we should be so laid back about our own privacy and oversharing of personal information.

Oversharing happens when we post more information or content online that might be safe. It could be sharing too many details in your social media profiles, entering information online without finding out where it will end up, even posting photographs that in hindsight probably shouldn’t have been made public. In any event, oversharing is a serious problem that can lead to consequences like identity theft, account takeover, repercussions at school or in the workplace and more.

In order to avoid oversharing, there are a few things to keep in mind:

  1. Social media settings – Who can see your posts? Do you know how to keep others’ prying eyes out? Depending on the platform, such as Facebook versus Twitter versus Instagram, you have options when it comes to keeping your content limited to people you personally know. To check up on your privacy settings, log into your account and go to your profile. Note: that’s not to say everyone must lock strangers out altogether, but it’s good to know how to set up your preferences and change them if you wish.
  2. Locations – If you have location settings turned on for your phone or other devices, you might be handing a criminal the exact location to where you’ve taken a photograph, even down to which room in your house. A concept called geotagging incorporates these coordinates into the digital file for the image, and when you upload that image, you can retrieve the coordinates by someone who accesses the picture. In order to keep your location under wraps, be sure to turn off the location settings for your device’s camera so, anyone with malicious intent doesn’t come looking for the flat-screen TV or MacBook in the background.
  3. Sensitive content – Finally, once you’re certain that the posts aren’t giving away too much, really think about what’s in the post, photo or video. Is this something that paints you in the best light? What will an employer say about it? Is it embarrassing to anyone in your family, including your kids?

Remember, April the Giraffe may not understand that millions of people around the world watched her every move—including an event that most people consider to be very, very private—but you and your friends or family might care a great deal. Protect your privacy and your dignity with safe, smart sharing behaviors.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.