Posts

When new technology comes along, it might take a matter of years or only a matter of days for a highly-skilled hacker to figure out a way to break in. With any luck, the person who breaks into the system is what’s known as a “white hat hacker,” or someone whose expert-level skills are put to use helping stop criminal activity instead of benefitting from it.

When security analyst Ryan Stevenson breached Comcast’s Xfinity website portal, it seemed like a frighteningly easy task. It simply required him to match up readily available IP addresses—basically, your computer’s code name onto the internet—with the in-home authentication feature that lets users pay their bills on the telecom provider’s website without having to go through the sign-in process. Another vulnerability allowed Stevenson to match users to their Social Security numbers by inputting part of their home mailing addresses—something that the first vulnerability exposed—and guessing the last four digits of their SSN.

Guessing the last four digits of someone’s SSN might not sound that easy, but it only takes seconds for a computer to do it with the right software. The flaw in the website allowed the computer to make an unlimited number of guesses for a corresponding mailing address, so it took very little time for the code to reveal complete Social Security numbers.

This vulnerability is believed to have affected around 26 million Comcast customers.

Comcast issued a patch a few hours after the report of the flaws. The company responded to requests from news outlets with an official statement to the effect that they have no reason to believe anyone other than Stevenson accessed this information. They also don’t believe that the vulnerabilities are related to anyone with malicious intent. Just to be safe, though, the company is continuing an investigation into how the flaws originated and how they might possibly have been used.

In the meantime, Xfinity customers would do well to monitor their accounts closely. This could potentially affect other accounts, not just their telecom service accounts, as Social Security numbers, names and mailing addresses were visible.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

It turns out the boogeyman is actually hiding in the deep dark web, not your child’s closet.

Identity theft is often misconstrued as an issue that only adults deal with; however, it’s also something that affects children. According to Javelin Strategy and Research’s 2018 Child Identity Fraud Study, one million child identity theft cases were reported in the U.S. last year.

It is important to note that these are only reported cases, so the actual number of child identity theft victims is likely higher. According to the calls we receive from impacted individuals, many child identity theft cases go underreported because they may have been perpetrated by a custodial or non-custodial parent, a close relative or even family friend, and the victim might not feel comfortable pressing charges.

Criminals see children’s identities as a hot commodity because they’re typically unmonitored and clean. Since children don’t start to establish credit until they are an adult (age 18) and open their first credit card or take out a loan, parents don’t usually think to check their child’s credit history. Unfortunately, criminals see this as the perfect opportunity to use your child’s information to open up several accounts, which may go undetected for years.

After the child’s information is stolen, criminals often turn to the dark web to sell it for as low as one dollar. The Dark Web, which contains some areas that are not accessible by normal internet browsers or are gated, holds a variety of illicit activity. So if you’ve been a victim of a data breach or gave personal information to a scammer, your information might be living there, as well as your child’s information.

Even though your child isn’t opening up new lines of credit at the moment, they are still at risk of having their information exposed. One way this can happen is through a data breach.  You should be aware that accidental breaches do occur and you should be mindful of the consequences. For example, schools, doctor offices and daycares hold your child’s personal identifying information (PII) and could be potentially breached. It’s important to find out how your child’s information is collected, stored and disposed.

Often times, thieves will buy a child’s Social Security number (SSN) from the dark web and combine it with a fake date of birth, address and name to completely fabricate an identity. Considered synthetic identity fraud, this is an increasingly common method that criminals use to commit identity theft.  In order to protect your child from the dark web, it’s important to check if a credit report exists with your child’s SSN regularly, never carry their SSN and only provide their SSN when it’s required.

Checking for the existence of a credit report with each of the three credit bureaus is a leading way to identify child identity theft. There are other indicators including the following:

  • Your child receives offers for pre-approved credit cards.
  • You receive bills in your child’s name.
  • A collection notice arrives with your child’s name on it.
  • Your application for government benefits for your child is refused because benefits are already being paid out to someone using your child’s Social Security number.
  • You receive a letter from the IRS saying your child owes taxes. Be aware, however, that any phone call from someone claiming to be with the IRS is almost certainly fraudulent. The IRS communicates with taxpayers by U.S. mail only.

You can contact the Identity Theft Resource Center for free assistance at 888-400-5530 or through the live chat feature on their website: https://www.idtheftcenter.org/

Experian proudly provides financial support to the Identity Theft Resource Center.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

In a large-scale data breach, hackers may be after a variety of things. It might be sensitive data like personal identifiable information, email addresses and passwords or the answers to common security questions. It can also be slightly less sensitive but still usable information like payment card credentials and home addresses.

But what do hackers actually do with this information? Sometimes they use that data themselves and in other cases, they will sell it or hold it for ransom from the company it was stolen from. Payment card data can have a narrow window of opportunity for use since financial institutions may cancel those account numbers once they discover the breach.

There’s another way that credit cards have been used following a data breach, one that steals additional benefits from the victim. The theft of airline miles or bonus points tied to the victims’ credit cards may go unnoticed because most consumers don’t think to monitor their extra perks; once the hackers have stolen the account credentials, they can use or sell the additional perks on those accounts.

One of the first steps to protecting your perks accounts is to secure it with a strong password, one that you don’t use on other accounts and that you change frequently. By protecting this account and others, you’ll help prevent a breach of your accounts as well as stop a thief who bought old information on the dark web from a database of previously hacked information.

Another key step is to take some time to monitor these accounts from time to time. Thieves get away with it because too often we happily store up those miles or bonus points for a large trip or a major purchase. Monitoring your points from time to time can help you not only keep track of how far you have to go to reach your perks goal, but also lets you stay on top of any problems that arise.

If you do find out that someone has tampered with your perks account, contact your credit card issuer immediately and change your password on this or any account that uses those same login credentials. This could actually be the first sign that someone has accessed your credit card account, so it’s a good idea to order a copy of your credit report, too.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.

What is considered valuable in terms of personal information has continually shifted definition for decades. At the Identity Theft Resource Center, educating consumers about the value of personal information is one of our top priorities. We often find that many consumers are unaware that having your Social Security number (SSN) exposed in a data breach is far more dangerous than having credit card or debit card information exposed. In addition to your SSN, other personal information that is regularly overlooked are login credentials (i.e. usernames and passwords), which can lead to other information being stolen using a method referred to as “credential cracking.”  This form of hacking is very widespread and more insidious than most Americans realize.

The Open Web Application Security Project defines “credential cracking” as a method that cybercriminals use to “identify valid login credentials by trying different values for usernames and/or passwords.” This is important considering that, according to the 2017 Verizon Data Breach Incident Report, 80 percent of hacking related data breaches were carried out using either stolen passwords and/or weak or guessable passwords. This means that cybercriminals attempt to gain access to a consumer’s account using educated guesses. How does someone make an educated guess about another person’s passwords? There are a couple of ways that this is done and it’s a lot easier than one might think. For example, criminals can use software that runs every word in the dictionary through authentication in hopes that a consumer has used a simple word as their login credentials.  Another way that cybercriminals make educated guesses on login credentials is to use common passwords. Unfortunately, this is successful as consumers continue to use passwords such as “password” or “1234567”. Another way that hackers crack credentials, which is the most pertinent to the focus on the value of personal information, is the use of breached login credentials.

In 2017, there were nearly 179 million pieces of personal information stolen, lost or exposed in data breaches. The use of breached login credentials by hackers is pertinent to the value of personal information because it transforms our ideas of what information is the most dangerous to have stolen by hackers or lost in a data breach.  For example, consumers would most likely consider having their tax information lost or stolen in a breach far more dangerous than having their Yahoo or Gmail account credentials stolen. However, the use of “credential cracking” shows us that one can be just as dangerous as the other.

In order to understand why this can be so detrimental, consumers should first think about the login credentials, most commonly this is a username and password, they use on their online accounts. While the best practice is that consumers use different login credentials on each of their accounts, this often isn’t a reality. How many consumers use the same username and password for their Facebook account as they do for their online banking? Even those who may think they are being safe by using different passwords often only use one or two slight modifications, such as the addition of a punctuation mark or another number to their commonly used passwords. When this is the case, all that a cybercriminal has to do is get their hands on the login credentials for one account and they have the key to open many accounts, which may be far more dangerous than the initial account which was compromised. This is crucial for consumers to understand. It shows why each piece of personal information, even something as seemingly useless as the login credentials for an old Twitter account you no longer use can spell big trouble. This is why we stress that consumers need to protect all the components of their personal information because they all have value. Of course, don’t hand out your SSN as you would your email address. The best strategy is to continue to guard that information as incredibly sensitive as well as protecting other personal information.

Our reminder to you is that every single piece of personal information has value. While the login credentials to your social media accounts may not initially cause the damage that an exposed SSN or banking account information will, with a little work from criminals those social media login credentials can lead to exposing more forms of personal information. Each piece of personal information is like a puzzle piece or clue which can be put together to cause serious damage in the form of identity crime.  So, while the value of a SSN, or other sensitive personal information, is far more valuable in the eyes of identity thieves, an email password has value as well. Both can lead to having your identity stolen. Consumers must understand that each piece of personal information or data has value and protect it.


Contact the Identity Theft Resource Center for toll-free, no-cost assistance at (888) 400-5530. For on-the-go assistance, check out the free ID Theft Help App from ITRC.