Tuesday, June 23, 2009

Victims Lose $500K to ATM Skimmers

In an earlier MySecurityIQ post, we talked about the risks of using public ATM machines or other devices that read cards. A recent incident at a New York bank highlights the importance of being aware when you use public ATM machines.

Thieves in Staten Island installed devices on ATMs at several branches of Sovereign Bank that allowed them to harvest account access information. The data were used to steal a total of more than US $500,000 from the accounts of 250 victims. The group used skimmers to gather data from ATM cards and cameras to discover customers' PINs. The information was then used to manufacture phony ATM cards.

See the Related Tip: Watch out for ATM Onlookers

Tuesday, March 17, 2009

Your Cell Phone May Be Tracked

The next time you hit the local mall, you might be followed by some folks who are interested in the way you shop. They might follow along as you move from store to store, making notes as you stop for 5 minutes for a coffee and then spend 30 minutes shopping for electronics. It turns out, this information is extremely valuable to the folks who operate malls and to the stores that rent space within them.

This is all possible because you are carrying around your personal "homing" device. It's called a cell phone. Although you might not realize it, your cell phone is sending out signals as long as it is turned on. Some companies are developing new tools and technology to allow their customers to track cell phone signals throughout any physical space, such as a mall. Using this technology, they can track many different signals at once and build detailed profiles of traffic. Pretty nifty stuff.

Some people may find this tracking an invasion of their privacy. There are certainly a variety of legal issues involved in tracking phone signals to individual users without their consent. Others may think it's pretty cool and only serves to make their shopping experience better. I'll let you make the call. The purpose of this tip is to make sure you are aware that this can be happening.

Security Tip: Be aware that your cell phone may be used to track your location and behavior in the physical world. You don't even have to be making a call. If you don't want to contribute to the collective data gathering, you can always turn off your phone!

Tuesday, November 18, 2008

Security and Privacy on Craigslist

Millions of people buy, sell and trade goods on classified ad sites such as Craigslist. Any time there are millions of dollars changing hands between millions of people, there are going to be issues with security and privacy.

Classified ad sites such as Craigslist pose interesting challenges because your physical security could be at risk. Unlike auction sites like eBay, most people using classified ads meet in person to deliver the goods or services. So here are a few tips for protecting your personal security and privacy when buying and selling on classified ad sites.

Protect Your Personal Information - One risk of posting on ANY internet site is disclosing too much personal information. Personal information, such as your name, address, email and telephone number can be used by scammers for identity theft.

When posting an ad, use as much information as you can to describe the item, but put only minimal information about yourself. Never put specific information about your location, such as your address. You can do that later over the phone or via private email. The idea is to limit any information that could be used to steal your identity and provide clues to enable someone to actually find you and break in to steal the item.

The most secure way to use sites such as Craigslist is to only accept emails through their system. Never put your personal email address on a post, or it will most certainly get picked up and used by scammers. Many people who post on Craigslist put their telephone number to help speed up the selling process. If you must do this, use your cell phone, since your home phone also can give up your specific location. When you have sold the item, make sure you delete or remove the ad to limit the amount of time your personal information is posted on the site.

Protect Your Money - Another risk of any online trading site is the monetary scam. Never accept cashier's checks or money orders as payment. They are too easy to counterfeit. Craigslist is very good at providing warnings about this when you view and respond to posts. Always ask for cash. Be especially aware of any "overpayment" scams where someone offers to pay more for your item with a check or money order and takes a portion in cash back from you. This is one of the most common scams used on auction sites such as eBay.

Protect Yourself - When going to view an item for sale (or when someone comes to your home or office to view an item) always have someone with you. There have already been cases where people have been assaulted after responding to an ad on Craigslist. To be completely safe, you can first meet the person outside of their home to get a sense for your personal safety. If they seem suspicious or you get a bad feeling, come up with an excuse and leave. Be aware of suspicious locations, such as remote office buildings, that could put you at greater risk. If you absolutely must meet a person by yourself, tell someone else what you are going to do and when you should be back. And always keep your cell phone handy for an emergency call.

The Bottom Line

Classified ad sites such as Craigslist provide a great way to buy and sell goods and services to a local market. But be aware that meeting in person creates an entirely new set of risks. Be cautious. Reveal personal information slowly. Have someone with you when you visit strangers. Sounds a lot like what our parents used to tell us about dealing with strangers. Hmm. Maybe some advice is timeless.

Thursday, September 18, 2008

Ruining Your Career with Social Networking Sites

There is a growing trend of people making career-limiting moves by putting inappropriate information on their personal pages on MySpace or Facebook. As potential employers and college admissions officers increase their use of the internet for recruitment and retention, public embarrassment on the internet can be costly.

There have already been a number of incidents of people being fired for information on social networking sites. Examples include foul language, trashing of employers and not-too-flattering pictures. It is becoming common for organizations to "Google" prospective employees as part of a background check. And certainly a MySpace page with pictures from your last drunken happy hour is not going to help establish you as a viable candidate. It is important to understand that social networking sites are so "new" that there is no established set of "best practices" or case law defining how prospective employers may use the internet to perform research.

Some people are limiting themselves even before they start their careers.

A recent report based on 500 top colleges showed that some of them use MySpace and other social networking sites to review college applicants. Of the ones that do, 38% of the respondents indicated that what they saw negatively impacted their view of the candidate.

So far there are no clear policies established around the use of information made public by people on their own web pages. But clearly people are already making mistakes that are very costly.

Of course, the obvious security issue is that people MUST establish privacy settings so that their pages are not available to the general public. As obvious as this sounds, many people are still leaving their sites open.

Security Tip: Establish privacy settings so your posts are not visible to the general public. Even with privacy in place, never put offensive language or pictures on your social networking site. You never know who may be able to see your page through a trusted "friend."

Saturday, August 23, 2008

Has your medical ID been stolen?

One of the newest ways for criminals to wreak havoc on your personal privacy and your pocketbook is called "medical identity theft." As in other forms of identity theft, the basic scheme is that a criminal uses your identity to scam the medical system for either services or money.

In the simplest scam, doctors bill the medical insurer for procedures that were never performed. In many cases, they split the profits with the patients, who come in claiming they have specific ailments that require certain treatments that are ripe for fraud.

One increasingly common scenario is someone who uses your identity to receive an expensive surgery. Medical and security experts are expecting the trend to get worse as more of the 50+ million uninsured become desperate for medical care that they cannot afford. For example, in 2007, authorities say John Parsons, 57, stole the identity of a mentally disabled friend to pay for heart bypass surgery at Northwestern Memorial Hospital in Chicago. A recent article in the Chicago Tribune highlights that medical identity theft is one of the fastest growing forms of identity theft.

How Does It Happen?

In many cases, your medical records are actually stolen by employees at firms that provide services or handle medical billing. Often these people sell the records on the black market to criminal rings for anywhere from $5 to $30 a record. Of course, there are a variety of ways for people to forge your identity, including forged medical ID cards. A criminal can look up your personal information through a variety of public-domain sources, and piece together a legitimate looking ID card. But it is much easier and safer for criminals to buy records on the black market.

How can I protect myself?

The first thing you can do is tightly control your personal medical information. That means limiting the number of places that your personal information is stored. You never want to respond to any email or phone call from anyone claiming to be a doctor or pharmacist and requesting your medical information unless you can verify their true identity. If you switch medical providers or move, see if you can have your records deleted from their system.

Second, you must closely monitor your medical bills. Stay on the lookout for any procedures that you are being billed for that were not performed. The very nature of medical billing makes this a painful chore. This is especially difficult for people who see a lot of different medical providers. One idea is to maintain copies of your bills and pay attention to the procedure codes.

Third, try to keep your existing records as accurate as possible. The Health Insurance Portability and Accountability Act (HIPAA) of 1996 requires all organizations that hold your medical records to keep them accurate and respond to your requests. You can call any organization and ask for a copy of your existing records to verify that they are accurate. The Health and Human Services Department publishes a list of consumer privacy rights under HIPAA.

Finally, if you think you have been a victim, address it immediately. Report the problem to your health care provider and the local police. If other people have received care in your name, your medical records will be merged with theirs. Just like credit problems, false medical records can impact your ability to receive care and insurance in the future. Health care expert Judith Graham also provides some excellent Tips to Protect Your Medical Records.

Reporting Medical ID Theft: The Federal Trade Commission handles medical identity theft complaints and can be reached at 1-877-IDTHEFT (438-4338).

Security Tip: Always check your medical bills for accuracy. Look for unusual procedures or treatments that you do not recognize. As always, limit the amount of personal information you give out and give it ONLY to those who need it to provide your care.

Wednesday, October 31, 2007

Callback scam to 809 or other international area codes

Criminals love telephone scams. According to consumer information provided by AT&T, a new scam hitting U.S. consumers may generate hundreds or even thousands of dollars in unwanted phone charges. The basic hook is a phone call saying that the person calling has vitally important information for you, and you must return the call by dialing their number right away. The number will begin with 809, or one of the other international area codes such as 284 and 876 which belong to the U.S. Virgin Islands. According to some sources, the calls can cost as much as $2425 a minute!

The scammers make up any of a number of stories to get you to call, including information about a family member or other close friend who has been arrested, has died, or is in need of dire help. Other stories are the classic "you have won a prize." In each case, you are told to call the 809 number right away. Since there are so many new area codes these days, people unknowingly return these calls.

The bottom line here is that there are a number of ways to get scammed over the telephone. And with the ability to fake or “spoof” a caller-ID number, you cannot verify the caller using caller-ID alone.

Security Tip: Never respond to any request for a return call without first verifying the identity of the caller and the purpose of the call. Be cautious about area codes you don't recognize. Check your telephone directory or call the operator to determine where the area code is before making your call. If the call-back number is area code 809, 284, 876 or any international number (starting with 011) and the message is “urgent” you know you are getting scammed.
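As an added illustration of the rule in this tip (this is example code written for this page, not something from AT&T or the original post), the function below normalizes a call-back number as it might appear in a message, classifies it as domestic, one of the area codes named above (809, 284, 876), or international (011 prefix), and combines that with the "urgent" wording the scam relies on. The urgency word list and the sample messages are constructed for the example; the fictional 555-01xx numbers are placeholders, not real numbers.

```python
import re

# Area codes the post names as belonging outside the U.S. even though they are
# dialed like a domestic +1 number. This is only the post's list, not a full table.
FOREIGN_NANP_AREA_CODES = {"809", "284", "876"}

# Constructed keyword list mirroring the pretexts the post describes.
URGENCY_WORDS = ("urgent", "immediately", "right away", "arrested",
                 "died", "dire", "won a prize")


def normalize_number(raw: str) -> str:
    """Reduce a written phone number to digits; a leading '+' is the same as dialing 011."""
    raw = raw.strip()
    if raw.startswith("+"):
        raw = "011" + raw[1:]
    return re.sub(r"\D", "", raw)


def classify_number(raw: str) -> str:
    """Return 'international', 'foreign-nanp', 'domestic' or 'malformed'."""
    digits = normalize_number(raw)
    if digits.startswith("011"):
        return "international"
    if len(digits) == 11 and digits.startswith("1"):
        digits = digits[1:]          # drop the leading country/trunk 1
    if len(digits) != 10:
        return "malformed"           # not a 10-digit NANP number
    area_code = digits[:3]
    if area_code in FOREIGN_NANP_AREA_CODES:
        return "foreign-nanp"
    return "domestic"


def is_likely_callback_scam(message: str, callback_number: str) -> bool:
    """The post's rule: urgent wording plus a foreign or international call-back number."""
    urgent = any(word in message.lower() for word in URGENCY_WORDS)
    return urgent and classify_number(callback_number) in ("international", "foreign-nanp")


if __name__ == "__main__":
    # Constructed sample voicemail transcripts with their call-back numbers.
    samples = [
        ("URGENT: your brother has been arrested, call back right away", "1-809-555-0100"),
        ("You have won a prize! Claim it now", "+44 20 7946 0958"),
        ("Reminder: dental appointment Thursday at 10", "(212) 555-0100"),
        ("Urgent: call your bank", "212-555-0100"),
    ]
    for text, number in samples:
        print(f"{number:>20}  {classify_number(number):<14}  scam? {is_likely_callback_scam(text, number)}")
```

A domestic number with urgent wording is not flagged on its own; as the tip says, the area code check is what separates "sounds urgent" from "costs you money per minute," so both conditions must hold.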

Related Tips: "International Call Forwarding Scam" and "Beware of Fake Phone Numbers"

International Call Forwarding Scam

Hacking into and messing with phone systems has always been an interest to criminals. There are many scams to try to either get free phone calls, or to trick you into calling pay services. This one comes directly from AT&T. The basic idea is that the criminal tricks you into forwarding your phone to one of their lines. Here’s how it works:

You may receive an automated message on your telephone that says you have won a prize or money. The message directs you to dial a 2-digit code preceded or followed by the * or # key (such as *79 or 72#), and then an 800 number to claim your prize. When you dial the number, you are not connected to anyone. What this procedure has done, though, is program your telephone to forward your calls to a long distance operator. Con artists can then call your number, be forwarded to the long-distance operator and place calls that are billed to your home telephone number.

Security Tip: Know the numbers used for call forwarding from your local telephone company. If you receive a call that requests a two-digit command followed by # or *, simply hang up. If you receive this message on your answering machine, do not place this call. No legitimate sweepstakes or contest would likely contact you in this manner.

Related Tips: "Watch out for fake phone numbers"

Beware of the latest YouTube Video

One thing you can guarantee is that spammers and other internet criminals will always be using the latest techniques to get you to open an email and download some spyware. Security firm Sophos has recently been discovering SPAM messages that claim to be a link to a YouTube video, but in fact are links that download some nasty spyware onto your computer.

If there is one thing we need to emphasize over and over, it is to NEVER click on a link within an email unless you can verify that it is legitimate - even if it apparently comes from a “friend.” Many times your friends have their computers infected with a virus or spyware and without knowing it will forward these messages to you so that they seem legitimate.

So how do you know it is safe to click on an email link? (See our Tips for Not Becoming a Phish.) First, if the email is "unsolicited" (meaning that you didn't ask for it) it has a good chance of being dangerous, even if it is from a friend. Second, if the email is from someone you don't recognize, and they REALLY want you to click on it, then about 99% of the time it is likely something for the trash bin.

Security Tip: Never click on a link in an email message encouraging you to download a cool anything, unless you can verify the sender of the message and the safety of the link.

Thursday, October 18, 2007

Watch for ATM Onlookers

Part of protecting your personal information is to always be alert of your physical surroundings. In many cases, a criminal will use a combination of techniques to steal information. One of the most common methods is called "surveillance" - which is a fancy term for watching. Just like in the spy movies, criminals will often spend time watching a person or place to determine patterns that may give them an advantage.

One common and simple way to steal personal information, such as a PIN number, is to watch people type their password on a keypad. Since for ATM machines the PIN is often only 4 digits, these can be very easy to remember. While there are many sophisticated methods, such as "keystroke loggers" (which monitor your typing) or video cameras, in many real-world cases people are able to steal passwords or PINs simply by watching.

ATM machines are perfect for this crime since it is common for people to be standing in line waiting to use the machine. Some people stand uncomfortably close during these transactions.

Security Tip: Whenever you are using your ATM, or any other keypad where you type in your personal PIN, make sure nobody is watching. If they are watching, move your body in front of their line of sight or simply abandon the transaction and return later.

You can use this tip whenever you type any personal login or password information into any keypad that is in view of others.

Fake ATM Readers Steal Your Bank Card and PIN

In the category of "what will they think of next" - a new scam to steal your bank card and PIN number is hitting a lot of people.

Teams of organized criminals are installing equipment on legitimate bank ATMs to steal both the ATM card number and the PIN. The team sits nearby in a car receiving the information transmitted wirelessly over weekends and evenings from equipment they install on the front of the ATM. The University of Texas Police has an excellent set of pictures to help you recognize these converted ATMs. Reports are that these false fronts are also being used at gas stations and other outlets. So what can you do to help spot these fake ATM machines?

ATM Security Tips: First, be extra careful using ATM machines that are in poorly secured areas, such as gas stations or grocery stores. Thieves are likely to target these locations because there is much less chance of being detected.

Second, examine the ATM machine and look for any suspicious-looking attachments, including the location of mini-cameras on nearby walls or envelope holders (see the pictures).

Finally, always be aware of suspicious-looking vehicles parked nearby, probably in dark or poorly lit areas. In this scam, the perps need to be nearby to receive the data via a wireless link.

According to police, if you see an attachment like this, do not use the ATM and report it immediately to the bank using the 800 number or phone on the front of the ATM.

Related Tips: Watch out for ATM Onlookers

No need to register your cell phone for Do-Not-Call

A number of emails have been circulating that warn you that your cell phone number is about to be released to telemarketers. The email has a number for the Do-Not-Call registry, claims that you must call from the actual cell phone number, and encourages you to forward this to all of your friends.

While the email may be well-meaning, there are several problems to look out for here. First, it is good to be suspicious of any email that tells you that you MUST follow a specific procedure that requires giving up personal information. There is a 99% chance that these are "phishing" emails that are tricks to get you to reveal your personal information. Another key to look for is the tell-tale request at the end of the message to "Send this to all your friends." In fact, if I wanted to steal a bunch of cell phone numbers, I couldn't think of a better method than this! Send out a fake email message that looks well-meaning, have everyone call a number and give up some personal information, and BINGO!

Finally, this well-meaning email does not have any information that points to the REAL do-not-call registry. A quick check of the FTC web site reveals that there has been an email telling everyone to register their cell phones, and that this is not necessary. In fact, the FTC provides a helpful document called "the truth about cell phones and DO-NOT-CALL."

So in this case, a 5-second validation process allows you to potentially save your personal information once again.

A copy of the email I received is located below:
____________________________________

Subject: Cell phone numbers going public tomorrow

Cell phone numbers going public tomorrow REMINDER....all cell phone numbers are being released to telemarketing companies tomorrow and you will start to receive sale calls....YOU WILL BE CHARGED FOR THESE CALLS. To prevent this, call the following number from your cell phone: 888-382-1222. It is the National DO NOT CALL list.

It will only take a minute of your time. It blocks your number for five (5) years. You must call from the cell phone number you want to have blocked. You cannot call from a different phone number.

HELP OTHERS BY PASSING THIS ON TO ALL YOUR FRIENDS. It takes about 20 seconds.