So, who’s on your holiday gift list this year? That list is a lot longer than you think; consider all the names of hackers that have not yet appeared on it. Scammers will do whatever it takes to get on your holiday gift list! Here’s how to keep these cyber thieves out of your pocket:

• Before purchasing from a small online merchant, see what the Better Business Bureau says and also search Google for reviews.
• If you see an unexpected e-mail allegedly from a retailer you shop at, don’t open it. Scammers send out millions of trick e-mails that appear to be from major retailers. They hope to trick gullible shoppers into clicking on them and revealing sensitive information. So many of these scam e-mails get sent out that it’s common for someone to receive one that appears to be from a store they very recently purchased from.
• When shopping online at a coffee house or other public spot, sit with your back to a wall so that “visual hackers” don’t spy over your shoulder. Better yet, avoid using public Wi-Fi for online shopping.
• Back up your data. When shopping online it’s highly probable you’ll stumble upon an infected website designed to inject malicious code on your device. Malware called “ransomware” will hold your data hostage. Backing up your data in the cloud to Carbonite protects you from having to pay the ransom.
• Save all your financial, banking and other sensitive online transactions for when you’re at home to avoid unsecure public Wi-Fi networks.
• Change all of your passwords to increase your protection should a retailer you shop at fall victim to a data breach. Every account of yours should have a different and very unique password.
• Ditch the debit card; a thief could drain your bank account in seconds. Use only credit cards. Why? If a fraudster gets your number and you claim the unauthorized purchase within 60 days, you’ll get reimbursed.
• Review your credit card statements monthly and carefully. Investigate even tiny unauthorized charges, since thieves often start out small to “test the waters.”

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. 

Define Pwn: Pwn is a slang term derived from the verb own, as meaning to appropriate or to conquer to gain ownership. The term implies domination or humiliation of a rival. And when it’s done by hacking email, the person is effectively pwned. No matter how “private” you are on the Internet, no matter how infrequently you post on your Facebook page—even if you don’t have a Facebook account—your life can be hacked into as long as you own just one password—and the ability to be tricked.

Such was the case of Patsy Walsh, reports an article at bits.blogs.nytimes.com. She gave a few white hat hackers permission to try to hack into her life, and they accomplished this in under two hours, without even entering her house. She figured it would be next to impossible because she had no smart gadgets in the home and rarely posted on her Facebook page.

The “ethical” hackers, part of a security start-up, quickly found Walsh’s Facebook page (which presumably contained personal information such as her town, since there’s many “Patsy Walsh” accounts).

The scarcely posted-to account, however, revealed that she had liked a particular webpage. Based on that information, the hackers phished her and she took the bait, giving up a password, which happened to be for many of her accounts.

The good guy hackers were then invited into her home where they easily obtained her garage door opener code with the brute force attack, but even scarier, cracked into her DirecTV service because it didn’t have a password. Such a breach means that the hacker could control the TV remotely: Running a porn movie while the homeowner’s grandmother is visiting.

They also found Walsh’s passwords tacked onto her computer’s router. The exposed passwords allowed them to get into Walsh’s and her daughter’s e-mail accounts. From that point they got ahold of Walsh’s Social Security number, PayPal account, insurance information and power of attorney form.

She was probably thinking, “Well of course! They’re professional hackers and I let them inside!” But the hackers also discovered that there were about 20 malicious programs running on her computer. Their recommendations to Walsh:

• New garage door opener
• Password for DirecTV
• Password manager to create unique passwords for all of her accounts
• Security software always kept updated
• Two-step authentication when offered
• A nice lecture on phishing attacks

A phishing e-mail is sent by a cyberthief to trick its recipient into revealing sensitive information so that the crook could steal money from the recipient or gain access to a business’s classified information. One way to lure an employee is for the crook to make the e-mail appear like it was sent by the company’s CEO. Often, phishing e-mails have urgent subject lines like “Your Chase Bank Balance Is Negative.”

In its 2015 Data Breach Report, Verizon reported that 23 percent of employees open their phishing e-mails. Eleven percent go further by clicking on something they shouldn’t.

Why do so many employees (and mainstream users) fail to recognize a phishing e-mail? Strong security awareness training at companies is lacking. Perhaps the company simply tosses a few hardcopy instructions to employees. Perching them before videos isn’t enough, either.

Security awareness training needs to also include staged phishing attacks to see which employees grab the bait and why they did so. With a simulated phishing attack approach, employees will have a much better chance of retaining anything they’ve learned. It’s like teaching a kid to hit a homerun; they won’t learn much if all they do is read instructions and watch videos. They need to swing at balls coming at them.

The return on investment from staged phishing attacks will more than offset the cost of this extra training. Living the experience has proven to be a far more effective teacher than merely reading about it or listening to a lecture. As straightforward as this sounds, this approach is not the rule in companies; it’s the exception.

Even rarer is when phishing simulation is ongoing rather than just an annual or semiannual course. But just because it’s rare doesn’t mean it’s not that effective. Companies tend to cut corners any way they can, and foregoing the phishing simulations is often at the top of the list of investments to nickel-and-dime.

If you want to see how gullible your employees (or family and friends) are to phishing e-mails, which again, are geared towards tricking the recipients to click on a malicious link or attachment, pay a visit to Phish.io.

Here you can register, and this free service will send phishing e-mails to your specified recipients. However, these are harmless tests and will not lead to anything negative—other than to reveal who can be duped.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

The Internet has almost as many videos as there are stars in the heavens. And you know that some have to be hoaxes. Sometimes it’s obvious, while other times it’s easy to be fooled. For example, the hoax of the “angel” intercepting a truck just about to run over a bicyclist is obviously fake. Isn’t it?

But what about the video of the man cut in half by a bus while riding a bicycle, lying on the ground, staring at his intestines, talking for a full five minutes, while his pelvis and legs lie catty-corner to him? That video looks eerily real.

And so did the enormously viral one of the Syrian refugees holding the ISIS flags and assaulting German police officers.

There are free, non-techy ways to check if a video or image is a fake, from an article at gizmodo.com:

“Reverse Image”

Simply right-click an image, and a selection box will appear. Click “Search Google for this image.” Different sources for the same image will appear, but this won’t necessarily rule out a hoax.

For example, multiple links to the man cut in half appear, and the dates of postings differ, but there’s no way to rule out a hoax based on just this information.

However, suppose there’s a photo of a female ghost crashing a funeral photo. A reverse image search shows that ghost’s face as identical to the image of a mommy blogger on her blog; it’s safe to assume the ghost image is a hoax (aren’t they all?).

YouTube DataViewer

Go to YouTube DataViewer. Plug in the suspect video’s URL. Any associated thumbnail image plus upload time will be extracted. You now can find the earliest upload and see if anything is suspicious. Alongside that you can do a reverse image on the thumbnails and see what you get.

FotoForensics

FotoForensics can detect photoshopping or digital manipulation. If you want to pursue a video, you’ll need to plug in the URL of a still shot, like the ones you see after a video has ended that clutter up the video space. FotoForensics uses a tool called ELA, and you’ll have to do some reading on it before understanding how it works.

WolframAlpha

WolframAlpha can look at weather conditions at a certain time and location, such as “weather in Davie, Florida at (time) and (date). So if the weather in a suspect image with a date and location doesn’t match what Wolfram turns up, consider it a fake.

Jeffrey’s Exif Viewer

Images taken with smartphones and digital cameras contain tons of data called EXIF, including date, time and location of image shoot. See if the date, time and location don’t jive with what the suspect image conveys. Jeffrey’s Exif Viewer is one such EXIF reader.

Google Street View, Google Earth and Wikimapia are tools for mapping out the truth, such as matching up landmarks and landscapes.

So, did your ex really take a trip to Paris, as she stands there with the Eiffel Tower behind her? And is her new beau for real, or was he “shopped” in off of a male fitness model site?

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

With Cyber Monday, you don’t have to camp outside in the cold overnight so you can be the first person busting through the doors like on Black Friday. But you still may get trampled to a pulpby cyber scammers waiting for their prey.

How can you avoid these predators?

• You know that old mantra: If it’s too good to be true, it probably is. Be highly suspicious of outrageously great deals, and also assume that e-mails that link to unbelievable savings are scams. You may think it won’t hurt to just “check it out,” but consider the possibility that simply clicking on the link will download a virus to your computer.
• Back up your data. Shopping online means it’s inevitable that you’ll stumble upon an infected website designed to inject malicious code into your computer or phone. “Ransomware” will hold your data hostage. Backing up your data in the cloud to Carbonite protects you from having to pay the “ransom.”
• Say “No” to debit cards. At least if you purchase with a credit card, and the sale turns out to be fraudulent, the credit card company will likely reimburse you. Try getting your money back from a scam with a debit card purchase. Good luck.
• If you’re leery about using a credit card online, see if the issuer offers a one-time use credit card. If someone steals this one-time number, it’s worthless for a second purchase.
• Make sure you understand the online merchant’s shipping options.
• When buying online, read up on the retailer’s privacy policy.
• When completing the purchase, if the merchant wants you to fill in information that makes you think, “Now why do they need to know that?” this is a red flag. See if you can purchase the item from a reputable merchant.
• Never shop online using public Wi-Fi such as at a hotel, coffee house or airport.

If the retailer’s URL begins with “https” and has a padlock symbol before that, this means the site uses encryption (it’s secure). If it doesn’t, don’t buy from that merchant if the product is something you can buy from a secure site. Of course, I don’t expect, for instance, Veronikka’s Death by Chocolate Homemade Cookies to have an encrypted site, but if you’re looking for more common merchandise, go with the big-name retailers.

Robert Siciliano is an expert in personal privacy, security and identity theft. Learn more about Carbonite Personal plans. See him discussing identity theft prevention. 

This application for your mobile device will change things in a huge way:

• Locks down smartphones with a finger-based biometric password
• Multi-factor authentication all-in-one
• It’s called BioTect-ID

And why should you consider the world’s first biometric password for your mobile device? Because most smartphone security devices have been cracked by cyber thieves.

Layers of protecting your online accounts have historically involved the password, a PIN, security questions or combinations of these which isn’t that secure. However getting into your devices requires even less – a single password, connecting dots with your finger or nothing at all. Some devices can be accessed with stronger security using your fingerprint or in some cases a combination of biometrics like face scan, voice or fingerprints.

Now you may be convinced that a physical biometric, such as your fingerprint, palm pattern or face scan are so unique that they’re impossible to hack, but guess what: These are all hackable. In fact, a cyber crook could steal, for instance, your face or fingerprint image—for all time—and then what? You’re out of luck.

So why have that possibility looming over you? Why not eliminate it with the BioTect-ID app? You have only one voice, one fingerprint, one palm, etc., but fingering in a hand written password means you can change the gesture biometric or the “drawing” of the password any time—because this is a behavior, not a static physical characteristic. Nobody can steal your gesture, not even your identical twin.

BioTect-ID is also very privacy-conscious because there is nothing invasive about recording a gesture.

The choice of which biometric to use becomes a very important consideration. The Internet of Things (IOS) will see our devices increase in value as they control our home access, record our health scores and process/retain many other aspects of our personal lives. The use of biometrics will increase dramatically to protect our privacy and security. But you want to choose carefully. Remember your unchanging physical body information will be hugely attractive to thieves who can steal your identity or use it for other purposes. But you can’t steal the BioTect-ID information.

Here’s how the BioTect-ID multi-factor authentication works.

• With your mouse or finger, create a four-character password.
• BioTect-ID “learns” your unique finger/hand movements as you do this.
• To access your mobile phone, you “draw” your password into the BioTect-ID application.
• If you are the registered owner, you get access — with bad guys out of luck.

BioTect-ID even solves the big problem of physical data being irreplaceable because it is a gesture biometric also known as a “dynamic” biometric, rather than something like a fingerprint or facial recognition.

This is such exciting news from Biometric Signature ID that we just have to run through it again:

• The first biometric app that does not require invasive information about a body part like your eyes.
• The only privacy-conscious biometric security app in existence.
• Passwords cannot be stolen, not even borrowed, and of course, can’t be lost.
• Just draw your password with your finger, stylus or mouse, and this gesture will be captured.
• Only this gesture will unlock (and lock) your smartphone, and it takes only seconds.
• Easily reset your password at will.
• The strongest identity authentication on the planet.

Don’t wait about getting this kind of protection, because biometrics is increasingly becoming a part of modern day life.

The final frontier of privacy is your body, and by continuing to rely upon body-part biometrics, you keep that door open enough for a hacker to copy and, essentially, retain a part of your body. There goes your privacy, to say the least.

The gesture-based, multi-factor authentication is poised to change the future of cyber protection. But not before this technology gets adequate awareness and support. We need to get this groundbreaking technology out there into the minds of Internet users.

Here is how you’ll benefit with the BioTect-ID:

• Peace of mind, knowing that even the most brilliant hacker will never be able to duplicate or steal your gesture.
• Elimination of having to keep body-part details in files
• Keeping your privacy and security safe from being exposed against your control
• Being the first to benefit from this cutting-edge security technology

You can actually receive early edition copies of the app for reduced prices and get insider information if you become a backer on Kickstarter for a couple of bucks. Go to www.biosig-id.com to do this.

A bug bounty refers to the reward a bad-guy hacker gets upon discovering a vulnerability, weakness or flaw in a company’s system.

This is akin to giving a reward to a burglar for pointing out weaknesses in your home’s security.

But whom better to ask than a burglar, right? Same with a company’s computer systems: The best expert may be the black hat or better, white hat hacker.

An article at bits.blogs.nytimes.com says that Facebook, Google, Microsoft, Dropbox, PayPal and Yahoo are on the roster of companies that are offering hackers bounties for finding “bugs” in their systems.

A “zero day bug” refers to an undiscovered flaw or security hole. Cybercriminals want to know what these zero day bugs are, to exploit for eventual hacking attempts. There is a bustling black market for these non-identified bugs.

Compounding the issue is that it is becoming easier for Joe Hacker to acquire the skills to infiltrate—skills that common hackers never would have had just a few years ago, and especially a decade ago. So you can see how important it is for businesses to hire the best at finding these bugs and rewarding them handsomely.

So yes, hackers are being paid to report bugs. The bits.blogs.nytimes.com article says that Facebook and Microsoft even sponsor an Internet Bug Bounty program. Such a program should have been started long ago, but it took some overlooked bugs to motivate these technology companies to offer the bounties.

Heartbleed is an example. Remember that? It was a programming code mistake that affected certain SSL certificates—which help protect users on a secure website. As a result, over a dozen major tech companies began an initiative to, as the bits.blogs.nytimes.com article says, “pay for security audits in widely used open-source software.”

So as clever as bug bounties sound, it shouldn’t be regarded as the be-all end-all solution. How about an incentive to get developers to implement secure, mistake-free coding practices? Well, companies are trying. And they keep trying. But with humans behind the technology, there will always be mistakes.