REGISTER

email 14 48

The U.S. is no Superpower when it comes to card payments: the card hacking headquarters of the world.

Don’t count on credit card fraud going away too soon. After all, Americans practically sleep, eat and breathe credit card use. And it’s those doggone magnetic strips on the cards that keep getting consumers, retailers, banks and the card companies in a fix. The strips make it so easy for hackers—and they know it.

It’s high time that the U.S. switch to encrypted chips in the cards—ready to be launched soon, but security experts aren’t breathing easy yet. The squabbling among banks, card companies and retailers over who’s responsible for protecting consumers isn’t helping, either.

Recently Congress demanded that the financial and retail industry leaders come up with plans for securing customer data. And they’d better act soon or consumer trust in these cards that drive the U.S. economy will take a big dive.

“This has the potential for people to question the viability of our payment system,” points out Venky Ganesan, venture capitalist with Menlo Ventures. Cards are the bread and butter of America, responsible for about 70 billion payments last year, worth $4 trillion (Nilson Report).

Only 11 percent of merchants are sufficiently compliant with the credit card security standards, says a study from Verizon Enterprise Solutions.

The magnetic strip, as innocuous as it appears to the typical consumer, stores that consumer’s personal financial information. Most other nations ditched this “antiquated” system years ago, using instead the EMV: based on chip technology, securing payment transactions.

The payments industry, however, has named 2015 as a deadline to get the chip technology going. But all things considered, that’s still a long ways off. And retailers are whining over the many billions of dollars it will take to replace point-of-sale technology.

Robert Siciliano is an Identity Theft Expert to AllClearID. 

…think again, even if most of your wireless network activities revolve around your personal and family life. There are seven lies about wireless protection; have you fallen prey to any of them?

#1 “I’m protected with my password.”

Even an amateur hacker can get past a password. Don’t think that WEP (wired equivalent privacy) can keep out hackers. It’s outdated. Its encryption abilities are flawed. Avoid WEP. Use WPA or WPA2. If you are on a free Wifi get Hotspot Shield VPN which protects your entire wireless session.

#2 “My ISP set up my wireless network, so it must be safe.”

Do you really think that big stupid cable company that’s can’t get a simple customer service call right really has your back? Many ISPs and equipment makers often use WEP as default protection—even big ISPs. Technicians who install your service usually do not automatically install a stronger encryption technology, and you end up getting hacked.  

Nevertheless, ISPs and equipment manufacturers are slowly coming around to realizing this problem. More recent wireless gateways and also routers are using WPA for the default. If you have WEP, you may need to change it manually. Don’t assume you automatically have WPA. Find out if you have WEP or WPA. If your router is old, you may need to buy a new one to get WPA.

#3 “Breaking into my wireless is too expensive and difficult.”

Not anymore. A determined hacker can use a plain ‘ol laptop to crack long passwords. Tools are available for free or just a few bucks to do all the dirty work. All Mr Hacker needs to get going is to download free tools to carry out the deed.

#4 “Nobody wants to bother hassling around trying to break into my wireless; it’s not worth it.”

It may seem complicated to you, but not to an experienced hacker. Give him just 5-10 minutes and your wireless network could be in his hands. Even a beginner hacker could crack through your network in under an hour, courtesy of online tutorials. You need superb protection, not just good.

#5 “My credits no good, I’m small potatoes. Nobody is paying attention to me. I’m safe.”

A bored hacker who wants some fun doesn’t care if your data is highly sensitive government information or your kid’s soccer team standings. Just knowing he busted into your private life is enough to thrill him.

#6 “I have firewalls and my computer is patched.”

A “man-in-the-middle” attack can gain a hacker invasion of your communications. This type of attack is stealthy and slick, bypassing the victim’s human radar.

#7 “I’ll see a hacker in front of my house and stop him.”

No, you won’t. Your wireless boundaries don’t stop at your front door; they can extend to neighboring space, meaning that your signal “bleeds” out—horizontally and even vertically. Savvy users know they can stretch the bleed into a few blocks’ distance via cheap antennas. So down your street your attacker may be sitting inconspicuously in his car.

Hopefully your awareness of these lies you tell yourself has prompted you to take measures to upgrade your wireless network’s security with the right design and implementation.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen 

Why would an insurance company be fined for a data breach?

There was a security breach at Triple-S Salud, Inc. (TSS), which is a subsidiary of Triple-S Management GTS. The Puerto Rico Health Insurance Administration plans on imposing a $6.8 million fine on TSS.

The breach involved 13,336 of TSS’s Dual Eligible Medicare beneficiaries. The penalty includes suspending all new DEM enrollments and alerting enrollees of their right to back out.

The PRHIA says that Triple-S failed to implement all the required steps in response to the security breach.

TSS sent out a pamphlet last September that unintentionally showed the Medicare Health Insurance Claim Number of some of the recipients. This is a unique number that’s assigned by the Social Security Administration. It’s considered to be protected health information.

An investigation was carried out by TSS, and this subsidiary did report the incident to federal government agencies and Puerto Rico. TSS complied with the PRHIA’s requests for information pertaining to the DEM beneficiaries. TSS also took additional measures, one of which was that of issuing an alert of the breach through local media; all of the affected beneficiaries were notified by mail of the breach.

In the filing, Triple-S affirms that it takes the matter very seriously and is “working to prevent this type of incident from happening again." However, it’s currently not able to assess the financial impact of the breach on TSS, nor can it estimate the sanctions’ impact.

Triple-S adds that a response is being prepared by TSS to give to the PRHIA, and that TSS has a right to make a request for an administration hearing.

Robert Siciliano is an Identity Theft Expert to AllClearID. 

OK, there’s lots going on here. Read slowly and wrap your brain around this. So which offers more security? Chip-and-PIN or chip-and-signature for your card payments? Chip-and-PIN wins. This is due to two authentication forms: the card and the PIN, which is stored in your head (or should be, anyways, rather than on some small piece of paper crinkled inside your purse).

But chip-and-signature has its virtues for all involved. One reason is that most people don’t know their credit card PIN, something like 5-10 percent knowing it. If credit card payments were only via chip-and-PIN, consumers would memorize their PINs very quickly.

Another issue is that only one-fourth of U.S. POS terminals have a PIN pad. This means a lot of money spent by merchants to accommodate a chip-and-PIN-only environment with updated POS terminals.

On the other hand, this investment can pay off because, says a 2013 Fed Payments Study Summary, PIN debit transactions come with a much lower fraud loss rate than do signature transactions.

A PIN based transaction brings unwanted issues to some merchants, e.g., car rental companies requiring preauthorization transactions prior to the final transaction amount. Car rental and lodging companies, however, better like the signature based transaction because it has a separate authorization and settlement process.

Other merchants, too, must make some big decisions, such as the restaurant industry: To accommodate customers who want to use their mobiles for payments at their table, restaurants will have to pay a pretty penny for terminals.

The chip-and-PIN comes with a human based flaw: If a buyer forgets their PIN, the transaction will be incomplete. The signature based transaction has the signature to complete the transaction.

All of these pros and cons must be carefully considered among consumers, merchants and the card payment industry. But what bankers and merchants seem to agree on is that the magnetic strip is getting very old and needs to be replaced by a more secure technology: the chip.

Robert Siciliano is an Identity Theft Expert to AllClearID. 

Do you offer free WiFi? Put these three safeguards in place to protect your customers and your business.

On a recent trip from Boston to New York on an Acela Express train, I was writing blogs and doing some research using Amtrak’s free wireless Internet. “Free” usually translates to "unsecured," which means a criminal hacker with the right hardware and software could have sniffed out my wireless communications and grabbed my data. That same hacker, depending on my device’s firewall, setup and sharing settings, might also have been able to access my drive and files and even plant a virus on my device.

But I wasn’t worried because I use a virtual private network software that allows me to surf on an unsecured connection.

Amtrak also knows its free wireless is risky for its users, so before you can use it, you have to agree to the terms and conditions of the Wi-Fi’s use that indemnify Amtrak. 

Free wireless is everywhere, because Wi-Fi brings in customers and is a great tool to help create customer loyalty as well. Numerous merchants, including hotels, coffee joints, fast food places and numerous others with a storefront, offer free Wi-Fi to attract people and increase sales.

But it has its downsides, too. If you're offering it in your place of business, you need to understand that your access point can be used for criminal activity—and to hack your own business, too.

So what are criminals looking for? Criminals connect to free Wi-Fi for:

  • Pirating music, movies and software via P2P programs. This criminal activity costs the recording and motion picture industries billions of dollars every year. The Recording Industry Association of America (RIAA) and the Motion Picture Association of America (MPAA) are cracking down on any IP address associated with illegal downloading and will come after your business too.
  • Child pornography. Law enforcement spends lots of time in chatrooms posing as vulnerable kids, chatting it up with pedophiles who buy sell and trade in child pornography. If your IP address is used for this purpose, you will get a knock on the door with a battering ram.
  • Criminal hacking. Bad-guy hackers look for vulnerabilities in others’ devices when using free Wi-Fi networks. They steal keystrokes, usernames, passwords and account info, and install spyware and viruses.

You're not powerless against these hackers. These three safeguards are the first hurdles you can put in place to secure your company’s Wi-Fi:

1. Use a web proxy/filter. IT security vendors sell software that filters out or blocks known websites and prevents the sharing of P2P files. For more details on what kind of information can be accessed, search “internet access control software” to find a suitable vendor.

2. Add an agreeable use policy. There are numerous phrases a small business can incorporate into an agreeable guest use policy. You may want to include such language as “User agrees not to …”

  • Willfully, without authorization, gain access to any computer, software, program, documentation or property contained in any computer or network, including obtaining the password(s) of other persons. Intercepting or attempting to intercept or otherwise monitor any communications not explicitly intended for him or her without authorization is prohibited.
  • Make, distribute and/or use unauthorized duplicates of copyrighted material, including software applications, proprietary data and information technology resources. This includes the sharing of entertainment (e.g., music, movies, video games) files in violation of copyright law.

You may want to search for and read other business's agreeable use policies in order to help you compose your own. And be sure to have your lawyer or legal department review it before you begin having customers agree to it.

3. Implement a secure Wi-Fi. Wi-Fi that requires users to log in with a username and password to charge even a dollar will then have their credit card number on file. This would mostly eliminate any anonymity, thus preventing numerous e-crimes.

Don’t think for a second something bad can’t happen to your business. Performing due diligence, knowing your options and implementing these barriers will keep both you and your customers from legal troubles and from getting hacked.

Robert Siciliano CEO of IDTheftSecurity.com.

You may have heard news reports about popular websites such as CNN, Amazon and Yahoo! being taken down by a DoS attack, but have you ever wondered what DoS means?

This common tech term stands for “denial-of-service,” where an attacker attempts to prevent legitimate users from accessing a website entirely or slowing it down to the point of being unusable.  The most common and obvious type of DoS attack occurs when an attacker “floods” a network with useless information.

When you type a URL for a particular website into your browser, you are sending a request to that site’s computer server to view the page. The server can only process a certain number of requests at once, so if an attacker overloads the server with requests, it can’t process your request. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying access to legitimate users.

A distributed denial-of-service (DDos) attack is one where a site is attacked, but not by just one person or machine. DDos are attacks on a site by two or more persons or machines. These attacks are usually done by cybercriminals using botnets (remote computers that are under their control), to bombard the site with requests. Cybercriminals create botnets by infecting a collection of computers—sometimes hundreds or thousands—with malware that gives them control of the machines, allowing them to stage their attack.

There is also an unintentional DoS where a website ends up denied, not due to a deliberate attack by a single individual or group of individuals, but simply due to a sudden enormous spike in popularity. This can happen when an extremely popular website posts a prominent link to a second, less well-prepared site, for example, as part of a news story. The result is that a significant proportion of the primary site’s regular users–potentially hundreds of thousands of people—click that link in the space of a few hours, having the same effect on the target website as a DDoS attack. When Michael Jackson died in 2009, websites such as Google and Twitter slowed down or even crashed.1

While this can be an inconvenience to you, as you may not be able to complete transactions or access your banking site, there’s no real danger for you. But unbeknownst to you, your computer or mobile device could be part of the botnet that is causing a DDos attack.

To make sure you’re not part of a DDos attack:

  • Pay attention if you notice that your Internet connection is unusually slow or you can’t access certain sites (and that your Internet connection is not down)
  • Make sure you have comprehensive security installed on all your devices, like McAfee LiveSafe™ service
  • Be careful when giving out your email address, clicking on links and opening attachments, especially if they are from people you don’t know
  • Stay educated on the latest tactics that hackers and scammers use so that you’re aware of tricks they use

1“Web slows after Jackson’s death”. BBC News

Robert Siciliano is an Online Security Expert to McAfee.

One of the issues I’m passionate about, as an online-security analyst, is that of banking safely online; so I recommend the following simple tips to help ensure your security in cyberspace.

  1. Wired ethernet link. This offers more security than does a powerline or Wi-Fi network. In fact, the powerline carries your data via electrical wires—not secure at all. Data from wires can leak into adjacent homes, and Wi-Fi signals are out in the open, literally. An ethernet attack, however, may require a home break-in by the crook, and then he has to set up his device.
  2. Nevertheless, powerline and Wi-Fi do come with encryption capabilities; encryption scrambles data for safer online banking. Any attacker would need your password to infiltrate. But remember this: Wi-Fi’s WEP, which is obsolete, can be hacked into, even though it’s still offered as an option for router setup.
  3. Do not leave a router on its default password. Otherwise, crooks can get in and redirect your traffic to who knows where.
  4. Never trust third-party Wi-Fi hotspots.
  5. Make sure that the financial site you visit has a padlock icon and “https” before the URL address; this means it’s secure and legitimate. “Http” (no “s”) is not secure.
  6. Keep up to date on security updates for your browser and operating system. This will protect against a crook who uses a keylogger to track your keystrokes. With a keylogger, a hacker can get your keystroke pattern and will figure out your passwords.
  7. Never click on links in e-mails. Even if it’s supposedly from your bank. Never.
  8. To really beef up online banking security, use a separate computer just for online banking.
  9. Enable your financial institution’s two-step verification. This is typing in a password that’s one-time, that gets texted to you. Unfortunately, many banks don’t have this tactic. But if you’re concerned with banking safely on the Internet, see if your institution does. If you can’t find this information on their web site, call them.
  10. One more simple tip about safe online banking: Hotspot Shield VPN service guards your entire online experience when you’re using unprotected networks, such as at coffee houses, hotels, airports, etc., be they wired or wireless.

You can have peace of mind that your web sessions (downloads, filling out forms, shopping, banking) are safe and secure with the https-protected tool. With Hotspot Shield, all mobile data is encrypted. Hotspot Shield also has a mobile version, and it compresses bandwidth so that you can download nearly double the content at the same cost. This VPN service has saved 102.9 million megabytes.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. 

Medical errors can also mean medical identity theft—accounting for 43 percent of all 2013 identity theft in the U.S., says the Identity Theft Resource Center. Medical identity theft kicks other forms of ID theft to the curb: banking, finance, government, military and education.

Fraudsters invade health data to illegally obtain prescription drugs, services or devices and to get insurance reimbursements.

Making the situation stiffer is the Affordable Care Act, as the implementation of federal and state health insurance exchanges involved malfunctioning online marketplaces. Plus, the Act promotes digitizing medical records, and you know what that means.

What about an honor system?

HIPAA—Health Insurance Portability and Accountability Act (now you know why it’s not “HIPPA”)—and the HITECH Act define what health care providers must do to protect patient privacy. Violations of these acts can net stiff fines including up to 10 years’ prison time.

However, HIPAA has exceptions, such as “public health activities” and “health oversight activities” in which confidential information is shared.  People who know that HIPAA isn’t airtight can be turned off from revealing they have an STD or a psychiatric disorder to their doctor unless absolutely necessary.

Patients must be notified by their health plan, medical institution or medical provider when it’s been determined that their health information has been breached, says HITECH law. The Department of Human Health must also be notified. The Department will reveal breaches that involve at least 500 patients.

The discovery, though, doesn’t solve the problem that has already occurred: the fallout from the leak. It’s fairly straightforward to have the right information put back in a patient’s files, but another story to get the fraudulent information taken out, due to fear of medical liability.

Take action:

The time is now to bring attention to how a business is protecting their clients’ data. The public wants to know their information is safe and the companies they hand it over to are doing everything possible to protect it.

Robert Siciliano is an Identity Theft Expert to AllClearID. 

Banner

CyberBanner

CyberBanner

CyberBanner

CyberBanner

Log in Register

Please Login to download this file

Username *
Password *
Remember Me

Banner

CyberBanner

CyberBanner

CyberBanner

CyberBanner

Banner

CyberBanner

CyberBanner

Go to top