Businesses that focus on the big security breach may very well be missing the smaller threats that can do serious damage.

A human can easily kill a gnat. So how is it that just one gnat can drive you crazy, even though you can kill it in an instant? You are bigger and mightier ... yet one gnat can get the best of you. That’s because you’re too big for the gnat, as it buzzes around your eyes, nose and in your hair.

This is just like when businesses implement giant measures to enhance security and protect themselves against big threats like hacking, or natural disasters like a tornado. The business feels mighty with its extensive video surveillance, steel bolt doors and armed security guards. Yet, it's unable to foresee or handle the small stuff that can have dire consequences.

Some businesses make the mistake of focusing on only a handful of tactics and, as a result, other threats slip in undetected or, if detected, are not detected well enough to be mitigated. Instead, all the business leaders can do is swat haphazardly, hoping to get a hit.

When businesses zoom in on only a few specific tactics, this results in a rigid plan that can’t adapt, and is useful only if the anticipated threat is precisely how it was envisioned in the first place. Concentrating on just a few selected risks means not seeing the bigger picture—missing greater risks that can come along.

Of course, you can’t possibly anticipate every possible threat. But preparing for just a few isn’t smart, either. What's a business leader to do? Follow this list to prepare smarter.

  1. Make sure all security and continuity plans are adaptable.
  2. Consider the human component, and work it into the plan. Can IT’s brilliant plan be sustained by a person? Are facilities manned by one person or a team?
  3. Cover all basics and implement regular updates.
  4. Don’t get sucker punched. Consider a variety of threats (from cyber sources to natural sources), not just a few, and the various ways your organization can respond and resolve.
  5. Be aware. Figure out backup locations for your business to function should you be forced to displace.
  6. Prepare staff. Designate a core team and keep their contact information handy so anyone can reach them anywhere.
  7. Communicate. Design an emergency communications protocol for employees, vendors and customers, etc., for the days post-disaster. Confirm emergency response plans with your vendors and suppliers, and prepare to use alternate vendors.
  8. Keep your data backup tools in excellent condition.
  9. Keep your inventory of assets up to date.
  10. Safely and efficiently store documents. Duplicates of all crucial documents should be kept off-site.
  11. Routinely make data backups, ideally both locally and with a cloud service.
  12. Determine succession of management in case key players can no longer function.
  13. Know the signs of a dying computer. A blue screen can mean a hardware problem or driver conflict. If things are taking way too long, there may be too much software … or a failing hard drive. Strange noises during startup, for instance, can also mean a hardware failure. Consider it your warning.
  14. Set up your backups. You can set up backup protocols with a program like Belarc Advisor, which is free and lets you know what to install and when it’s time to replace a computer.
  15. You may want to consider replacing your computer every two or three years to avoid being stiffed by a computer that’s suddenly gone stiff. Nothing’s more alarming than suddenly losing all your data, and there’s no backup computer that you can just turn on and pick up where you left off.

Robert Siciliano, CEO of IDTheftSecurity.com, personal security and identity theft expert and speaker, is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Scammers are at it again, this time with green dot cards: pre-paid debit cards available at stores. It can work like this:

Let’s say you run a small business. You’re out and about, then return to find an employee informing you that the electric company called about an unpaid bill. So you return the call. The person on the other end says you need to pay that electric bill of (fill in the blank) dollars. The stranger on the other end says you can get a green dot card from, say, Walmart, and that you can give that person the number within the next 20 minutes.

Otherwise, the electricity in your business will be shut off. Your business depends on electricity; you have customers; you don’t have time to really think about what just happened over the phone; so you hurry out to Walmart and get that green dot card, call the stranger back and give him the number.

You just got scammed!

There are more and more cases mounting like this, with the scammers tricking victims with an assortment of tall tales, convincing them to obtain the green dot cards. This scam is difficult to trace back to the thief.

Take time to reflect upon a situation before rushing out to do something that involves your money. No legitimate business like a utility company will ever request that you go out and get a prepaid card and then give them the card’s number, especially within the constraints of a very short time period. If it smells fishy, it IS fishy.

The scammers use stories to charge up the victim’s emotions, because they know that people don’t think logically when under the duress of emotions (e.g., fear of electricity shutting down in their shop).

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

No, it’s not some new engineering field to develop social media sites. Social engineering has been around as long as the con artist has been around. The term stems from the social science world, where social engineering is deemed an act of psychological manipulation.

In our tech-laden world of today, social engineering still involves deceit but it’s used to deceive you into giving up personal or sensitive information for the bad guys’ financial gain. Social engineering can take many forms from an email, phone call, social networking site, text messages, etc., but they all have the same intent—to get you to part with valuable information.

Any one of us can be a target. And social engineering continues to be a tool that cybercriminals use because it works. They play on our emotions and our innate desire to trust others and be helpful. They also rely on the fact that many of us are not aware of the value of the information we possess and are careless about protecting it.

For instance, after major natural disasters or major news topics, like a hurricane or earthquake, cybercriminals sent out scores of bogus emails, calling for sympathy and donations for the victims, just so they could line their pockets.

In addition to sympathy, the bad guys also barter in fear, curiosity and greed. From emails offering fake lottery winnings (greed), to dangerous download sites advertising a preview of the latest Lady Gaga song (curiosity), to devious popup messages that warn you that your computer is at risk (fear), today’s cybercriminals are masters at manipulating our emotions.

And because their tricks often look legitimate, it can be hard for you to identify them. You could wind up accidentally infecting your machine, or sharing personal and financial information, potentially leading to monetary loss and even identity theft.

How can you protect yourself?

  • Never respond to a message from someone you don’t know, and never click on a link in an unsolicited message, including instant messages. Any time the phone rings and the caller requests personal information, consider it a scam.
  • Be suspicious of any offer that seems too good to be true, such as the lure of receiving thousands of dollars just for doing a wire transfer for someone else.
  • If you are unsure whether a request is legitimate, check for telltale signs that it could be a fake, such as typos and incorrect grammar. If you are still unsure, contact the company or organization directly. Financial institutions, and most sites, don’t send emails or text messages asking for your user name and password information.
  • When using social networking sites, don’t accept friend requests from people you don’t know, and limit the amount of personal information you post to your profile.
  • Consider using a safe browsing tool such as McAfee® SiteAdvisor® software, which tells you whether a website is safe right in your search results, helping you navigate away from phony sites.
  • Make sure all your devices are protected with comprehensive security, like McAfee LiveSafe™ service that protects all your PCs, Macs, smartphones and tablets.

So remember to ask yourself if this is really legit, the next time you get a message that plays on your emotions. Stay safe online!

Robert Siciliano is an Online Security Expert to McAfee. He is the author of 99 Things You Wish You Knew Before Your Mobile was Hacked!  Disclosures.

In general, courts don’t tend to side with consumers in data breach incidents. However, a federal court in Florida is the apple among the oranges. It approved a $3 million settlement for victims whose personal health information was on a laptop stolen in December 2009.

The laptops belonged to AvMed, a health insurer, and the unencrypted data involved records of tens of thousands of the company’s customers.

Though the consumer-plaintiffs suffered no identity theft or other direct losses, they accused AvMed of breach of contract and fiduciary duty, negligence and unjust enrichment.

These claims were dismissed by the U.S. District Court for the Southern District of Florida, but the plaintiffs appealed. The U.S. Court of Appeals for the Eleventh Circuit remanded the case.

AvMed’s attempt for another dismissal went down the tubes, prompting the company to enter into settlement talks with the plaintiffs.

The agreement says that each victim will get up to $10 for every year they made an insurance payment to AvMed, with a cap at $30. This is money, say the victims, that AvMed could have spent on better data security. The agreement also requires AvMed to pay damages to anyone who gets stung with identity theft.

AvMed will also employ encryption and new password protocols, plus GPS technology for its laptops.

Apparently, this settlement is the first in which the awarded victims didn’t have to show tangible evidence of loss.

Traditionally, courts nationwide don’t take on such claims, holding that a claim lacks merit if it’s based on the possibility of future damages rather than actual concrete losses that have already occurred.

The ruling serves as a precedent for future data breach cases, to support customers’ stance that a segment of their health insurance premiums should fund data security placements.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video. Disclosures.

Identity theft evolves as technology progresses. The Identity Theft Resource Center explains the future of this crime.

Definition of Identity

The definition will swell up to include biometrics and behavior, not just driver’s license number and SSN. So your identity can be defined by how you move a mouse and your keystroke patterns.

Medical Identity

There’s no focal mechanism for the mitigation of medical identity theft, making it easy for thieves to keep getting medical treatment. Many people get their medical identity stolen without knowing it.

Statistics

Crime rate statistics are not telling the whole story. The illusion is that crime rates are on the decline; this is because statistics do not include all fraud activity. The primary indicator in crime statistics reports doesn’t even include identity theft.

Mobile wallets will not take over the world—at least not soon, anyways.

Though mobile wallets seem to be the next big wave in purchase technology, it’s not going to be easy convincing the masses to store every bit of their financial data in their smartphone. In fact, 64 percent of survey participants said they would not convert to a mobile wallet system (Consult Hyperion).

Affordability

All of these cool developments in the world of cyber communication will not necessarily apply to every single person; products cost money. So no matter how much it seems that times are changing or that people are “switching over” to some new technology, there will still be that demographic that’s seemingly left in the dust.

Finally…

It looks as though federal data breach notification laws will at last become a reality. Or so it seems.

Extra Layers

The dual and even multi-step authentication system will become more common, as more industries pick this up, to verify a user’s identity. And even consumers seem to be warming up to this.

Can’t have it both ways:

That is, security and convenience. With all the big data breaches lately, looks like privacy and security will win over convenience for the consumer.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention. For Robert’s FREE ebook text- SECURE Your@emailaddress -to 411247. Disclosures.

The recent major retail breaches have fueled increased interest by the National Retail Federation to push for implementation of a chip and PIN payment card technology. This would make the magnetic strips on payment cards obsolete and no longer a calling card for hackers.

“We’re here today because the question of data security and cyber theft in retail has become a very important debate in Washington,” said David French, the senior vice president of government relations for the NRF.

The U.S. still relies upon the magnetic strip—buyers or employees swipe the card and sign for the transaction. The chip and PIN means a chip is embedded into the card. A “reader” reads the chip but also requires the cardholder to enter a PIN to complete the purchase: a two-ply authentication process.

Magnetic strips allow thieves to make counterfeit cards that work, but the chip technology would prevent this.

“It’s going to be a very expensive transition,” says Mallory Duncan, NRF senior VP and general counsel, referring to the switch from magnetic strip to PIN and chip. A chipped card costs 4-5x as much as a striped card: a cost that card issuers are not crazy about investing in.

However, the retail industry isn’t off the hook. Duncan notes that “every one of the (payment) terminals has to be replaced and depending on whether you’re counting just retailers or doctors’ offices and other places that are thought of as retail, it’s going to be between nine to 15 million (pieces of point-of-sale) equipment that have to be replaced.”

That’s more than $1,000 per unit, she adds. The migration to chip technology includes software and training, and based on Great Britain’s cost to migrate, the U.S. could be looking at “$20 billion or $30 billion to swap out equipment,” says Duncan. And that’s an under-estimate.

The starting point for the swap is banks issuing the chipped cards, says Duncan. Then the retail industry will know it’s worth it to finish the job by implementing the terminals.

The banking industry isn’t taking well to the retail industry’s stand on who should make the first move. Banking leaders believe that recent big retail breaches were primarily caused by, as they responded to NRF’s media briefing, “failed computer security at major retailers.”

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Just about every kind of healthcare related entity—hospitals, rehab centers, pharma companies, insurance carriers and more—has been and continues to be compromised by cyber criminals.

Though your doctor can boost your resistance to heart attack, the hospital he works at remains prone to hack attacks by crooks wanting access to all sorts of data and other sensitive information.

This isn’t just a leak of patients’ personal health information; the institutions’ billing systems and intellectual property also end up in the hands of crooks.

Once the hackers are in, they’re in a position to launch more attacks on other networks and commit billions of dollars worth of fraudulent transactions.

Here are some bitter pills to swallow:

  • Compromised devices include radiology imaging software, Web cameras, firewalls and mail servers.
  • Quite a few compromises occur due to simple issues like failing to change default credentials on firewalls.
  • Tens of thousands of malicious events can occur within a healthcare IT environment during the time that intelligence is gathered.
  • Not only can cyber criminals get ahold of patient addresses, SSNs and medical condition data, but they can manipulate medical equipment.
  • Healthcare providers accounted for 72 percent of malicious traffic according to the SANS-Norse Healthcare Cyberthreat Report. In addition, healthcare business associates: 9.0 percent; health plans: 6.1 percent; pharmaceutical: 2.9 percent; healthcare clearinghouses: 0.5 percent; miscellaneous healthcare related entities: 8.5 percent.

This all means that patients bear a big financial burden, because healthcare costs rise in response. For instance, the cost related to compromised medical insurance records and files in 2013 was $12 billion. This trickles down to patients.

Many healthcare related organizations cannot adequately protect sensitive data; the cyber attacks are like a relentless virus, overtaking its host.

Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Data brokers have lots of personal information about you; here’s what you can do about that.

Ever hear of the term “data broker”?  What do you think that is? Think about that for a moment. Yep, you got it: An entity that goes after your data and sells it to another entity.

The entity that gets the data, the broker, is called a consumer data company. They snatch huge amounts of data from individuals all over the planet and sell it. And who wants your personal information? Your information is of significant value to marketers, companies doing background checks and in some cases, your government.

They want to know what you like to buy, what you’re most likely to buy, if you want to lose weight, build muscle, what kind of cars you like, where you vacation, what you eat, where you shop for clothes, what kind of disease you have, whether or not you’ve been assaulted or if you have committed a crime…all so they can get a solid picture of who you are.

You now know about data brokers: a whole new industry that reflects our evolving technology. Lawmakers have taken notice of this flourishing industry, trying to get companies to give some control to consumers over what becomes of their data.

At least one data broker makes it possible for you to see how much data is out there about you and to possibly edit and update it. But that’s not enough.

Just how much do data broker companies even know about people?

They build you up from the inside out, starting with skeletal information (name, address, age, race) and padding the meat on from there: education level, medical conditions, income, life events (buying a home, getting divorced), driving record, lawsuits against you, credit scores and more. One credit reporting agency even sells lists of the names of people expecting babies and those who have newborns. They even sell lists of people who make charitable donations and read romance novels. Data brokers can even get ahold of your income information.

This doesn’t mean that any one data broker knows everything about you. It’s just that a heck of a lot of personal information about you is potentially scattered all over the place. Data brokering is legal: a multi-billion dollar industry involving trillions of transactions every day. But this doesn’t mean the consumer is without rights or power. You can, indeed, do some reclaiming of your name from the data brokering industry.

How do you get control and manage your name?

  • Sit and wait: As mentioned, lawmakers are putting the heat on data companies to make it possible for consumers to have some control over all of this. The FTC recommended in a 2012 report that the data mining industry establish a website that reveals names of U.S. data brokers plus other relevant information.
  • Go to StopDatamine.me: Data brokers have not responded, so someone else did: a site that tells consumers who the data brokers are and their opt-out links.
  • Browse “Incognito”: With Google’s Chrome browser you can open a “New Incognito Window”; once it’s opened, you've gone incognito. Pages you view in incognito tabs won't stick around in your browser's history, cookie store, or search history after you've closed all of your incognito tabs. Any files you download or bookmarks you create will be kept. However, you aren't invisible. Going incognito doesn't hide your browsing from your employer, your internet service provider, or the websites you visit.
  • Use a VPN: For the ultimate in masking your webcrumbs, use Hotspot Shield VPN, which acts as a proxy, covers up your IP address and protects your devices and data from Wi-Fi hackers at the same time.
  • Plugins: The Chrome and Firefox browsers offer a plethora of add-ons to mask your browser. DoNotTrackMe is a good one.
  • Behave: Yes, just be good, don’t commit any crimes, because you can’t erase bad behavior from government records.

Robert Siciliano is an Identity Theft Expert to Hotspot Shield VPN. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him discussing internet and wireless security on Good Morning America. Disclosures.
