Is Your Smartphone Safe From Hackers?

July 25th, 2011

With the recent phone-hacking crisis at News Corporation (a scandal built on reporters listening to other people’s voicemail) and the emotional testimony of the company’s top executives, including Chairman Rupert Murdoch, now is a good time to do what you can to secure your own cellphone, whether it is a smartphone or not.

Analysts at Gartner estimate that one in six people now own or have access to a smartphone. The importance of protecting the integrity and privacy of both your personal and business data cannot be overstated. Once stolen, your data takes on a life of its own on the worldwide underground black market.

The variety of ways we engage with and consume online entertainment and information has changed in just the past two years, thanks to the demand for and availability of a torrent of on-demand mobile content.

While the good guys work to develop new feature-rich applications for us to consume, the bad guys are just as busy trying to gain access, for a number of reasons:

  • Financial gain: Money transfer by phone is becoming popular, which means money can be moved out of your account and into another by SMS. An attacker who can read your messages or spy on your phone can capture the details needed to initiate those transactions.
  • Spying on you: Attackers can also take over a phone remotely. Once the phone is compromised, it can be commanded to silently call the attacker, who can then listen to conversations going on around the owner.
  • Access to your private information: As noted above, stolen data ends up being gossiped about in clandestine underground chat rooms and bargained for on the black market.

The iPhone was an early entry into the touchscreen smartphone market with its user-friendly features. Even its release was disrupted by scammers who sent spam messages promising non-existent free phones to an eager buying public, upstaging Steve Jobs before the phone went on sale.

Google’s Android competes head-to-head with the iPhone, and Android’s OS has its own share of vulnerabilities and attacks. Windows Phone 7 and RIM’s BlackBerry round out the list of the largest smartphone operating systems, and both have their own sets of potential security weaknesses. Keeping on top of the latest scams remains vital for protection from the latest threats.

What steps can you take?

Here are some password and prevention tips to reduce your chances of being phone hacked:

1. Turn on password protection for your voice mail, and set a PIN you chose yourself
2. Never use the same password for more than one account
3. Change your phone’s default passwords (Thanks to Piers Morgan); a default voicemail PIN is the first thing anyone trying to listen to your messages will try
4. Avoid easy passwords, e.g. your birth year (easily found on your Facebook page?)
5. Change your phone’s password on a regular basis
6. Use the longest password or PIN your phone and carrier allow; eight or more characters works best
7. Delete your voice mail after you’ve listened to it, so there is nothing stored for an intruder to hear
8. Consult your carrier for their own, regularly updated platform protection options

The growing number of hackers generally work for some combination of fun, notoriety and financial gain. Parents should use extra care when deciding how much digital freedom and internet access to allow their children, based on their own standards. Phones with a camera and web access usually come with parental privacy controls.

Which strategies are you implementing to slow the hack-attackers down?

Man’s Stolen MacBook Phones Home

June 2nd, 2011

As summertime travel approaches, now is a great time for me to remind you to mind your personal electronic portables. According to Gartner, one in six people now have access to a high-tech mobile device, and odds are high that someone has their eyes on your stuff.

A creepy laptop thief hoping to snag some free electronic swag got way more than he bargained for recently.

The Associated Press reported this week that an Oakland, California man had his apartment burglarized and his MacBook stolen. The good news is that he got it back thanks to an online, viral, one-man crusade. Local police were swamped and unable to assist, so Joshua Kaufman took matters into his own hands. After posting photos of the stranger on Twitter and creating a blog titled “This Guy Has My MacBook”, sweet justice got served.

“People who followed me on Twitter retweeted it. It got picked up by social media and the press. It went super viral,” Kaufman said. On the same day that he posted his website on Twitter, police came calling.

WVEC in Norfolk, Virginia published a report on their site:

“Kaufman’s case is the latest example of people, not police, using technological tools to help find their own stolen property such as cars, cell phones and digital cameras. Kaufman had just moved to a new apartment in Oakland when a burglar broke in, taking the laptop, a bag, an electronic book reader, and a bottle of gin on March 21. He activated theft-tracking software he had installed, which began sending photos taken by the computer’s built-in camera of the unauthorized user three days later.”

Luckily for Kaufman, the tracking software he had installed but never tested began sending grainy photos from the laptop’s camera to his inbox. The victim observed the thief, posted his photo on the web and voila! After the photos went viral and caught the attention of the media, law enforcement went to work on the case and nabbed the thief.

Many devices with mobile web access and location services are literally equipped to “phone home”, but only if tracking software was set up before the device went missing.

One of my kids recently went on vacation and left an iPhone in the hotel room upon check-out. A land line call to the hotel got the usual response: “We’re sorry, but your room has been cleaned and no iPhone was turned in.”  From this point the conversation went something like this: “Really? My phone’s tracking locator says the phone is still there, I can see it online!”

Three minutes later, the hotel called back (they never call back) with the good news that the phone had just been located. How do you put a value on that sort of electronic sleuthing capability? ET phoned home alright. Truth is sometimes stranger than science-fiction.

3 Things To Learn About Your Debit Card

May 19th, 2011

The recent security breach at arts-and-crafts retailer Michaels Stores calls much-needed attention to debit cards and their vulnerabilities. In this breach, the thieves did not just steal debit card numbers; they used them to withdraw money directly from the victims’ bank accounts.

We often consider debit cards a convenient alternative to their look-alike payment tool, the credit card. What many of us forget is that fraud on a debit card takes our own money, not the bank’s. Fortunately, there are protections and guidelines in place for victims of debit card fraud, but the key lies in understanding the extent of our responsibility for reporting a problem.

Although most debit card issuers offer a brief grace period for reporting a lost, stolen or compromised card, we have specific obligations to our bank that can mean the difference between protecting and losing our assets.

According to Bankrate.com, not all debit card issuers play by the same rules:

“Federal law limits personal liability for unauthorized transactions to $50 for credit cards, but offers more limited fraud protection for debit cards. How to protect yourself: Find out if your bank offers theft and fraud protection. Get specific. Under what circumstances is it honored? How do you have to use the card? What’s your timetable for reporting the loss?”

Since each financial institution’s rules vary, you need to know the following for any debit card you carry:

1. What are the specific written rules for my card? Get the rules in writing from your card issuer.

2. Lost, stolen or compromised cards require different time-sensitive responses from you. Get it in writing from your card issuer.

3. Failure to report a problem could result in the loss of all your money. Monitor your debit-card account at least monthly for any irregularities and promptly report them.

The rules above all point to you “promptly reporting” any concerns, though the definition of “prompt” varies. Again, get it in writing.

Jay Foley at the Identity Theft Resource Center reminds consumers to file a police report in the event of a suspicious transaction; the report documents the facts of your case when you seek reimbursement from the bank.

By simply keeping a watchful eye on your card’s balances and activity no less than monthly, you can drift off to sleep at night without fear that someone might steal those sheep you’ve already counted.

Global Spear-Phishing: A New Threat

April 7th, 2011

While Charlie Sheen maniacally pronounces his self-induced “winning” status to a saddened, bewildered and exhausted fan base, another growing menace actually seems poised for “winning”.

Consumers got a wake up call on two fronts with the disclosure of the massive Epsilon Interactive data breach last week.

Our first wake-up call stems from the sheer length of the list of companies that use Epsilon’s email service to reach their customers.

The second wake-up call is the realization that so many trusted brands hand our names and email addresses to a third-party email service provider (ESP), one that has now been shown to be incapable of protecting the personal data entrusted to it.

The truth is that there is nothing you or I can do to prevent these leaks when the repository for our data is in the hands of other people.

According to the consumer advocacy group CAUCE (the Coalition Against Unsolicited Commercial Email), the following financial institutions were affected by the breach:

  • Ameriprise Financial
  • Barclays Bank of Delaware
  • Capital One
  • CITI
  • JP Morgan Chase
  • Moneygram
  • Scottrade
  • TD Ameritrade
  • TIAA-CREF
  • U.S. Bank
  • World Financial Network National Bank (Victoria’s Secret card)

The CAUCE report went on to explain:

“As well, these marketing and retail companies have reportedly had their client email, names and in some cases, other information stolen”:

  1. 1800Flowers.com
  2. AbeBooks (division of Amazon)
  3. Airmiles
  4. Beachbody
  5. Benefit Cosmetics
  6. Best Buy
  7. Best Buy Canada Reward Zone
  8. Brookstone
  9. City Market
  10. CollegeBoard
  11. Dillons
  12. Disney Destinations
  13. Eileen Fisher
  14. Ethan Allen
  15. Food 4 Less
  16. Fred Meyer
  17. Fry’s
  18. Hilton HHonors
  19. Home Shopping Network
  20. Jay C
  21. King Soopers
  22. Krogers
  23. Lacoste
  24. L.L. Bean credit card
  25. Marks and Spencer
  26. Marriott Rewards (Update: Marriott confirmed NO points totals were taken)
  27. McKinsey Quarterly
  28. New York & Company
  29. QFC
  30. Ralphs
  31. Red Roof Inns
  32. Ritz-Carlton (Update: Ritz-Carlton confirmed NO points totals were taken)
  33. Robert Half
  34. Smith’s
  35. Soccer.com
  36. Target
  37. TiVo
  38. Verizon
  39. Viking River Cruises (unconfirmed)
  40. Walgreens (for the second time)

The impact of the Epsilon breach is expected to be a sharp, severe and extended series of spear-phishing attacks. Because the stolen lists pair each email address with the bank or retailer it belongs to, an attacker can write a message that appears to come from a brand the victim really does business with, targeting and exploiting the trust between the victimized brands and their customers.

It is estimated that tens of millions of people’s names and email addresses have been exposed as a result of this breach. In the past three days, our own household has received at least three notifications from worried banks and retailers.

Consumers should brace themselves for what could be a barrage of incoming phishing attempts, disguised as communication from a trusted vendor. Although most savvy internet users are aware of these ploys, now is a good time for a few timely reminders.

  • Consumers can report attempted phishing attacks to US-CERT (part of the Department of Homeland Security) by forwarding the message to phishing-report@us-cert.gov
  • Never click on a link in an unexpected email; type the web address into your browser yourself (or use a bookmark), so that a look-alike link cannot send you to a malware or credential-harvesting site.
  • Security reporter Brian Krebs reported that over 100 ESPs (email service providers) have been under attack by fraudsters in recent months. This is an ongoing, sustained effort to grab your information!
  • Gmail, Earthlink and Yahoo all provide tools to help fight spam and phishing attacks.
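The second reminder above, never trust a link as it is shown to you, can be turned into a check. The following Python script is an added example, not code from the original post or from CAUCE, US-CERT or any of the companies listed: it pulls every link out of a constructed sample email and flags the two tricks a brand-impersonating phish relies on, a visible address that differs from the real target (including the `user@host` form, where the part before `@` is ignored by the browser) and a target whose registrable domain is not the brand’s. The domains examplebank.com and account-verify.example and the address 203.0.113.7 are placeholders.

```python
"""Flag deceptive links in an e-mail body (added example; the message below
is constructed for illustration and the domains are hypothetical)."""
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed phish: pretends to come from "examplebank.com", a hypothetical
# brand whose customer list has leaked.
SAMPLE_EMAIL = """
<p>Dear customer, unusual activity was detected. Please confirm your details:</p>
<a href="http://www.examplebank.com@203.0.113.7/login">https://www.examplebank.com/login</a><br>
<a href="https://examplebank.com.account-verify.example/">Sign in now</a><br>
<a href="https://www.examplebank.com/privacy">Privacy policy</a>
"""

# Domains the sender is genuinely allowed to link to (filled in per brand).
TRUSTED_DOMAINS = {"examplebank.com"}


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Host the browser would actually connect to (userinfo before '@' dropped)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Last two labels of a host name, or the literal address for IPs.
    A production checker would consult the Public Suffix List instead;
    two labels is enough for the .com-style brands used here."""
    try:
        ipaddress.ip_address(host)
        return host
    except ValueError:
        pass
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suspicious_links(html, trusted_domains):
    """Return [(href, visible_text, [reasons])] for links worth refusing."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        if urlsplit(href).scheme != "https":
            reasons.append("not https")
        if registrable_domain(target) not in trusted_domains:
            reasons.append(f"links to untrusted domain {registrable_domain(target)}")
        # Visible text that itself looks like a URL but points elsewhere:
        # you see the bank's address, you land somewhere else.
        if "://" in text or text.startswith("www."):
            shown = host_of(text if "://" in text else "http://" + text)
            if registrable_domain(shown) != registrable_domain(target):
                reasons.append(f"displays {shown} but links to {target}")
        if reasons:
            findings.append((href, text, reasons))
    return findings


if __name__ == "__main__":
    for href, text, reasons in suspicious_links(SAMPLE_EMAIL, TRUSTED_DOMAINS):
        print(f"{text!r} -> {href}\n    " + "; ".join(reasons))
```

Run as-is it flags the first two links and leaves the genuine privacy-policy link alone. The two-label domain rule is the weak spot to be aware of: for brands under suffixes like co.uk it would need the Public Suffix List.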

An ancient proverb comes to mind: “Trust in the gods, but tie up your camel anyway!”

Ashton Kutcher Gets Punk’d on Twitter

March 7th, 2011

Have you ever wondered about Ashton Kutcher’s rather warped sense of humor? The celebrity star of the hit TV show Punk’d was the victim of a deliberate hoax intended to warn the world, embarrass the star and catch him off guard in a “practical joke” sort of way. His popular, high-profile, widely read Twitter account got hacked!

The television show has been in re-runs since the final episode aired in 2007. The actor (AKA Mr. Demi Moore) has always claimed that he is “un-punkable”. The basic premise of Punk’d is that an unwitting celebrity is filmed during a staged prank, solely for the entertainment of viewers.

Here’s what happened. Ashton Kutcher has 6.4 million followers on Twitter. A relatively “friendly” hacker compromised the account while Kutcher was attending  a TED speakers conference in Long Beach, California.

According to the Internet security firm Sophos, the intruder’s hijacked message went out to Kutcher’s 6.4 million followers. The message stated:

"Ashton, you've been Punk'd. This account is not secure. Dude, where's my SSL?"

Analysts at Sophos believe the hacker exploited the fact that the account was being used over an unencrypted (non-SSL) connection, which is what the hijacked tweet’s “where’s my SSL?” is pointing at.

A Sophos analyst went on to say:

“The insecure Twitter and Facebook accounts of some celebrities offer a very tempting target for cybercriminals who may wish to spread their dangerous or spammy links to millions of followers. We should just be grateful that on this occasion the hack appears to have taken place to promote better awareness of the need for better security, rather than with more malicious intent.”

Relatively unsophisticated tricks like these can steal, or “sidejack”, the session cookie of anyone using a web site over plain HTTP on an unsecured WiFi network (Starbucks, anyone?). The attacker never needs your password: replaying the cookie is enough to act as you until the session expires.
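What a sidejacker actually captures, and the server-side setting that decides whether there is anything to capture, as an added example (not code from the original post or from Sophos): a constructed plain-HTTP request is parsed for its Cookie header, the stolen cookie is replayed in a forged request, and two constructed Set-Cookie headers are audited for the Secure and HttpOnly flags. The host social.example and the cookie name session_id are hypothetical.

```python
"""Show what 'sidejacking' takes from a cleartext HTTP session, and the
cookie flag whose absence makes it possible (added example; the capture and
headers below are constructed and the site is hypothetical)."""
import http.cookies

# Constructed: one request as a sniffer on an open Wi-Fi network sees it
# when a logged-in user loads a page over plain http://.
CAPTURED_REQUEST = (
    b"GET /home HTTP/1.1\r\n"
    b"Host: social.example\r\n"
    b"Cookie: session_id=s3cr3t-session-token; theme=dark\r\n"
    b"User-Agent: Example/1.0\r\n"
    b"\r\n"
)

# Constructed Set-Cookie headers: how an insecure site issues its session
# cookie, and the hardened form.
WEAK_SET_COOKIE = "session_id=s3cr3t-session-token; Path=/"
HARDENED_SET_COOKIE = "session_id=s3cr3t-session-token; Path=/; Secure; HttpOnly"


def cleartext_cookies(raw_request):
    """Cookies readable by anyone on the network path of an HTTP (not HTTPS)
    request. This is all a sidejacker needs: no password is involved."""
    head = raw_request.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    cookies = {}
    for line in head.split("\r\n")[1:]:          # skip the request line
        name, sep, value = line.partition(":")
        if sep and name.strip().lower() == "cookie":
            for pair in value.split(";"):
                key, _, val = pair.strip().partition("=")
                if key:
                    cookies[key] = val
    return cookies


def forged_request(path, host, stolen_cookies):
    """Replay the stolen cookies in a new request; the server cannot tell
    this apart from the victim's own browser."""
    cookie_header = "; ".join(f"{k}={v}" for k, v in stolen_cookies.items())
    return (f"GET {path} HTTP/1.1\r\nHost: {host}\r\n"
            f"Cookie: {cookie_header}\r\n\r\n").encode("latin-1")


def missing_flags(set_cookie_header):
    """Per cookie, which of Secure / HttpOnly the server failed to set.
    Without Secure the browser sends the cookie over plain HTTP as well,
    which is exactly what the capture above relies on; without HttpOnly
    injected script can read it too."""
    jar = http.cookies.SimpleCookie()
    jar.load(set_cookie_header)
    return {name: [flag for flag in ("secure", "httponly") if not morsel[flag]]
            for name, morsel in jar.items()}


if __name__ == "__main__":
    stolen = cleartext_cookies(CAPTURED_REQUEST)
    print("sniffed:", stolen)
    print(forged_request("/settings", "social.example", stolen).decode())
    for label, header in (("weak", WEAK_SET_COOKIE), ("hardened", HARDENED_SET_COOKIE)):
        print(label, "missing:", missing_flags(header))
```

The Secure flag alone closes the hole shown here only if the site also serves its logged-in pages over HTTPS; a cookie the browser refuses to send over http:// is useless to a site that only listens on http://.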

This should get Hollywood’s attention. I smell the winning recipe for a new fall TV show in the making. Surely reality television has room for another crowd pleaser.

Let’s call the new hit series…… Hack’d!

How Egypt Pulled The Internet’s Plug

February 2nd, 2011

The Egyptian government has apparently accomplished what many technology experts said could not happen.

Published reports indicate that the “plug” was pulled on Internet access in Egypt on the evening of January 27th, 2011, at about 6 PM local time. According to the fraud-prevention, monitoring and analytics company iovation, Egyptian Internet traffic instantly and almost literally fell off a cliff.

As reported in the blog of noted security expert Robert Siciliano:

NPR reports “Egypt has apparently done what many technologists thought was unthinkable for any country with a major Internet economy: It unplugged itself entirely from the Internet to try and silence dissent. Experts say it’s unlikely that what’s happened in Egypt could happen in the United States because the U.S. has numerous Internet providers and ways of connecting to the Internet. Coordinating a simultaneous shutdown would be a massive undertaking.”

The Los Angeles Times confirmed that both Facebook and Twitter were affected by the outage, and that after a week of unrest the Egyptian government has restored Internet access:

“Facebook said in a statement, “We’re pleased that Internet service has been restored and the 5 million people who use Facebook in Egypt can continue using our service to connect, learn, and share.”

Twitter was quickly awash in messages from Egypt after it was restored. Some of the messages asked for donations and medical supplies at hospitals.”

As I write this post, I asked my teenage daughter if she knew that the internet was shut down in Egypt. Her answer was revealing;  “Yea we learned that in school today Dad.”

Duh. I guess some news travels pretty fast when Big Brother steps aside.

“Trolls” Attack Rahm Emanuel’s iPad

January 20th, 2011

Internet trolls are lurking in our midst.

Think your iPad is safe from hackers? Think again.

Charges have been filed against a pair of self-described Internet “trolls” who claimed responsibility for pulling data from AT&T’s servers last summer.

U.S. Attorney for the District of New Jersey Paul Fishman has charged the two hackers with exposing the names and email addresses of over 120,000 iPad owners.

“The hallmark of this criminal hacker subculture is malicious one-upmanship,” Fishman added. “The more their victims have to scramble to fix the holes and the bigger the humiliation in reputational and actual damage to the corporate victim, the more bragging rights these individuals have in their own community.”

Many of the victims in this case are well known  politicians,  entertainers, and business leaders. Some of the more prominent victims include former White House Chief of Staff Rahm Emanuel, New York Mayor Michael Bloomberg, and ABC News anchor Diane Sawyer.

The “trolls” bragged about their exploits to gain notoriety and street cred, prompting officials to charge them with fraud and conspiracy.

Because consumers have no direct control over the network security of their vendors, remember these tips:

  • Seek out, read, print and safely store the privacy notices of all your electronic and financial service providers.
  • Stay on guard for irregularities on all your monthly statements.
  • Review your free credit report several times per year at http://www.annualcreditreport.com

The volatile combination of hackers, organized crime, thrill seekers and technology trolls has morphed into the next generation of Dorothy’s lions and tigers and bears….oh my!

Three Privacy Reminders For 2011

January 5th, 2011

Exhale. With the worst of the financial storm behind us, we can finally breathe and begin to rebuild our financial fortifications.

One of the first pieces of business this year should be to put a few strategies in place to protect what’s left of your assets and personal privacy. Unfortunately, the fraudsters are in the game stronger than ever, thanks to the relatively risk-free nature of modern financial crime.

The reality is that most financial crimes go under-reported and unsolved, because investigative resources are scarce and the supply of fresh target information available to criminals is endless.

Here are three areas to watch in 2011 according to Bank Info Security:

1. Mobile Banking Risks

“Mobile phones used for banking are on the rise, but mobile security is proving increasingly challenging for banks and credit unions, as controls put in place to protect traditional online banking do not translate well when applied to mobile. Mobile banking applications from Bank of America, Chase, Wells Fargo and TD Ameritrade have all suffered from security flaws, and CitiGroup in 2009 noted vulnerabilities when it learned some banking apps stored sensitive user details in hidden files on smart phones.”

2. Social Networks and Web 2.0

“The connection between mobile phones and social media is growing, with Twitter and Facebook apps offered for mobile users. Institutions embracing mobile also are embracing social networking, says Rasmussen, Internet Identity’s chief technology officer. “With more banks on social networks, expect to see more fake sites using social networks, like Twitter and Facebook, to try and trick people into giving up vital personal information,” including banking login credentials and Social Security numbers, he says.”

3. Malware, Botnets and DDoS Attacks

“Distributed denial-of-service, or DDoS, attacks, as seen in the wake of the recent WikiLeaks incidents, are likely to increase. In fact, the WikiLeaks-inspired attacks against leading e-commerce sites have fueled interest among fraudsters, says RSA’s Rivner. Botnet operators now see opportunity for additional income.”

Smartphones, social networking and sustained attacks on closed systems leave plenty of room for mischief in the coming year. Stay tuned for ways to short-circuit these uninvited cyber-guests in 2011 and beyond.

’Tis The Season For Ruthless Online Fraud

December 7th, 2010

The most troubling aspect of the newest WikiLeaks release is the grim realization that our nation’s most sensitive information can be so easily accessed and leaked to the world.

You can’t help but wonder: if the U.S. Defense Department can be breached from the inside out, just how safe is the personal data belonging to the average U.S. citizen?

Here are 10 tips from the Better Business Bureau to help keep you safe online, not just during the holidays but all year long.

The BBB offers this advice:

1. Protect your computer – A computer should always have the most recent updates installed for spam filters, anti-virus and anti-spyware software and a secure firewall.

2. Shop on trustworthy websites – Shoppers should start with BBB to check on the seller’s reputation and record for customer satisfaction. Always look for the BBB seal and other widely-recognized “trustmarks” on retailer websites and click on the seals to confirm that they are valid.

3. Protect your personal information – BBB recommends taking the time to read the site’s privacy policy and understand what personal information is being requested and how it will be used. If there isn’t one posted, it should be taken as a red flag that personal information may be sold to others without permission.

4. Beware of deals that sound too good to be true – Offers on websites and in unsolicited e-mails can often sound too good to be true, especially extremely low prices on hard-to-get items. Consumers should always go with their instincts and not be afraid to pass up a “deal” that might cost them dearly in the end.

5. Beware of phishing – Legitimate businesses do not send e-mails claiming problems with an order or an account to lure the “buyer” into revealing financial information. If a consumer receives such an e-mail, BBB recommends picking up the phone and calling the contact number on the website where the purchase was made to confirm that there really is a problem with the transaction.

6. Confirm your online purchase is secure – Shoppers should always look in the address box for the “s” in https:// and in the lower-right corner for the “lock” symbol before paying. If there are any doubts about a site, BBB recommends right-clicking anywhere on the page and selecting “Properties.” This will let you see the real URL (website address), and the dialog box will reveal if the site is not encrypted.

7. Pay with a credit card – It’s best to use a credit card, because under federal law, the shopper can dispute the charges if he or she doesn’t receive the item. Shoppers also have dispute rights if there are unauthorized charges on their credit card, and many card issuers have “zero liability” policies under which the card holder pays nothing if someone steals the credit card number and uses it. Never wire money and only shop locally on sites like Craigslist.

8. Keep documentation of your order – After completing the online order process, there may be a final confirmation page or the shopper might receive confirmation by e-mail – BBB recommends saving a copy of the Web page and any e-mails for future reference and as a record of the purchase.

9. Check your credit card statements often – Don’t wait for paper statements; BBB recommends consumers check their credit card statements for suspicious activity by either calling credit card companies or by checking statements online regularly.

10. Know your rights – Federal law requires that orders made by mail, phone or online be shipped by the date promised or, if no delivery time was stated, within 30 days. If the goods aren’t shipped on time, the shopper can cancel and demand a refund. There is no general three-day cancellation right, but consumers do have the right to reject merchandise if it’s defective or was misrepresented. Otherwise, it’s the company’s policies that determine if the shopper can cancel the purchase and receive a refund or credit.

From our family at Penn and Associates to yours,  enjoy this Christmas holiday season. Expect bigger things from this blog in 2011 !

Fire Insurance For Your Wallet

November 5th, 2010

A recent Forbes magazine article suggested that the impact and ferocity of consumer and commercial identity theft have both quieted down along with the current economic downturn.

Predictably, early responses to the Forbes article were swift and scathing. The reality is that, although fewer people are exposed in any given breach, the actual number of adult victims of financial fraud has not gone down over the past five years. It has gone up. Way up.

A 2010 Javelin Strategy & Research report reveals that the number of U.S. adult victims of identity fraud has grown from 8.9 million in 2005 to 11.1 million in 2009.

According to the Identity Theft Resource Center, the number of breaches is difficult if not impossible to nail down with certainty because of loose reporting requirements in many states, and some states do not allow public access to reported breaches at all.

The ITRC reports:

  • Paper breaches account for nearly 26% of known breaches (an increase of 46% over 2008)
  • The business sector’s share climbed from 21% to 41% between 2006 and 2009, the worst performance of any sector by far
  • Malicious attacks surpassed human error as a cause for the first time in three years
  • Of 498 breaches, only six reported that the exposed data was protected by encryption or other strong security features

The Forbes article correctly points out that breaches the size of the one suffered by Heartland Payment Systems are quite rare. Heartland’s single breach exposed 130 million records from over 600 entities.

Analogies always break down at some point; however, the fire insurance analogy works here. Mortgage companies require the purchase of fire insurance, but everyone who buys it hopes never to have to make a claim. So it is with identity theft products.

Identity theft blogger Denise Richardson explains:

“Americans are accustomed to the idea of purchasing a hedge against something that might happen. Why is it, then, when it comes to identity theft, some people are still saying that protection is unnecessary?

Many consumers are still in the dark about the latest dangers, scams and techniques criminals now use to commit fraud.

Today’s criminals buy, sell, trade and barter personal data on more than 10,000 underground chat rooms. And today’s identity theft protection services have much more to offer than they did just a few short years ago. They utilize the same sophisticate(d) technology to scan public databases, peer 2 peer networks and the very chat rooms where criminal(s) work selling and buying our data.  I can’t do that for myself, and neither can the average consumer.”

Although many identity theft protection firms offer the cool and often pricey chat-room monitoring feature, the real value for victims lies in the resolution services that underlie most plans.

Because we cannot predict just how complex or time-consuming a financial, medical or criminal identity attack might be, it makes sense to partner with a resolution expert on the other side of the firewall.

Another reason for consumers to consider partnering with a reputable identity theft protection firm is that we cannot control the actions of the businesses and government agencies that hold our information on their servers and inside their portable devices.

Who are you gonna call when a foreign hacker decides to set your wallet on fire, invade your life, steal your assets and ruin your reputation?

Hint: Don’t call anyone at Forbes.