Archive for the ‘data breach’ Category

Small business is a big target for identity thieves

Thursday, March 29th, 2012

In today’s article, Intersections’ Consumer Security Adviser, Neal O’Farrell writes about how cyber criminals and identity thieves target small businesses. Why? Because many small businesses do not have substantial security procedures in place, and they make an attractive target for thieves hoping to steal your personal information.

Last night a neighbor of mine called for some advice on identity theft. He’d just received a call from a mortgage broker he hadn’t dealt with in more than two years, who told him that he’d just had a break-in at his office, his computer was stolen, and my neighbor’s personal information was on that computer. Along with the personal information of possibly thousands of other victims who had provided their personal information to that broker over the years.

And because the information was about loan and mortgage applications, it included everything a thief would need to commit devastating identity theft against multiple victims. Information like name and spouse’s name, Social Security number, address and date of birth, earnings and employer, previous addresses and more.

What bothered my neighbor most, apart from the obvious risk to his identity, was why the broker had held on to so much sensitive information for so long. And why it was sitting unprotected on a personal computer for so long.

I had to explain to him that this practice was very common. Small businesses, whatever their nature, tend to be unfamiliar with security procedures and data protection basics. Chances are, this broker has been hanging on to highly sensitive client information for years, maybe even decades, either in the hope that he could do business with those individuals again in the future, or simply because he was too lazy to properly dispose of that information after he no longer needed it.

While something as simple (and often free) as encryption would have made that personal information completely safe from thieves, few small businesses have yet embraced this simple idea.

I’ve been saying for years that one of the biggest identity theft threats for consumers is the small businesses they deal with on a daily basis. I don’t want to be harsh on small business owners – I’ve been one for thirty years – but they’re running out of excuses. There are few small business owners today who have not heard about cybercrime and identity theft and who are not aware that they have a responsibility to protect their customer and employee information from these threats.

Yet there are also very few small business owners, in my experience, who are actually doing anything about it. The most common excuse I hear from small business owners is that they’re just too small for a hacker to bother with. This completely misses the point, because hackers usually work by doing large sweeps or trawls for victims, and are quickly able to identify those businesses that have gaping security holes.

And with identity theft often viewed as the new burglary, small business owners have just as much to fear from local petty criminals as they have from global cyber gangs, because information stolen in burglaries often ends up in the same place.

Which probably explains why the most recent study of data breaches, just published by Verizon’s security division, found that out of the 855 data breaches the company’s security team investigated last year, more than 600 of them were at small businesses. That tallies with a claim made last year by Visa that approximately 95% of its credit card breaches were at its smallest customers.

If any small business owner is still not convinced that hackers are targeting small businesses, the Verizon report also found that more than 80% of these breaches were as a result of the activity of hackers, and nearly 70% involved the use of malware.

To me there’s little doubt that the small business is squarely in the sights of hackers and cyber criminals around the world, and a single security incident at a small business could be its death knell. As public awareness grows about the danger of doing business with small businesses, worried consumers may take their business elsewhere.

And the inevitable result, if small business owners fail to take heed and responsibility, is that some form of legislation will be introduced to force small business owners to do the right thing.

If you are interested in reading the 2012 Verizon Data Breach Investigations Report, you can download a copy here.

Learn more about identity theft protection.

Keep informed about the latest threats to your safety. Join our Facebook group.

The facts about data breaches and what you can do to protect yourself

Wednesday, February 15th, 2012

It seems that not a day goes by when there is not a story about a major data breach in the news. And the reason for that is that in 2011, there were more than 400 major data breaches – more than 1 every day! In today’s article, Intersections’ Consumer Security Adviser, Neal O’Farrell breaks down the data breach and provides some helpful tips on what you can do to protect yourself should your records be compromised.

Ever wondered why there are so many data breaches and why they keep happening? In 2011 there were more than 420 reported data breaches, or an average of more than one every day. And some of these breaches exposed millions of personal and customer records. What’s more worrying is that in at least 80% of these breaches, Social Security numbers were exposed.

A security firm called Trustwave did an investigation of more than 300 data breaches and exposed some interesting statistics and trends that might help to explain why so many businesses keep losing our personal and private information:

• Personal customer records were the target of hackers in nearly 90% of the breaches.

• Surprisingly, the food and beverage industry made up the majority of investigated breaches (44%), followed by retailers at 33%. Normally the biggest targets for data breaches are educational institutions and healthcare, but in this report they only accounted for a combined 2% of investigated breaches.

• Also surprising was the focus by hackers on franchised businesses, where the local business is owned by individual business owners. More than a third of the breaches happened at franchised businesses.

• When malware was used in the attacks, it was detected by anti-malware software in just 12% of the attacks – suggesting the thieves are easily able to get past the most fundamental security defenses.

• But perhaps not that surprising is that the most common password being used by these breached organizations was “Password1”.

So how are the attackers breaching security so often and so easily? The report exposed another troubling trend – in more than three quarters of the breaches investigated the access point was traced to third parties, like suppliers, partners, and technology developers. This suggests that while an organization you do business with might be doing all it can to protect your personal information, all the hard work can easily be undone when the partners they rely on are not as focused on protecting you as they should be.

And in more than 80% of the breaches investigated, the biggest weakness identified was poor passwords. Weak passwords continue to be exploited by hackers and intruders, and in spite of endless education on the subject, for some reason employees continue to choose passwords that can be guessed or cracked in seconds. If the most common password found in these attacks was Password1 (it’s a default password that employees obviously couldn’t be bothered to change), it suggests that we shouldn’t give up on educating everyone about the need for stronger and smarter passwords.

And what fixes did the report recommend? The very first recommendation of their report was better user and employee education, saying “The best intrusion detection systems are neither security experts nor expensive technology, but employees. Security awareness education for employees can often be the first line of defense.”

What else can you do?

• Use this as a reminder to beef up your passwords. Imagine how you’d feel if your weak password was cracked by hackers and used to launch a costly attack on your workplace.

• Be vigilant and careful when paying at a fast-food restaurant. Security can be a big problem here because they have limited security, a high staff turnover, and often few background checks on employees. Consider using a credit card instead of debit card when paying at one of these establishments so you’re not giving hackers access to your bank account.

• Spread the word. If you believe in security, and the role each of us has to play in protecting our little corner of cyberspace, then share that idea with others. If each one of us were to change just a couple of our bad computing or financial habits, these crimes would be much harder to pull off.


4 top ways to lose your identity

Thursday, August 25th, 2011

In our post today, Intersections’ Consumer Security Adviser Neal O’Farrell shares the 4 top ways in which you can lose your identity.

A couple of weeks ago I was reading a blog in a well-known computer magazine where a retired police officer was discussing what in his experience were the top ways thieves can steal your identity. I was surprised to see at the top of the list things like skimming, dumpster diving, and Nigerian 419 scams.

Those are certainly ways you can lose your identity, but they’re far from the most common. And the Nigerian 419 scam isn’t identity theft at all, but simply a con job that preys on the gullible and the vulnerable.

I personally handle dozens of identity theft cases every month, and study hundreds of others. That experience has allowed me to see certain patterns about the types of identity theft we’re seeing, and those most likely to trap victims.

Stolen documents
Documents are the lifeblood of identity theft, and the more documentation thieves can get on their victims, the easier it is to commit the crime.

If you have any of these documents in your home (never, ever, leave these documents in your car), hide them well:

• Social Security cards
• Birth certificates
• Bank and credit card statements
• Pay stubs
• Any correspondence with the IRS or Social Security Administration
• Tax returns

I’ve seen a growing trend in the use of mobile ID theft labs, where thieves have everything in their cars or homes to immediately turn this type of stolen personal information into forged documents, fake checks, and brand new credit cards. In one recent case, an officer told me that when he arrested a mail thief he found more than 60 blank credit cards just waiting to be turned into brand new cards using the stolen information the thief would collect that day.

Mail theft
This continues to be one of the easiest ways to start the process of identity theft. And it’s fuelled in part by the uniquely American tradition of delivering mail to a publicly accessible curbside mailbox. That’s putting temptation right under the noses of thieves, and it’s such an easy opportunity few can resist. Mail thieves are looking for anything they can use or sell to other thieves, even just your name or address.

Mail theft has become such a lucrative business, a thief was recently charged with hiring two people to assault a mail carrier with a Taser so that they could steal the master key used to open those common area mail boxes.

Data breaches
While it’s not always easy to trace identity theft to data breaches, as consumers we can assume that many identity thefts are as a result of this growing crime.

The numbers don’t lie. Over the last five years there has been an average of one new data breach every single day, and as a result more than 500 million personal records have been exposed.

That has given thieves around the world a gold mine mixture of personal profiles, shopping and buying habits, personal family information, passwords, Social Security numbers, credit card numbers, home addresses, personal communications and email, corporate and employee information, health records and so much more.

It’s probably safe to assume that at least some of your personal information is in there somewhere, and thieves have so much of it in their possession it may take them some time to get around to you and yours. But only a matter of time.

Family, friends, and neighbors
The most tragic and upsetting type of crime is one committed by those you’d like to trust, and especially family, friends, neighbors, and co-workers. But I see a constant uptick in this type of crime and often with devastating consequences.

In one case a victim found that an identity thief had been using her identity for a decade, accumulating a long criminal history, multiple convictions, and endless frauds and unpaid bills. The victim was unable to get a driver’s license because the thief had so many driving convictions, and without a driver’s license the victim could no longer cash checks. Her Social Security payments were being diverted, and her disability payments stopped because the thief had been working using her Social Security number.

Turns out the thief was an old family friend, and as a gesture of kindness the victim’s mother had given the thief her daughter’s Social Security number in a good-faith effort to help the illegal immigrant obtain a job.

There are now so many ways that your identity can be stolen, it may be safe to assume that your information is already in circulation or in the hands of thieves. So your focus should be on monitoring your name and your credit around the clock so that you’ll get early warning when those thieves finally make it to you.

That doesn’t mean that you should stop protecting your information in the first place. Security is about creating multiple layers of protection around you, and those layers include prevention, monitoring and response. The more you know how to do these, the easier they become.

Want to learn more about identity theft protection and our credit monitoring services?


2011 already a great year for cyber crooks

Tuesday, August 16th, 2011

Intersections’ Consumer Security Adviser, Neal O’Farrell joins us again today with his take on the recent mid-year cybercrime report by the security firm Sophos. Enjoy, but be careful out there!

Hard to believe the year is already half over. Seems like only yesterday we were talking about a spike in identity theft over the Christmas holidays, and warning consumers to be extra vigilant as tax time approaches.

But it’s been such a busy year for scammers and hackers, it almost becomes a blur. To sort through the fog, security firm Sophos recently published their half year summary of threats and trends, and it should stand as a stark warning of the need to be constantly vigilant.

For example, Sophos claims that since the start of 2011 they have recorded an average of 150,000 new malware samples every single day. That works out to one piece of malicious software being discovered every single second, and a 60% increase over 2010.

Sophos has also identified an average of 19,000 new malicious URLs every single day in the first half of this year. That’s a stunning 4.5 new web threats detected every second. And, according to Sophos, 80% of those URLs are legitimate websites that were hacked or compromised by crooks.

The two top exploits favored by these crooks were fake anti-virus software and SEO poisoning – manipulating search engine results to drive users to malicious or infected web sites – and it might surprise you that the majority of these malware sites are hosted in the United States. The U.S. accounts for a whopping 37% of malware hosting web sites, while the next nearest culprit is Russia at just 13 percent.

There has also been a big change in the way people communicate, a change that now works even more in the favor of hackers. Sophos recorded a 59% decline in the use of email among 12-17 year olds, and a 34% decline in email use amongst 24-34 year olds. This is mainly due to a switch to texting and social networks as a way to communicate. And hackers love social networks because they make it much easier than email to launch more targeted and effective attacks. Hardly surprising that 81% of computer users surveyed by Sophos believe that Facebook presents the greatest security risk.

On the subject of social networking risks, Sophos also conducted a poll of nearly 2,000 people on their social media habits and worries. 71% reported that they, or one of their colleagues, had been spammed on a social networking site, 46% had been phished and 45% were sent malware.

“Social networking privacy issues have dominated the headlines in the first half of 2011. With most social networks, the default settings share everything and users have to reset their options to make their accounts more private. This opens up a host of security issues because so many people—both friends and not—have access to your information,” according to Sophos.

The report also highlighted a study by the FBI about how one cyber gang was able to dupe 1 million users into buying fake software, and could have made as much as $72 million from the scam. This is a problem for a lot of reasons. It means that not only were 1 million people duped into paying for something fake, they may also believe they have real virus protection on their computers when in reality they have no protection at all.

And that $72 million will be recycled by these gangs into even more sophisticated scams that will entrap even more victims and continue the cycle. Some of this money may even end up in the hands of terrorists who have the skills and resources to launch their own fake virus scams, or partner with organizations that can manage them on their behalf.

Links to videos that hide malware are also on the increase, especially on Facebook and Twitter. According to Sophos, nearly 69 million people have viewed the now-infamous YouTube music video Chocolate Rain, a clear sign that curiosity still trumps caution for most users.

The Mac is no longer a safe haven, and scammers are now firmly focusing on all things Apple to take advantage of the surge in use and adoption of Apple products, driven by the huge popularity of the iPhone and iPad. Apple’s success with these products obviously has a very dark side to it, and yet another reminder that wherever the crowds go, so will follow the crooks. You only have to look over your shoulder to spot one. But if you never bother looking, then don’t be surprised if you don’t spot the scam until it’s too late.


Today a hacker, tomorrow your new head of security

Thursday, July 14th, 2011

Intersections’ Consumer Security Adviser Neal O’Farrell joins us today with a fascinating look at hackers, hacktivism, and hacker collectives. Read on and enjoy!

As notorious hacker collective Lulz Security claims to be sailing off into the sunset, pursued and taunted by other hacker groups like the A-Team and Web Ninjas, many are wondering who will fire the next salvo in the hacker wars and who will be the next casualty.

And while many were surprised at how quickly Lulz appeared and disappeared, hacker collectives and hacktivists have been living, working, and hacking amongst us for nearly two decades. It’s now nearly ten years since I gave a hacker from notorious hacker collective Cult of the Dead Cow a plane ticket to attend the DEFCON hacker conference in Las Vegas and report back on his thoughts about the differences in thinking and culture between hackers and security professionals – at least those hired to protect.

Cult of the Dead Cow, also known as cDc, is credited with coining the word hacktivism. I was writing at the time for a publication called SearchSecurity.com and working on a story that compared the security skills of hackers to those of the security professional being paid to protect us.

cDc may have been the birthplace of the hacker collective, and that birthplace was a slaughterhouse in Texas in the mid-1980s. cDc eventually launched the careers of many of the world’s most famous and competent hackers, who interestingly enough eventually became some of the most respected and respectable security industry executives.

cDc had a simple goal and slogan at the time – Global Domination Through Media Saturation – and its activities ranged from hacking the Church of Scientology to distributing their own music. OK, they did a lot worse than that but we have only so much space.

Like many hacker collectives, cDc either spawned or embraced a number of other hacking groups, and some of its members went on to create other, equally notorious hacking groups.

For example, cDc hacker Mudge later launched L0pht, another high profile hacking collective active in the 1990s. Unlike many of today’s hackers, L0pht members were pretty much out in the open and even had their own Boston headquarters they hung out in. They famously testified before Congress that if they really wanted to they could take down the entire internet in less than 30 minutes.

And where are they now? Surprisingly legitimate and well respected. L0pht eventually merged with a security consultancy, @stake, which was later purchased by security firm Symantec. L0pht hacker “Weld Pond” is now Chief Technology Officer of a respected security company. “Kingpin,” whose real name is Joe Grand, now lives in San Francisco and hosted the Prototype This program on the Discovery Channel.

And whatever happened to Mudge? His real name is Peiter Zatko, and he later went on to serve as an adviser to President Bill Clinton on cyber security and now works for the U.S. Department of Defense Advanced Research Projects Agency (DARPA).

I’ve always maintained that most security professionals can easily be outsmarted by good or even average hackers. It’s not about competence, it’s more about culture. Hackers by their nature are usually more inquisitive and creative, less worried about failing, and of course don’t have corporate security rules or federal guidelines holding them back.

Will we ever see members of Lulz or Anonymous give up their rebellious ways and use their obvious security skills to protect the greater good? Will we ever see one of these hackers emerge as the head of security for a major corporation, the kind of security head these hacktivists say they despise?

Probably.


10 things you can do to avoid fallout from data breaches

Wednesday, June 22nd, 2011

Neal O’Farrell, Intersections’ Consumer Security Advisor, offers up his ten tips to help you steer clear of trouble in light of all the recent data breaches and hacks.

I’ve talked a lot about data breaches in the last few weeks, so maybe it’s time to move on and discuss something else. Or maybe not.

Because in just the last week we’ve seen a massive scaling up of these data breaches, and especially deliberate breaches by skilled hackers. Victims of these breaches range from the CIA and U.S. Senate to more than half a dozen gaming web sites and companies, and while there’s little you can do to prevent these breaches, there are some things you can do to avoid being ensnared in one. Or at least minimize the damage if you are.

1. Sign up for as little as possible. That’s one of the best ways to avoid being victimized by someone else’s mistake. The less information people have about you, and the fewer sites and businesses share it, the less they have to lose – about you.

2. Opt out as much as possible. Check your inbox. If you’re still getting a bunch of regular emails for things you signed up for in the past but don’t really use any more, then opt out or unsubscribe. It may not remove your information completely from that organization’s database, but it could certainly help.

3. Use a low risk and low balance credit card to make payments, and especially recurring payments. That way, if your credit card is compromised the damage won’t be too severe and you won’t have much work to do to fix it. Above all, NEVER use a debit card for online purchases.

4. If you’re offered free monitoring, take it and use it. Credit and identity monitoring are a great way to get early warning about the possible misuse of your information after a breach, so use it to its fullest.

5. If you’re not offered monitoring, demand it. After all, you probably deserve it. I sometimes feel badly for organizations that suffer a data breach and end up having to spend millions of dollars as a result. But it’s not your fault that they lost your data and put you at risk.

6. If you still don’t get free credit monitoring, either check your credit reports yourself, or better still, have Identity Guard watch your reports on your behalf.

7. Shields up. Every breach should be a reminder to you of the importance of vigilance. Use these moments (and it looks like there’ll be plenty of them) to watch out for any unusual activities on your credit reports, accounts, email, and even snail mail.

8. Change your passwords and use the moment to change your password habits. It makes sense that if your password is compromised in a data breach you would immediately change it, right? Lots of people do, but to just a slight variation of the password that was just compromised. Some people just like familiar passwords that they have a sentimental attachment to, but a breach is a great time to shake free of the personal connection and create a bulldog of a password that will defend you fearlessly.

9. Don’t use the same password for everything – because a number of recent data breaches found that many users use the same password for multiple web sites. A single password for multiple sites just makes it easier for hackers to create more havoc in your life.

10. Don’t stop thinking about tomorrow. It’s not just a great song, it’s a great rule. There will always be more breaches, and chances are a few dozen (or even a few thousand) are taking place right as I pen this blog. Make sure you have at least something of a plan in place so that as soon as a data breach hits the headlines, you’ll know your very next move.


Cybercrime in 2011 off to a roaring start

Wednesday, June 8th, 2011

The Daily Shield welcomes back Intersections’ Consumer Security Advisor Neal O’Farrell. Today, Neal writes about the disturbing uptick in cybercrime.

Every three months or so, security firm McAfee shares with the world all the trends uncovered and identified by its research labs.

The quarterly results rarely offer any good news, and unfortunately the first three months of 2011 are off to a very troubling start. Unless you’re a cybercriminal.

We went through McAfee’s most recent quarterly threat review and identified a dozen worrying trends you might want to be aware of:

1. There appeared to be a significant reduction in spam although research shows that many others are waiting in the wings to take its place. McAfee worries that the reduction is just as a result of a pause by global cyber gangs as they retool and upgrade their attacks.

2. Historically, Android has been ranked as the third most targeted mobile platform, but in the last three months it has jumped to the number 2 spot overall for mobile malware.

3. Mobile malware will continue to evolve in sophistication and functionality and at a much faster rate than the development of PC-based malware. Criminals are now using everything they’ve learned in developing PC-based malware and quickly adapting those lessons to anything mobile.

4. Hacktivism may be on the rise again, as exhibited by a number of high profile hacks like the Sony PlayStation Network, the Wikileaks saga, and the uprisings around the Arab world.

5. Malware just posted its busiest quarter in history. McAfee Labs identified more than six million unique types of malware in the last twelve weeks, the busiest quarter on record, and adding up to about 75 million different types of malware expected by the end of this year.

6. Fake anti-virus software seems to be on the rise again and password-stealing Trojans are demonstrating a consistent level of activity.

7. Search-term manipulation continues, with criminals taking advantage of vulnerabilities in search rankings to lead users to malicious sites. McAfee found that 49% of the daily search terms in the top 100 results lead to some kind of malicious web site.

8. McAfee identified a new password-stealing Trojan every day of the quarter.

9. Banking Trojans are now commonly being delivered by phishing emails that appear to come from UPS, FedEx, the IRS and NACHA.

10. McAfee identified an average of 8,600 new infected web sites every single day during the first three months of the year.

11. Over the last three months, McAfee uncovered an average of 2,500 new phishing sites every day. The most common brands used in phishing emails included Wells Fargo and Paypal.

12. The malicious exploit of Adobe products (more than 36,000 this quarter) topped the number of malicious exploits of Microsoft Office products by a wide margin.
