Archive for the ‘Phishing’ Category

Microsoft study reminds us that it’s the users, dummy

Wednesday, October 19th, 2011

Intersections’ Consumer Security Adviser Neal O’Farrell uncovers the secret contained in the recent 2011 Microsoft Intelligence Report. What’s the secret? It’s the user’s fault!

There are two schools of thought on the topic of consumer security awareness. One school suggests that all the malware and scams in circulation are far too advanced for consumers to understand and therefore prevent, and consumers should instead entirely trust technology to protect them. The most vocal proponents of that side of the argument are, not surprisingly, the companies that sell security technologies.

The other side of the house believes that consumer education, awareness, and vigilance are key to preventing or avoiding many, if not most, attacks. That’s the side of the argument I sit on, and so should you. Your vigilance, and your acceptance that you have significant responsibility for your own protection, are key to avoiding some of the most common attacks.

Think about it for a moment. Would phishing emails – the ones that pretend to be from your bank to try and trick you out of your password – even work if people just ignored them? Would infected email attachments work if users never opened them? And would passwords still be a weak link if people made them stronger?

There are so many examples of just how important user awareness, vigilance, and participation really are. And one of the key words is vigilance. Awareness is no longer enough, because I think it’s safe to assume that most consumers are aware that there are risks and that there are things they should and shouldn’t do.

But vigilance is about being aware at exactly the moment that counts – thinking security before you create or use a password, before you respond to an email, before you open an attachment, or before you visit a web site.

And there’s plenty of evidence out there of how a lack of awareness and vigilance is being exploited. A recent study by Microsoft found that nearly half of all malware Microsoft detected when it scanned more than 600 million computers used tricks on the user in order to succeed. With security firm Trend Micro reporting one new type of malware every half second, that’s a lot of focus on user exploitation.

The study also found that around 90% of all exploits targeted vulnerabilities that had been known about and patched for more than a year. Which probably means that most users are just forgetting to update their software – one of the easiest ways to protect yourself. In fact, although users are warned repeatedly about the need to update their browsers, Microsoft reports that nearly half of Internet Explorer users still use vulnerable, out-of-date browsers.

And if the security experts recognize this weakness, so do the bad guys. Cybercrooks across the world are experts at social engineering – creating tricks that consumers are likely to fall for. These crooks expect you to make the wrong choice, whether it’s forgetting to update your browser or security software, falling for phony emails or Facebook requests, or letting your curiosity overcome your caution.

They won’t waste a moment taking advantage of a mistake you can make in a split second. So their worst fear is that you take a moment – that you stop and think before you make a decision and use that pause to make the right decision instead of the wrong one. If you pause, think, and choose the other, safer path, you win and they’ve just wasted all that time and money.

Network World said what many others might want to. In a recent article on Microsoft’s report, they simply concluded “wise up stupid users!”

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.

Ten ways to protect your bank account from thieves

Wednesday, September 28th, 2011

There are news reports almost daily about how hackers are able to gain access to the bank accounts of innocent victims and rip off thousands and thousands of dollars. In today’s article, Intersections’ Consumer Security Adviser Neal O’Farrell explains what you need to do to keep your hard-earned money out of the hands of hackers and criminals. A must read!

The title of this article could just as easily have been “How to make half a million bucks a month from the comfort of your computer.” I was reading recently about how a twenty-something hacker from Russia managed to steal more than $3.2 million in just six months simply by pushing out malware designed to sneak on to unprotected computers, steal banking passwords, and empty bank accounts. His efforts paid off to the tune of around $17,000 a day, give or take.

The hacker goes by the nickname Soldier, and according to research by security firm Trend Micro, he managed to infect more than 25,000 computers in the three months leading up to June of this year using a malware toolkit that is freely available on the internet.

His success at infecting so many computers and making so much money in such a short timeframe should be a warning to every consumer to be ever vigilant when it comes to online banking. Soldier is only one of probably thousands of hackers using the same or similar crime kits to plunder online bank accounts.

So if you want to avoid being Soldier’s next victim, here are some simple tips to beef up your defenses.

1. Lock down your computer. Every computer should be protected by multiple layers of security, including anti-virus and other malware protection, encryption to protect your data, browser security to steer you away from malicious web sites etc.

2. Beef up your passwords. Weak passwords are your worst enemy – make them strong, random, and original. No sense in creating one strong password and then using it for every web site you know.

3. Sign up for alerts. Most financial institutions provide email or text alerts when certain things happen with your account – a transfer is attempted, an ATM withdrawal is made, or a check more than a certain amount is presented. Sign up for these alerts because they can be your earliest warning that something’s not right.

4. Be very careful with the apps you use. Apps are great, especially if they’re free. But apps are the wild west of security, with little control over who makes and sells them, and how securely the code is written. So use as few apps as you need and only from trusted sources.

5. Think twice about mobile banking. While banking from your smart phone sounds like a great idea, it’s still in its infancy and new security holes are being discovered daily. If you’re not completely confident about the security of your smartphone, stick to doing your online banking from a computer you do trust. Or at least trust a little more.

6. Don’t access your bank account over a public Wi-Fi network. It’s very easy to snoop on any computers using Wi-Fi networks in places like coffee shops and hotels. So much better to wait until you get home before checking your balances or paying bills.

7. Limit access to your computer. The fewer people who have access to your computer, the less risk you have of compromise. So it might be smart to ban family members from using the computer you use to bank online. That way, you won’t be at risk from their mistakes or bad habits.

8. Consider using a separate computer just for online banking. That’s the advice of the security expert who discovered the first banking Trojan a couple of years ago. If you use a separate computer just for online banking, you reduce the risk of malware sneaking on to your computer through drive-by downloads, infected attachments etc.

9. Use a keylogger prevention system, like PRIVACYPROTECT® which comes free with your IDENTITY GUARD® TOTAL PROTECTION(SM) membership, to protect your passwords from being snooped upon. Keyloggers are able to sniff and steal logins and passwords by monitoring what you type on your keyboard, but products like ID Vault allow you to bypass the keyboard and enter your login credentials using a virtual keyboard instead.

10. Take Facebook security very seriously. It’s not only an easy way for thieves to deliver the kind of malware that can steal your bank account login and password, it’s also a great way for thieves to find the answers to the most common “secret” questions – like the city where you were born, your first pet, your favorite teacher, and your mother’s maiden name.


2011 already a great year for cyber crooks

Tuesday, August 16th, 2011

Intersections’ Consumer Security Adviser, Neal O’Farrell, joins us again today with his take on the recent mid-year cybercrime report by the security firm Sophos. Enjoy, but be careful out there!

Hard to believe the year is already half over. Seems like only yesterday we were talking about a spike in identity theft over the Christmas holidays, and warning consumers to be extra vigilant as tax time approaches.

But it’s been such a busy year for scammers and hackers, it almost becomes a blur. To sort through the fog, security firm Sophos recently published their half year summary of threats and trends, and it should stand as a stark warning of the need to be constantly vigilant.

For example, Sophos claims that since the start of 2011 they have recorded an average of 150,000 new malware samples every single day. That works out to one piece of malicious software being discovered every single second, and a 60% increase over 2010.

Sophos has also identified an average of 19,000 new malicious URLs each single day in the first half of this year. That’s a stunning 4.5 new web threats detected every second. And, according to Sophos, 80% of those URLs are legitimate websites that were hacked or compromised by crooks.

The two top exploits favored by these crooks were fake anti-virus software and SEO poisoning – manipulating search engine results to drive users to malicious or infected web sites – and it might surprise you that the majority of these malware sites are hosted in the United States. The U.S. accounts for a whopping 37% of malware hosting web sites, while the next nearest culprit is Russia at just 13 percent.

There has also been a big change in the way people communicate, a change that now works even more in the favor of hackers. Sophos recorded a 59% decline in the use of email among 12-17 year olds, and a 34% decline in email use amongst 24-34 year olds. This is mainly due to a switch to texting and social networks as a way to communicate. And hackers love social networks because they make it much easier than email to launch more targeted and effective attacks. Hardly surprising that 81% of computer users surveyed by Sophos believe that Facebook presents the greatest security risk.

On the subject of social networking risks, Sophos also conducted a poll of nearly 2,000 people on their social media habits and worries. 71% reported that they, or one of their colleagues, had been spammed on a social networking site, 46% had been phished and 45% were sent malware.

“Social networking privacy issues have dominated the headlines in the first half of 2011. With most social networks, the default settings share everything and users have to reset their options to make their accounts more private. This opens up a host of security issues because so many people—both friends and not—have access to your information,” according to Sophos.

The report also highlighted a study by the FBI about how one cyber gang was able to dupe 1 million users into buying fake software, and could have made as much as $72 million from the scam. This is a problem for a lot of reasons. It means that not only were 1 million people duped into paying for something fake, they may also believe they have real virus protection on their computers when in reality they have no protection at all.

And that $72 million will be recycled by these gangs into even more sophisticated scams that will entrap even more victims and continue the cycle. Some of this money may even end up in the hands of terrorists who have the skills and resources to launch their own fake virus scams, or partner with organizations that can manage them on their behalf.

Links to videos that hide malware are also on the increase, especially on Facebook and Twitter. According to Sophos, nearly 69 million people have viewed the now-infamous YouTube music video Chocolate Rain, a clear sign that curiosity still trumps caution for most users.

The Mac is no longer a safe haven, and scammers are now firmly focusing on all things Apple to take advantage of the surge in use and adoption of Apple products, driven by the huge popularity of the iPhone and iPad. Apple’s success with these products obviously has a very dark side to it, and yet another reminder that wherever the crowds go, so will follow the crooks. You only have to look over your shoulder to spot one. But if you never bother looking, then don’t be surprised if you don’t spot the scam until it’s too late.


Phishing still going strong

Wednesday, August 10th, 2011

Neal O’Farrell, Intersections’ Consumer Security Adviser, provides the first in a series of security updates for you. Be careful out there!

SC Magazine recently issued a warning about a new approach to phishing that could result in more people falling for a scam that is now more than a decade old. Instead of trying to lure people into clicking on an infected link by pretending to be a bank looking to verify a password, the email pretends to be from a system administrator or other insider and warns the user that their mailbox is full.

Here’s the text of the message:

“Your Mailbox Has Exceeded It Storage Limit As Set By Your Administrator, And You Will Not Be Able To Receive New Mails Until You Re-Validate It. To Re-Validate – > Click Here: [] Note: Do not send email or Password to any one via email. System Administrator.”

It’s a simple but clever tactic. Clever in that it uses a phishing lure that is not often used, so users won’t necessarily have their guard up. And who hasn’t received some kind of email from their IT department warning about an email or other technical issue? The “Click here” part could be anything from the download of some malware, to redirection to a fake page where the thief grabs your email and password.

This is a clear sign that scammers recognize how much better users are at recognizing the traditional, badly-written bank password phishing emails that have now been circulating for years. The time may not be far off when those phishing emails are a rarity, and instead we all have to be much more vigilant for phishing emails that are much harder to spot.

And people are still falling for these scams. A very active phisher who was caught last year just received a 12-year sentence. The resident of Long Beach in California had created a network of fake financial web sites that he lured users to using phishing emails.

He then sold the stolen information, including logins and passwords, to criminals in Romania. These individuals used the stolen identities to set up instant lines of credit, and in less than eight weeks stole an estimated $193,000. More troubling was the fact that nearly 38,000 victims fell for the scam.


Today a hacker, tomorrow your new head of security

Thursday, July 14th, 2011

Intersections’ Consumer Security Adviser Neal O’Farrell joins us today with a fascinating look at hackers, hacktivism, and hacker collectives. Read on and enjoy!

As notorious hacker collective Lulz Security claims to be sailing off into the sunset, pursued and taunted by other hacker groups like the A-Team and Web Ninjas, many are wondering who will fire the next salvo in the hacker wars and who will be the next casualty.

And while many were surprised at how quickly Lulz appeared and disappeared, hacker collectives and hacktivists have been living, working, and hacking amongst us for nearly two decades. It’s now nearly ten years since I gave a hacker from notorious hacker collective Cult of the Dead Cow a plane ticket to attend the DEFCON hacker conference in Las Vegas and report back on his thoughts about the differences in thinking and culture between hackers and security professionals – at least those hired to protect.

Cult of the Dead Cow, also known as cDc, is credited with coining the word hacktivism. I was writing at the time for a publication called SearchSecurity.com and working on a story that compared the security skills of hackers to those of the security professional being paid to protect us.

cDc may have been the birthplace of the hacker collective, and that birthplace was a slaughterhouse in Texas in the mid-1980s. cDc eventually launched the careers of many of the world’s most famous and competent hackers, who interestingly enough eventually became some of the most respected and respectable security industry executives.

cDc had a simple goal and slogan at the time – Global Domination Through Media Saturation – and its activities ranged from hacking the Church of Scientology to distributing their own music. OK, they did a lot worse than that but we have only so much space.

Like many hacker collectives, cDc either spawned or embraced a number of other hacking groups, and some of its members went on to create other, equally notorious hacking groups.

For example, cDc hacker Mudge later launched L0pht, another high profile hacking collective active in the 1990s. Unlike many of today’s hackers, L0pht members were pretty much out in the open and even had their own Boston headquarters they hung out in. They famously testified before Congress that if they really wanted to they could take down the entire internet in less than 30 minutes.

And where are they now? Surprisingly legitimate and well respected. L0pht eventually merged with a security consultancy, @stake, which was later purchased by security firm Symantec. L0pht hacker “Weld Pond” is now Chief Technology Officer of a respected security company. “Kingpin,” whose real name is Joe Grand, now lives in San Francisco and hosted the Prototype This program on the Discovery Channel.

And whatever happened to Mudge? His real name is Peiter Zatko, who later went on to serve as an adviser to President Bill Clinton on cyber security and now works for the U.S. Department of Defense Advanced Research Projects Agency (DARPA).

I’ve always maintained that most security professionals can easily be outsmarted by good or even average hackers. It’s not about competence, it’s more about culture. Hackers by their nature are usually more inquisitive and creative, less worried about failing, and of course don’t have corporate security rules or federal guidelines holding them back.

Will we ever see members of Lulz or Anonymous give up their rebellious ways and use their obvious security skills to protect the greater good? Will we ever see one of these hackers emerge as the head of security for a major corporation, the kind of security head these hacktivists say they despise?

Probably.


10 easy ways to fall victim to identity theft

Wednesday, June 29th, 2011

Unfortunately, there is a lot of consumer apathy about the topic of identity theft and credit fraud. So, Neal O’Farrell, Intersections’ Consumer Security Adviser, is back today with his ten tips that are guaranteed to make you an easy mark for identity theft.

Continue to believe that it can’t happen to you

Apathy is the biggest enemy, whether it’s towards your health, wealth, or security. If you don’t take security seriously, refuse to accept that you could fall victim to identity theft, and fail to take responsibility for your own security, you stand a much greater chance of being victimized.

Assume zero liability means you have nothing to lose

Zero liability has given many consumers a very false sense of security, and the belief that if identity theft costs them nothing, they have nothing to worry about. But zero liability does not mean zero risk, zero responsibility, or zero loss. Zero liability won’t cover your costs, the emotional harm, time off work, or damage to your credit.

And just because your bank or credit card company says you won’t be on the hook for credit fraud losses, that doesn’t mean you won’t fall victim and face losses. Zero liability can be discretionary, and in many cases financial institutions can take weeks and often months before they return any lost funds or wipe away any debts. And when it comes to compromised bank accounts, small business owners don’t enjoy zero liability at all.

Don’t monitor your credit, or watch it constantly

If you’re not watching your credit reports like a hawk, you’re unlikely to spot the tell-tale signs that someone is trying to steal your identity. It could start with a number of applications for new credit, which can be accepted or declined. A determined thief will keep trying, and if you are not watchful, a simple fraud attempt could easily turn into a more serious identity theft.

Surf where and how you like

So many identity thefts are now being triggered by malware that lies in wait on infected web sites. With so many legitimate web sites now believed to be infected with malware, you need to be ultra cautious where you surf, what you click on, and what you download. If you don’t, you increase the chance that very nasty malware will work its way on to your computer, steal your information, and hijack your identity.

Talk too much, especially on Facebook

Another sure-fire way to lose your identity is blabbing too much. Facebook has become a haven for identity thieves looking for all that personal information that they need to steal your identity and that you might be giving away free. Things like family background and history (your mother’s maiden name), where you were born, where you went to school, where you work and worked, and your date of birth – all of immense value to thieves. Here’s a great article to help keep you safe – Ten Privacy Settings Every Facebook User Should Know.

Get careless with your password

A number of recent high profile attacks have exposed a number of things we’ve known all along – that most users still use very weak and easy to crack passwords, and they use the same passwords for multiple web sites. So if a hacker gets your password in an attack on one site, they could do a lot more damage.

Trust too much, especially when it comes to email

Phishing continues to be a major threat, and getting more sophisticated every day. If you’re not aware of what phishing is, can’t recognize the tell-tale signs of a phishing attempt, and don’t know how to respond (or not respond), you stand a much greater chance of being hooked by “phishy” bait. If you aren’t sure, the Anti-Phishing Working Group has compiled a list of recommendations to help you avoid this type of scam.

Don’t properly protect your credit cards and accounts

Just like with your credit reports, if you’re not watching your bank account and credit card statements constantly and carefully, you won’t spot any signs that your account is being tapped or dripped, or those small test transactions thieves will often use to test your vigilance before launching a major assault.

Don’t manage your personal information properly

A very easy way to fall victim to identity theft is to not protect your paperwork and possessions. That includes failing to hide personal documentation in the home (especially financial statements, tax returns, and anything with your Social Security number on it), failing to protect personal documents at work or when travelling, and not protecting your mail.

Don’t Think Security First

The key to staying off the radar and out of the traps of thieves is to think security first. That means constant vigilance – don’t worry, it eventually becomes second nature – so that you think about security before you click on an attachment and not afterwards, think about security before you create or use a password, think about checking your credit reports before you find out there’s something wrong, and so on.


Cybercrime in 2011 off to a roaring start

Wednesday, June 8th, 2011

The Daily Shield welcomes back Intersections’ Consumer Security Advisor Neal O’Farrell. Today, Neal writes about the disturbing uptick in cybercrime.

Every three months or so, security firm McAfee shares with the world all the trends uncovered and identified by its research labs.

The quarterly results rarely offer any good news, and unfortunately the first three months of 2011 are off to a very troubling start. Unless you’re a cybercriminal.

We went through McAfee’s most recent quarterly threat review and identified a dozen worrying trends you might want to be aware of:

1. There appeared to be a significant reduction in spam, although research shows that many others are waiting in the wings to take its place. McAfee worries that the reduction is just the result of a pause by global cyber gangs as they retool and upgrade their attacks.

2. Historically, Android has been ranked as the third most targeted mobile platform, but in the last three months it has jumped to the number 2 spot overall for mobile malware.

3. Mobile malware will continue to evolve in sophistication and functionality and at a much faster rate than the development of PC-based malware. Criminals are now using everything they’ve learned in developing PC-based malware and quickly adapting those lessons to anything mobile.

4. Hacktivism may be on the rise again, as exhibited by a number of high profile hacks like the Sony PlayStation Network, the Wikileaks saga, and the uprisings around the Arab world.

5. Malware just posted its busiest quarter in history. McAfee Labs identified more than six million unique types of malware in the last twelve weeks, the busiest quarter on record, and adding up to about 75 million different types of malware expected by the end of this year.

6. Fake anti-virus software seems to be on the rise again and password-stealing Trojans are demonstrating a consistent level of activity.

7. Search-term manipulation continues, with criminals taking advantage of vulnerabilities in search rankings to lead users to malicious sites. McAfee found that 49% of the daily search terms in the top 100 results lead to some kind of malicious web site.

8. McAfee identified a new password-stealing Trojan every day of the quarter.

9. Banking Trojans are now commonly being delivered by phishing emails purporting to be from UPS and FedEx, the IRS and NACHA.

10. McAfee identified an average of 8,600 new infected web sites every single day during the first three months of the year.

11. Over the last three months, McAfee uncovered an average of 2,500 new phishing sites every day. The most common brands used in phishing emails included Wells Fargo and Paypal.

12. The malicious exploit of Adobe products (more than 36,000 this quarter) topped the number of malicious exploits of Microsoft Office products by a wide margin.


White House proposes new data breach policy, but is it enough?

Wednesday, May 18th, 2011

Intersections’ Consumer Security Advisor Neal O’Farrell shares his thoughts on the recent cyber security plan proposed by the White House.

In an effort to stem the seemingly endless flow of data breaches exposing personal information to thieves and other risks, the White House is floating a cyber security plan that includes a new Federal standard for how a breached organization or business should respond. And while almost every state in the nation already has some sort of data breach law, this is the first time that a single, federal law has been proposed.

Here are some of the highlights:

• Under the proposed legislation, a breach would be defined as a “compromise of the security, confidentiality or integrity of, or the loss of, computerized data” that results in “unauthorized acquisition of sensitive personally identifiable information or access to that information that is for an unauthorized purpose.”

• Any organization, for profit or not-for-profit, is covered by the legislation if it collects or stores personal information on more than 10,000 individuals over a 12-month period.

• Any breach discovered must be reported to the Federal Trade Commission within 60 days of discovery, but breached organizations can be granted an extra 30 days.

• Healthcare organizations would not be covered because they are already covered by pretty comprehensive data breach legislation.

• Some organizations could be completely off the hook in the event of a data breach. For example if the organization conducted a risk assessment that concluded there would be no harm done to the individuals whose information had been exposed or stolen; or if the information had been protected in such a way, like encryption, that it would be of no use to the thieves.

• Civil penalties would be capped at a very low $1 million.

• Data covered by the legislation includes the obvious, like names, addresses, account numbers, passwords and Social Security numbers, but doesn’t seem to include email addresses.

Now while this legislation so far is just a proposal and could be altered, it does seem to be a very weak response to a major security problem.

For example:

• Capping civil penalties at $1 million seems too generous to the offending organizations and does not really punish the most egregious of breaches.

• While the legislation requires that a breached organization must notify the credit bureaus, there’s no mention of whether they must identify to the bureaus which consumers have been affected and what the bureaus should do. So I assume the bureaus will do nothing.

• Because there’s no mention of email addresses as sensitive data, it could mean that some of the biggest data breaches, like the recent Epsilon breach that exposed tens of millions of email addresses, would not be covered by the legislation.

• Up to 90 days to first notify the public seems too long. I understand the need for breached entities to learn as much as possible about the breach but they could easily make a “qualified” early announcement. The legislation should incorporate that.

• There’s no free credit monitoring provision, which means that’s entirely at the discretion of the breached entity. There’s also no education provision and no long term support provisions. We know that many thieves will hang on to data for months after the event, waiting for the fuss and attention to pass. That leaves victims on their own when the thieves finally try to launch their “liquidity event” and cash in the stolen data.

• And I can see all kinds of problems, delays, and even deceit over the ways organizations determine whether the exposed or stolen data can harm victims. Shouldn’t victims have a say in that determination?

In summary, I think the White House is obviously seeking to create a clearer and more defined way for breached entities to respond, but so far they seem to be letting these organizations off way too easy. We’ll see if they change their minds, or maybe read this blog post.

Note: Read what other security experts say about the proposed Federal data breach policy in this article on BankInfoSecurity.com.

Want to learn more about identity theft and fraud protection?

Keep informed about the latest threats to your safety. Join our Facebook group.

More thoughts on the Sony PlayStation data breach

Tuesday, May 10th, 2011

According to a report today in the Wall Street Journal, Sony Corp. said it is unable to say when it can restore partial service to its PlayStation Network online game system, likely adding to pressure from already frustrated customers who have been subjected to stolen personal data as well as missed deadlines for resumption.

The article goes on to say that “the electronics company stuck with its earlier goal of fully restoring the service by the end of the month. But the company said Tuesday that it does not yet have any new deadline for partial resumption, after missing an earlier deadline. Sony said May 1 it aimed to resume some of the PlayStation Network and Qriocity online services within a week.”

With that in mind, the Daily Shield is pleased to welcome back Intersections’ Consumer Security Advisor, Neal O’Farrell to share his additional thoughts on what some people are calling “the most costly data breach in history.”

No sooner had Sony done a major global mea culpa over its massive PlayStation data breach that exposed the personal information of more than 77 million of its customers than it quickly followed with a “mea gulpa” announcement that the completely separate Sony Online Entertainment network had also lost more than 25 million additional customer accounts to a breach by hackers.

In an interview with the Christian Science Monitor, Larry Ponemon, founder of the research organization the Ponemon Institute that tracks the cost of data breaches, estimated that this breach alone could represent “the mother of all data breaches” and could end up costing Sony up to $2 billion. He added “In this mobile connected world, everything is connected. Today it’s our PlayStation, tomorrow it might be our refrigerator or our washing machine.”

Naturally there’s been a lot of talk in the past few weeks about this and all the other breaches now announced almost daily. Specifically the conversations have centered on what more we can do to prevent these data breaches in the first place, and if they really make any difference to victims and consumers anyway.

The sad reality is that most businesses are not as scared of data breaches as they used to be. Sure, they’re an embarrassment, and can end up costing them a lot of money. And they can do a great deal of harm to some businesses, especially in the short term.

But I detect a growing apathy to data breaches amongst consumers – I call it breach fatigue – and I believe that many businesses are sensing this fatigue and as a result are worrying less about the long term damage. It’s not unusual when a breach happens for the business involved to batten down the hatches, disappear into the bunkers, and leave their PR teams to deflect any questions or criticisms. After a week or two, the fuss has died down, the storm has passed, and executives can emerge from the bunkers.

We need to prevent this slide into indifference before it becomes the norm, and over the coming days and weeks I’ll be sharing some ideas that I think might make a difference.

For example, I think it’s time we considered creating a breach classification system. Just like a hurricane or earthquake classification, data breaches could be classified by severity to make it easier for consumers to understand how worried they should be about a particular breach.

For example, the lowest level of breach could be a Category 1 and assigned to a breach that involves only a handful of records and the least dangerous information, like a name. This could increase to a maximum Category 5, like the Sony breach, where millions of records are exposed and the data involved includes the most sensitive, like account information, credit cards, and Social Security numbers.

I think a classification system like this might at least make it easier to communicate to confused consumers just how serious a particular breach is, so they can focus on the most serious breaches and not worry so much about the ones that can do them the least harm.

There are obviously challenges to creating such a system, like who would assign the classification and how quickly a breach could be classified in a way that would be useful to consumers. But with data breaches now a daily occurrence, we must find ways to stem the apathy.


Internet Security Threats

Thursday, April 28th, 2011

The Daily Shield once again welcomes Neal O’Farrell, Intersections Consumer Security Advisor. In today’s article, Neal updates us on a recent report released by Symantec outlining the latest Internet security threats.

We’re already a third of the way through this year, and while cybercrime and identity theft show no real sign of abating, last year was so bad we’re still trying to get a clear picture.

Earlier this month, security firm Symantec did provide some clarity when it published the latest volume of its Internet Security Threat Report, which gives an in-depth view of exactly what the bad guys were up to last year, and maybe of what that tells us about this year and next.

There is so much troubling news in the report that I thought it might be easier to highlight a dozen or so of the most important conclusions, so here goes.

1. Symantec identified more than 286 million new threats in 2010, including scams, malware, and new exploits and attacks.

2. The company saw dramatic increases in both the frequency and sophistication of targeted attacks on businesses of all sizes.

3. Social networking sites as well as mobile devices were favorite targets for hackers.

4. In 2010, attackers launched targeted attacks against a surprising number of smaller companies.

5. In many cases, the attackers researched key victims within each business and then tailored their attacks to access company networks.

6. Due to their targeted nature, many of these attacks succeeded even when victim organizations had basic security measures in place.

7. Data breaches caused by hacking resulted in an average of more than 260,000 identities exposed per breach in 2010, nearly quadruple that of any other cause.

8. One of the primary attack techniques used on social networking sites involved the use of shortened URLs. In 2010, Symantec found that 65% of malicious links in news feeds on places like Facebook used shortened URLs. Of these, 73% were clicked 11 times or more, with 33% receiving between 11 and 50 clicks.

9. Most malware attacks in 2010 against mobile devices took the form of Trojan horse programs posing as legitimate applications.

10. Symantec documented 163 vulnerabilities during 2010 that could be used by attackers to gain partial or complete control over devices running popular mobile platforms.

11. The price of bots on the cybercrime underground has gone as low as $15 for 10,000 bots. Bots are compromised computers that can be linked together to steal identities, share and hide stolen data and pornography, and attack other computers. Once under the control of “bot herders”, these compromised computers are rented out to other criminals.

12. In the same underground economy, stolen credit cards fetch anywhere from as much as $100 each to as little as seven cents. It all depends on how much supporting information is included (like names and addresses), the fund limits and balances available on the stolen accounts, and whether the criminal buyers purchase in bulk.

The report was published at just about the same time that a 26-year-old hacker from Lithonia, Georgia admitted to a variety of identity theft charges after he was arrested in possession of a staggering 670,000 stolen credit card records.

The thief admitted that he was able to steal half of those cards from hacking into just one company, and was only caught after the Secret Service bought some of the stolen cards from him in a sting. According to financial institutions, the cards in his possession had already been used to scam more than $36 million from consumers, banks, and credit card companies.
