Posts Tagged ‘cybercrime’

The facts about data breaches and what you can do to protect yourself

Wednesday, February 15th, 2012

It seems that not a day goes by when there is not a story about a major data breach in the news. And the reason for that is that in 2011, there were more than 400 major data breaches – more than 1 every day! In today’s article, Intersections’ Consumer Security Adviser, Neal O’Farrell, breaks down the data breach and provides some helpful tips on what you can do to protect yourself should your records be compromised.

Ever wondered why there are so many data breaches and why they keep happening? In 2011 there were more than 420 reported data breaches, or an average of more than one every day. And some of these breaches exposed millions of personal and customer records. What’s more worrying is that in at least 80% of these breaches, Social Security numbers were exposed.

A security firm called Trustwave did an investigation of more than 300 data breaches and exposed some interesting statistics and trends that might help to explain why so many businesses keep losing our personal and private information:

• Personal customer records were the target of hackers in nearly 90% of the breaches.

• Surprisingly, the food and beverage industry made up the majority of investigated breaches (44%), followed by retailers at 33%. Normally the biggest targets for data breaches are educational institutions and healthcare, but in this report they accounted for only a combined 2% of investigated breaches.

• Also surprising was the focus by hackers on franchised businesses, where the local business is owned by individual business owners. More than a third of the breaches happened at franchised businesses.

• When malware was used in the attacks, it was detected by anti-malware software in just 12% of the attacks – suggesting the thieves are easily able to get past the most fundamental security defenses.

• But perhaps not that surprising is that the most common password being used by these breached organizations was “Password1”.

So how are the attackers breaching security so often and so easily? The report exposed another troubling trend – in more than three quarters of the breaches investigated the access point was traced to third parties, like suppliers, partners, and technology developers. This suggests that while an organization you do business with might be doing all it can to protect your personal information, all the hard work can easily be undone when the partners they rely on are not as focused on protecting you as they should be.

And in more than 80% of the breaches investigated, the biggest weakness identified was poor passwords. Weak passwords continue to be exploited by hackers and intruders, and in spite of endless education on the subject, for some reason employees continue to choose passwords that can be guessed or cracked in seconds. If the most common password found in these attacks was Password1 (it’s a default password that employees obviously couldn’t be bothered to change), it suggests that we shouldn’t give up on educating everyone about the need for stronger and smarter passwords.

And what fixes did the report recommend? The very first recommendation of their report was better user and employee education, saying “The best intrusion detection systems are neither security experts nor expensive technology, but employees. Security awareness education for employees can often be the first line of defense.”

What else can you do?

• Use this as a reminder to beef up your passwords. Imagine how you’d feel if your weak password was cracked by hackers and used to launch a costly attack on your workplace?

• Be vigilant and careful when paying at a fast-food restaurant. Security can be a big problem here because they have limited security, a high staff turnover, and often few background checks on employees. Consider using a credit card instead of debit card when paying at one of these establishments so you’re not giving hackers access to your bank account.

• Spread the word. If you believe in security, and the role each of us has to play in protecting our little corner of cyberspace, then share that idea with others. If each one of us were to change just a couple of our bad computing or financial habits, these crimes would be much harder to pull off.

Learn more about identity theft protection.

Keep informed about the latest threats to your safety. Join our Facebook group.

2012 security predictions

Wednesday, December 21st, 2011

It’s that time of the year when we get to polish our crystal ball and take a look at what might happen in 2012. Intersections’ Consumer Security Adviser and master predictor of all things security, Neal O’Farrell, dusts off his magic wand, adjusts his turban and takes a peek into the future with his 2012 security predictions.

Christmas is a time for tradition, and in the security world one of those traditions is predicting what’s in store for us next year from hackers, scammers and all the other things that go bump on the net.

Perhaps the best way to summarize next year’s threats is more of the same, and here are just a few of my predictions:

• More friends and family fraud, as continued economic hard times force otherwise honest individuals to exploit family credit to pay bills.

• An increase in existing account fraud as financial institutions get better at preventing new account fraud and force thieves to focus on low hanging fruit.

• An increase in child identity theft as thieves become more aware of how hard it is to stop it, and a similar increase in elder financial exploitation as social services for the elderly are cut back.

• An increase in skimming, especially in supermarkets, as thieves rush to take advantage of this vulnerability before chip-and-pin is more widely adopted and makes skimming more difficult.

• A shift from street-level drug dealing to identity theft. This is a worrying trend because it could fuel the growth in identity theft for another decade. The recent Operation Rainmaker in Florida, where local drug dealers joined forces to learn about identity theft and defraud the IRS out of more than $130 million using stolen identities, is a perfect example of this trend.

• A growth in super thieves – low level thieves, like those involved in mail theft or check washing – who are never arrested or investigated, stay off law enforcement’s radar, and only become better, more sophisticated, and able to steal larger amounts without being caught. They take advantage of the fact that law enforcement has largely given up on identity theft.

• An increase in attacks against small businesses because of the wealth of identity information they possess with little protection.

• An increase in tax-related identity theft, as crooks realize how lax IRS security controls are and how easy it is to get a refund using a stolen or “deceased” identity.

• An increase in identity theft malware, especially banking Trojans, keyloggers, and Android malware.

• An increase in legislation to protect consumers, and especially data breach legislation.

• Lots of opportunities for hackers to poison search results and take advantage of some big events next year, especially the 2012 Olympic Games starting in July in London, and of course the Presidential election. Both events will provide hackers and scammers with endless opportunities to trick unwary users into falling for some scam or another.

• More hacktivism, but much of it by copycat hackers rather than by the original Anonymous or Lulz crew.

• More infrastructure attacks, targeted at everything from power stations to water treatment plants. Most of the attacks will be probes to test the resilience of these systems to attack.

Want to learn more about identity theft protection and our credit monitoring services?


In matters of security, is a small credit union a safer bet than a large bank?

Wednesday, November 16th, 2011

In today’s post, Intersections’ Consumer Security Adviser Neal O’Farrell examines the issue of bank security. Are you safer with a small credit union or community bank? That’s a question that’s increasingly being asked by consumers around the country who are considering moving their bank accounts from a large bank to a smaller credit union or community bank.

According to a recent article in CUInfosecurity.com, risk is the top concern as consumers consider moving their accounts from larger banks to credit unions or community banks. The article points out that at least 650,000 Americans have switched to credit unions since Sept. 29, 54 percent of credit unions have reported increases in share growth, and one of the largest credit unions said its new members and checking-account openings are up 70 percent for the months of September and October.

And credit unions aren’t alone. The same article pointed to a recent poll by the Independent Community Bankers of America which found that 60 percent of community banks had picked up new customers as a result of frustrations associated with larger banks.

If you are thinking of switching from a larger financial institution, or from a bank to a credit union, security should always be a concern. Once you’ve done a side-by-side comparison on key features like account fees and features, loan and credit card interest rates, ATM locations and fees, and customer service, it’s time to think about security.

There is a concern that many smaller financial institutions are still struggling financially, and may not have enough of a security budget to match that of a larger institution. And if they’re lucky enough to be swamped by new customers, will their security budget and preparedness be able to keep pace?

Those are the most common security questions. Can a credit union really protect me – not just my money but all my personal information too? How good and quick are they at detecting a security breach and notifying me? How quickly can they resolve a security issue or fraud? And will my money be any safer there than at a large bank?

Credit unions have long argued that history shows they suffer from fewer attacks than larger banks. Experts on the other hand have argued that’s only because of their small size. It’s like the Windows vs. Apple argument – Apple users claim Apple products have suffered from fewer attacks because they have better security built in, whereas experts argue it’s just about economics. Hackers and malware writers simply ignored Apple for years because it had so few users compared to Microsoft. Writing code to target Apple products just wasn’t economically viable – just not worth the time.

But as the popularity of Apple products has surged, thanks to iPhone and iPad, we suddenly started to see “Mac Malware” emerge and the malware authors just followed the crowds.

That’s what I expect if there’s a major shift from larger banks to smaller and more local banks and credit unions. The hackers will follow the crowds and I’m just not sure that smaller financial institutions are prepared for the risk exposure. Many are still struggling financially and have not been able to make the enormous and endless security investments the bigger banks have been making.

My recommendation? Before you make the big jump, talk to the financial institution you’re thinking about jumping to. Create a list of the security features you may already enjoy, like two (or more) factor authentication, phishing and keylogging protection, account alerts etc. Then compare that to the security features being offered by your new home. At least with a smaller financial institution you’re more likely to be able to meet a real person and get some real answers.

And make the move slowly, by opening up an account with a credit union or bank but keeping your original bank account open for a while. At least until you’ve had time to test your new surroundings.

I think credit unions and community banks should also raise the security discussion themselves. Larger banks are notorious for staying tight-lipped when it comes to security, worried that the more they talk about things like identity theft, the more their customers will worry. Whereas the opposite is probably true – talk more and customers worry less, because they know the bank is taking it seriously. Talk less and customers have a right to worry more, if the only people who don’t seem to be worried about security are the ones who should be worried most.


Is the bad economy helping cybercriminals?

Wednesday, November 9th, 2011

In today’s article, Intersections’ Consumer Security Adviser Neal O’Farrell asks the question “is the economy helping cybercriminals?” Read on to find the answer!

A recent report from security firm Panda Labs found that in the last three months alone it has detected more than five million new types of malware. That works out to an average of one new type of Trojan, virus, and other malicious program discovered every 1.5 seconds.

Because of the way most anti-virus programs work, once a virus is discovered the anti-virus companies have to rush to write a piece of code or signature that must then be downloaded as quickly as possible by billions of users around the world in order to keep that particular piece of malware out.

That means that many of these viruses can easily make their way on to unprotected computers before the programmers have time to push out the updates. And with many anti-virus companies struggling to grow their profits, it could mean that as malware grows in volume and sophistication, anti-virus companies may have to spend less on updating their software.

And if you don’t believe in such perfect storms, take a close look at the identity theft wars. As identity theft continues to grow, and become more sophisticated, cash-strapped police departments no longer have the resources to investigate these crimes. Which only encourages and emboldens more thieves.

The Panda Labs report seems to support this notion. The most powerful and dangerous type of malware, and the type most favored by organized crime for its ability to steal passwords and break into bank accounts, is the Trojan. And according to Panda, three out of every four new types of malware discovered in the last three months were Trojans.

Which probably explains why Trojans were responsible for the majority (63%) of infections in the last three months. Trojans are very efficient bank robbers, and the payoff can be enormous. Two cybercrooks from the Ukraine were just sent to prison in the United Kingdom after they were convicted of using exactly this type of malware to steal more than $4 million from bank accounts in just six months.

On a related note, the Panda Labs report also found that the countries with the worst infection rates were China, Taiwan, and Russia. In China, for example, it’s believed that more than half of all PCs are infected by malware.

And traditional attacks like phishing are not going away. Within days of a warning by the American Bankers Association of an unexplained spike in phishing attacks, security researchers had identified a new type of phishing attack that looks like it comes from a well-known bank and offers recipients $35 to complete an online survey.

According to security firm Sophos, the email asked for so much highly confidential information that it should be a warning sign. The email questionnaire asked for:

• Social Security Number
• Card number
• Card expiration
• CVV
• ATM PIN
• First, Middle and Last name
• Email (ironically they mailed you the form)
• Address
• Mother’s maiden name
• Place of birth
• Birthday

And an increasingly common way to spread phishing emails and infect users with this kind of malware is trusty old spam. The irony is that much of the spam in circulation today comes from the computers of innocent users. Spammers use botnets to infect unprotected computers and use them to relay spam to other users. And unfortunately, it appears that the United States still holds the top spot when it comes to relaying spam.

The bottom line? The easiest way to lose a battle is to just walk off the battlefield. As many companies and industries struggle just to survive, they’re cutting back on security. According to this year’s annual Global Information Security Survey, conducted by PricewaterhouseCoopers, nearly 10,000 executives around the world were asked about their plans to make security a priority. Sadly just 11% said that they planned to make data protection a top priority.

Cyber-crooks are taking full advantage. Not only are they developing even more sophisticated malware, they’re deliberately overloading businesses and consumers with so many attacks, something has to give.


Child identity theft – a growing problem

Thursday, October 6th, 2011

In a recent report by the firm ID Analytics, more than 140,000 children across the United States were found to have been victims of child identity theft. The report supported other studies that have found the same troubling trend, as well as a growing awareness in the cybercrime community of the value of child identities and the ease with which they can be compromised. Today, the Daily Shield welcomes Steve Schwartz, Intersections’ Executive Vice President, Consumer Services. In today’s video presentation, Steve shares some thoughts on the growing problem of child identity theft.


Ten ways to protect your bank account from thieves

Wednesday, September 28th, 2011

There are news reports almost daily about how hackers are able to gain access to the bank accounts of innocent victims and rip off thousands and thousands of dollars. In today’s article, Intersections’ Consumer Security Adviser Neal O’Farrell explains what you need to do to keep your hard-earned money out of the hands of hackers and criminals. A must-read!

The title of this article could just as easily have been “How to make half a million bucks a month from the comfort of your computer.” I was reading recently about how a twenty-something hacker from Russia managed to steal more than $3.2 million in just six months simply by pushing out malware designed to sneak on to unprotected computers, steal banking passwords, and empty bank accounts. His efforts paid off to the tune of around $17,000 a day, give or take.

The hacker goes by the nickname Soldier, and according to research by security firm Trend Micro, he managed to infect more than 25,000 computers in the three months leading up to June of this year using a malware toolkit that is freely available on the internet.

His success at infecting so many computers and making so much money in such a short timeframe should be a warning to every consumer to be ever vigilant when it comes to online banking. Soldier is only one of probably thousands of hackers using the same or similar crime kits to plunder online bank accounts.

So if you want to avoid being Soldier’s next victim, here are some simple tips to beef up your defenses.

1. Lock down your computer. Every computer should be protected by multiple layers of security, including anti-virus and other malware protection, encryption to protect your data, browser security to steer you away from malicious web sites etc.

2. Beef up your passwords. Weak passwords are your worst enemy – make them strong, random, and original. No sense in creating one strong password and then using it for every web site you know.

3. Sign up for alerts. Most financial institutions provide email or text alerts when certain things happen with your account – a transfer is attempted, an ATM withdrawal is made, or a check more than a certain amount is presented. Sign up for these alerts because they can be your earliest warning that something’s not right.

4. Be very careful with the apps you use. Apps are great, especially if they’re free. But apps are the wild west of security, with little control over who makes and sells them, and how securely the code is written. So use as few apps as you need and only from trusted sources.

5. Think twice about mobile banking. While banking from your smart phone sounds like a great idea, it’s still in its infancy and new security holes are being discovered daily. If you’re not completely confident about the security of your smartphone, stick to doing your online banking from a computer you do trust. Or at least trust a little more.

6. Don’t access your bank account over a public Wi-Fi network. It’s very easy to snoop on any computers using Wi-Fi networks in places like coffee shops and hotels. So much better to wait until you get home before checking your balances or paying bills.

7. Limit access to your computer. The fewer people who have access to your computer, the less risk you have of compromise. So it might be smart to ban family members from using the computer you use to bank online. That way, you won’t be at risk from their mistakes or bad habits.

8. Consider using a separate computer just for online banking. That’s the advice of the security expert who discovered the first banking Trojan a couple of years ago. If you use a separate computer just for online banking, you reduce the risk of malware sneaking on to your computer through drive-by downloads, infected attachments etc.

9. Use a keylogger prevention system, like PRIVACYPROTECT® which comes free with your IDENTITY GUARD® TOTAL PROTECTION(SM) membership, to protect your passwords from being snooped upon. Keyloggers are able to sniff and steal logins and passwords by monitoring what you type on your keyboard, but products like ID Vault allow you to bypass the keyboard and enter your login credentials using a virtual keyboard instead.

10. Take Facebook security very seriously. It’s not only an easy way for thieves to deliver the kind of malware that can steal your bank account login and password, it’s also a great way for thieves to find the answers to the most common “secret” questions – like the city where you were born, your first pet, favorite teacher, and mother’s maiden name.


Is the cybercrime business really bigger than the drug trade?

Wednesday, September 21st, 2011

Intersections’ Consumer Security Adviser Neal O’Farrell reports on a recent report by Symantec that compares cybercrime to the worldwide drug trade. Interesting stuff!

Is the cybercrime business really bigger than the drug trade?

That’s the claim (sort of) of an eye-opening report recently published by Symantec. According to the Norton Cybercrime Report 2011, the global cost of cybercrime was nearly $388 billion last year. That number is made up of $144 billion in direct financial losses by victims, and another $274 billion in losses due to lost time and other indirect costs as a result of the attacks.

Norton then compared that to a number of United Nations World Drug Reports over the last few years that pegged the black market for marijuana, cocaine and heroin combined at $288 billion, coming to the conclusion that the global cost of cybercrime exceeded the drug market.

Hard to argue with, except that many media outlets have been reporting that Norton’s study claims that cybercriminals make more money than drug distributors. Which is obviously not the case, at least not yet – the report claims that victims lost $388 billion in direct and indirect losses but not that the crooks actually made that money.

But I’m sure it’s only a matter of time before the profits from cybercrime, and especially identity theft, exceed those from the drug trade. Just recently I spoke at a security conference for law enforcement where we discussed a recent case in Florida called Operation Rainmaker, an identity theft and tax fraud scheme that netted street level drug dealers more than $130 million simply by switching from dealing drugs on street corners to committing identity theft with laptops.

Here are some of the other findings of the report:

• More than two thirds of online adults (69 percent) have been a victim of cybercrime in their lifetime.

• Every second, 14 adults become victims of cybercrime, resulting in more than one million cybercrime victims every day.

• 10 percent of adults online have experienced cybercrime on their mobile phone.

• Increased social networking and a lack of protection are the main culprits behind the growing number of cybercrime victims.

• Men between 18 and 31 years old who access the Internet from their mobile phone are most likely to be victims.

• Globally, the most common – and most preventable – type of cybercrime is computer viruses and malware, with 54 percent of respondents saying they have experienced it in their lifetime.

• Viruses are followed by online scams (11 percent) and phishing messages (10 percent). Earlier this year the Symantec Internet Security Threat Report, Volume 16, found more than 286 million unique variations of malicious software (“malware”) compared to the 240 million reported in 2009.

• Forty-one percent of adults indicated they don’t have an up-to-date security software suite to protect their personal information online.

• Less than half review credit card statements regularly for fraud (47 percent), and 61 percent don’t use complex passwords or change them regularly.

Read the full report for more findings from the Norton Cybercrime Report globally and by country.


New Facebook security guide offers some valuable tips

Thursday, September 1st, 2011

Intersections’ Consumer Security Adviser, Neal O’Farrell, shares some very valuable social networking safety tips today. He comments on a recently published Facebook security guide.

There is a growing collection of guides, web sites, and even Facebook pages devoted to the evolving topics of Facebook security, safety and privacy. And for good reason. In spite of all Facebook’s efforts to keep their users safe, Facebook is still a haven for all kinds of scammers and scams just waiting for careless or busy users to slip up.

The latest arrival is a concise 14-page guide from Facebook and authored by a team of writers with a mixed background of internet safety, online security, and teaching. It’s called “Own Your Space: A Guide to Facebook Security 13 Top Tips for Staying Secure on Facebook” and you can download the complete guide from the link below. If you’re not familiar with the basics of Facebook security, I strongly recommend that you download and use a copy. And especially if you have kids who are already on Facebook or plan to be soon.

Here’s what the authors of the guide offer as their top tips for staying safe – print them out, keep them close, and consult them often:

• Only “Friend” people you know.

• Create a good password and use it only for Facebook.

• Don’t share your password.

• Change your password on a regular basis.

• Share your personal information only with people and companies that need it.

• Log into Facebook only ONCE each session. If it looks like Facebook is asking you to log in a second time, skip the links and directly type www.facebook.com into your browser address bar.

• Use a one-time password when using someone else’s computer.

• Log out of Facebook after using someone else’s computer.

• Use secure browsing whenever possible.

• Only download Apps from sites you trust.

• Keep your anti-virus software updated.

• Keep your browser and other applications up to date.

• Don’t paste script (code) in your browser address bar.

• Use browser add-ons like Web of Trust and Firefox’s NoScript to keep your account from being hijacked.

• Beware of “goofy” posts from anyone—even Friends. If it looks like something your Friend wouldn’t post, don’t click on it.

• Scammers might hack your Friends’ accounts and send links from their accounts. Beware of enticing links coming from your Friends.

And remember, Facebook has its own team and page dedicated to all things security.


2011 already a great year for cyber crooks

Tuesday, August 16th, 2011

Intersections’ Consumer Security Adviser, Neal O’Farrell, joins us again today with his take on the recent mid-year cybercrime report by the security firm Sophos. Enjoy, but be careful out there!

Hard to believe the year is already half over. Seems like only yesterday we were talking about a spike in identity theft over the Christmas holidays, and warning consumers to be extra vigilant as tax time approaches.

But it’s been such a busy year for scammers and hackers, it almost becomes a blur. To sort through the fog, security firm Sophos recently published their half year summary of threats and trends, and it should stand as a stark warning of the need to be constantly vigilant.

For example, Sophos claims that since the start of 2011 they have recorded an average of 150,000 new malware samples every single day. That works out to one piece of malicious software being discovered every single second, and a 60% increase over 2010.

Sophos has also identified an average of 19,000 new malicious URLs every single day in the first half of this year. That’s a stunning 4.5 new web threats detected every second. And, according to Sophos, 80% of those URLs are legitimate websites that were hacked or compromised by crooks.

The two top exploits favored by these crooks were fake anti-virus software and SEO poisoning – manipulating search engine results to drive users to malicious or infected web sites – and it might surprise you that the majority of these malware sites are hosted in the United States. The U.S. accounts for a whopping 37% of malware hosting web sites, while the next nearest culprit is Russia at just 13 percent.

There has also been a big change in the way people communicate, a change that now works even more in the favor of hackers. Sophos recorded a 59% decline in the use of email among 12-17 year olds, and a 34% decline in email use amongst 24-34 year olds. This is mainly due to a switch to texting and social networks as a way to communicate. And hackers love social networks because they make it much easier than email to launch more targeted and effective attacks. Hardly surprising that 81% of computer users surveyed by Sophos believe that Facebook presents the greatest security risk.

On the subject of social networking risks, Sophos also conducted a poll of nearly 2,000 people on their social media habits and worries. 71% reported that they, or one of their colleagues, had been spammed on a social networking site, 46% had been phished and 45% were sent malware.

“Social networking privacy issues have dominated the headlines in the first half of 2011. With most social networks, the default settings share everything and users have to reset their options to make their accounts more private. This opens up a host of security issues because so many people—both friends and not—have access to your information,” according to Sophos.

The report also highlighted a study by the FBI about how one cyber gang was able to dupe 1 million users into buying fake software, and could have made as much as $72 million from the scam. This is a problem for a lot of reasons. It means that not only were 1 million people duped into paying for something fake, they may also believe they have real virus protection on their computers when in reality they have no protection at all.

And that $72 million will be recycled by these gangs into even more sophisticated scams that will entrap even more victims and continue the cycle. Some of this money may even end up in the hands of terrorists who have the skills and resources to launch their own fake virus scams, or partner with organizations that can manage them on their behalf.

Links to videos that hide malware are also on the increase, especially on Facebook and Twitter. According to Sophos, nearly 69 million people have viewed the now-infamous YouTube music video Chocolate Rain, a clear sign that curiosity still trumps caution for most users.

The Mac is no longer a safe haven, and scammers are now firmly focusing on all things Apple to take advantage of the surge in use and adoption of Apple products, driven by the huge popularity of the iPhone and iPad. Apple’s success with these products obviously has a very dark side to it, and is yet another reminder that wherever the crowds go, the crooks will follow. You only have to look over your shoulder to spot one. But if you never bother looking, then don’t be surprised if you don’t spot the scam until it’s too late.

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.

String of Recent Twitter Attacks

Monday, August 15th, 2011

Intersections’ Consumer Security Adviser, Neal O’Farrell continues his security update series. Today, he writes about a recent string of Twitter attacks. The moral of the story? Beef up your Twitter and Facebook passwords!

Seems like hackers and scammers are not forgetting about Twitter when it comes to spreading malware, junk and scams. For a while there it seemed like Facebook had become the favorite child but a recent uptick in Twitter scams proves that as long as it’s a popular way to share and communicate, Twitter will always be a target.

In the most recent scam, Twitter scammers are circulating spam offering free iTunes gift cards. And they appear to have even gone to the trouble of actually creating accounts for non-existent users so they can make the scam look as real and convincing as possible. Clicking on the link in the message doesn’t get you to your free gift card, but instead to a variety of web sites, some of them dating sites, that request your personal financial information.

That scam came on the heels of another attack where the scammers used compromised Twitter accounts to spam thousands of users with messages about a get-rich-quick scam. Clicking on the link in that message took users to web sites designed to look like local newspapers, where fake participants gave glowing testimonials about how much money could be made from these work-at-home schemes.

And only a week ago, thousands of Twitter users received tweets from friends promoting the miracle “beach body diet.” Turns out it was just another Acai berry promo but again it appeared as though many Twitter users had their account passwords compromised.

As usual, these attacks have common threads, and one of the most common is a compromised password. These scams work best when the messages appear to come from friends. And that’s usually achieved by hacking the “friend’s” Twitter account by taking advantage of a weak password.

Lessons learned?

• If you haven’t already done so, beef up your Twitter and Facebook passwords. Ideally they should be 8-12 characters, and a random mix of letters, numbers and even symbols.

• Protect your password at all times and don’t share it with others, even for fun.

• Don’t use the same password for multiple web sites. That’s a common practice and makes it much too easy to exploit mistakes.
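The lessons above can be turned into a check you run against your own accounts. The following is an added example, not part of the original article: it flags passwords that are too short, lack a mix of letters, numbers and symbols, or are reused across sites, and generates a random replacement. The account names, sample passwords and the symbol set are constructed assumptions.

```python
import secrets
import string
from collections import defaultdict

SYMBOLS = "!@#$%^&*-_=+?"          # assumed symbol set, adjust per site rules
ALPHABET = string.ascii_letters + string.digits + SYMBOLS
MIN_LEN = 8                         # lower end of the article's 8-12 range


def weaknesses(pw):
    """Return the rules from the lessons list that this password breaks."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("too short")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no numbers")
    if not any(not c.isalnum() for c in pw):
        problems.append("no symbols")
    return problems


def audit(accounts):
    """accounts maps site -> password; returns site -> list of problems."""
    sites_by_pw = defaultdict(list)
    for site, pw in accounts.items():
        sites_by_pw[pw].append(site)
    report = {}
    for site, pw in accounts.items():
        problems = weaknesses(pw)
        others = sorted(s for s in sites_by_pw[pw] if s != site)
        if others:
            problems.append("reused on " + ", ".join(others))
        if problems:
            report[site] = problems
    return report


def generate_password(length=12):
    """Draw from the OS CSPRNG until the result has all character classes."""
    if length < MIN_LEN:
        raise ValueError("length is below the 8-character minimum")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not weaknesses(pw):
            return pw


# Constructed sample data: two accounts share one weak password.
SAMPLE = {"twitter": "sunshine", "facebook": "sunshine", "bank": "k7#Tq!z2Rw_p"}

if __name__ == "__main__":
    for site, problems in audit(SAMPLE).items():
        print(site, "->", "; ".join(problems), "| suggested:", generate_password())
```

The generator uses `secrets` rather than `random` because the latter is predictable and not meant for credentials.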
