In today’s article, Intersections’ Consumer Security Adviser, Neal O’Farrell writes about how cyber criminals and identity thieves target small businesses. Why? Because many small businesses do not have substantial security procedures in place, and they make an attractive target for thieves hoping to steal your personal information.

Last night a neighbor of mine called for some advice on identity theft. He’d just received a call from a mortgage broker he hadn’t dealt with in more than two years, who told him that he’d just had a break-in at his office, his computer was stolen, and my neighbor’s personal information was on that computer. Along with the personal information of possibly thousands of other victims who had provided their personal information to that broker over the years.

And because the information was about loan and mortgage applications, it included everything a thief would need to commit devastating identity theft against multiple victims. Information like name and spouse’s name, Social Security number, address and date of birth, earnings and employer, previous addresses and more.

What bothered my neighbor most, apart from the obvious risk to his identity, was why the broker had held on to so much sensitive information for so long. And why it was sitting unprotected on a personal computer for so long.

I had to explain to him that this practice was very common. Small businesses, whatever their nature, tend to be unfamiliar with security procedures and data protection basics. Chances are, this broker has been hanging on to highly sensitive client information for years, maybe even decades, either in the hope that he could do business with those individuals again in the future, or simply because he was too lazy to properly dispose of that information after he no longer needed it.

While something as simple (and often free) as encryption would have made that personal information completely safe from thieves, few small businesses have yet embraced this simple idea.

I’ve been saying for years that one of the biggest identity theft threats for consumers are the small businesses they deal with on a daily basis. I don’t want to be harsh on small business owners – I’ve been one for thirty years – but they’re running out of excuses. There are few small business owners today who have not heard about cybercrime and identity theft and who are not aware that they have a responsibility to protect their customer and employee information from these threats.

Yet there are also very few small business owners, in my experience, who are actually doing anything about it. The most common excuse I hear from small business owners is that they’re just too small for a hacker to bother with. This completely misses the point, because hackers usually work by doing large sweeps or trawls for victims, and are quickly able to identify those businesses that have gaping security holes.

And with identity theft often viewed as the new burglary, small business owners have just as much to fear from local petty criminal as they have from global cyber gangs, because information stolen in burglaries often ends up in the same place.

Which probably explains why the most recent study of data breaches, just published by Verizon’s security division, found that out of the 855 data breaches the company’s security team investigated last year, more than 600 of them were at small businesses. That tally’s with a claim made last year by Visa that approximately 95% of its credit card breaches were at its smallest customers.

If any small business owner is still not convinced that hackers are targeting small businesses, the Verizon report also found that more than 80% of these breaches were as a result of the activity of hackers, and nearly 70% involved the use of malware.

To me there’s little doubt that the small business is squarely in the sights of hackers and cyber criminals around the world, and a single security incident at a small business could be its’ death knell. As public awareness grows about the danger of doing business with small businesses, worried consumers may take their business elsewhere.

And the inevitable result, if small business owners fail to take heed and responsibility, is that some form of legislation will be introduced to force small business owners to do the right thing.

If you are interested in reading the 2012 Verizon Data Breach Investigations Report, you candownload a copy here.

Learn more about identity theft protection.

Keep informed about the latest threats to your safety. Join our Facebook group.

It seems that not a day goes by when there is not a story about a major data breach in the news. And the reason for that is that in 2011, there were more than 400 major data breaches – more than 1 every day! In today’s article, Intersections’ Consumer Security Adviser, Neal O’Farrell breaks down the data breach and provides some helpful tips on what you can do to protect yourself should your records be compromised.

Ever wondered why there are so many data breaches and why they keep happening. In 2011 there were more than 420 reported data breaches, or an average of more than one every day. And some of these breaches exposed millions of personal and customer records. What’s more worrying is that in at least 80% of these breaches, Social Security numbers were exposed.

A security firm called Trustwave did an investigation of more than 300 data breaches and exposed some interesting statistics and trends that might help to explain why so many businesses keep losing our personal and private information:

• Personal customer records were the target of hackers in nearly 90% of the breaches.

• Surprisingly, the food and beverage industry made up the majority of investigated breaches (44%), followed by retailers at 33%. Normally the biggest targets for data breaches are educational institutions and healthcare but in this report they only accounted for a combined 2% of investigated breaches

• Also surprising was the focus by hackers on franchised businesses, where the local business is owned by individual business owners. More than a third of the breaches happened at franchised businesses.

• When malware was used in the attacks, it was only detected by anti-malware software in just 12% of the attacks – suggesting the thieves are easily able to get past the most fundamental security defenses.

• But perhaps not that surprising is that the most common password being used by these breached organizations was “Password1”

So how are the attackers breaching security so often and so easily? The report exposed another troubling trend – in more than three quarters of the breaches investigated the access point was traced to third parties, like suppliers, partners, and technology developers. This suggests that while an organization you do business with might be doing all it can to protect your personal information, all the hard work can easily be undone when the partners they rely on are not as focused on protecting you as they should be.

And in more than 80% of the breaches investigated, the biggest weakness identified was poor passwords. Weak passwords continue to be exploited by hackers and intruders, and in spite of endless education on the subject, for some reason employees continue to choose passwords that can be guessed or cracked in seconds. If the most common password found in these attacks was Password1 (it’s a default password that employees obviously couldn’t be bothered to change), it suggests that we shouldn’t give up on educating everyone about the need for stronger and smarter passwords.

And what fixes did the report recommend? The very first recommendation of their report was better user and employee education, saying “The best intrusion detection systems are neither security experts nor expensive technology, but employees. Security awareness education for employees can often be the first line of defense.”

What else can you do?

• Use this as a reminder to beef up your passwords. Imagine how you’d feel if your weak password was cracked by hackers and used to launch a costly attack on your workplace?

• Be vigilant and careful when paying at a fast-food restaurant. Security can be a big problem here because they have limited security, a high staff turnover, and often few background checks on employees. Consider using a credit card instead of debit card when paying at one of these establishments so you’re not giving hackers access to your bank account.

• Spread the word. If you believe in security, and the role of each of us has to play in protecting our little corner of cyberspace, then share that idea with others. If each one of us were to change just a couple of our bad computing or financial habits, these crimes would be much harder to pull off.

Learn more about identity theft protection.

Keep informed about the latest threats to your safety. Join our Facebook group.

Although it’s barely a month into 2012, there is a lot going on with security and privacy on the world’s most popular social networking site – Facebook. Intersections’ Consumer Security Adviser, Neal O’Farrell is here today to give us an update on several new Facebook security issues.

2012 has already been an interesting year for Facebook security, with the emergence of some dangerous new scams and the unmasking of one of Facebook’s most notorious cyber gangs.

In case you never heard of Koobface, it’s a piece of malware that first emerged in 2008 and quickly infected millions of users. Users were tricked into downloading the malware by clicking on infected links on Facebook pages with messages like “Lol, is this you in this video?” These users were then enlisted into a giant international bot network of hijacked computers, at one point numbering close to one million computers, which in turn were used to engage in a variety of criminal activities that including pedaling fake anti-virus software.

The Koobface gang, as they became known, were able to generate millions of dollars in criminal gains, and all the while working out in the open, in plain sight, in the Russian city of St Petersburg. Until January 16th, when the New York Times and other outlets identified the five members of the gang and posted their photos across the world.

Apparently that did the trick, because Facebook just reported that they had finally wiped all traces of Koobface from Facebook, and that the command and control servers used to manage this massive criminal network appear to have gone silent.

But if everyone knows who these criminal are, and have known for some time, why were they not arrested? In a statement from Russian authorities, the answer is simple – no-one ever bothered to ask them to investigate or arrest them. While that’s probably not the case, and Russian authorities have probably known about and tolerated the gang for years, it reminds us once again why so many of the world’s most notorious hacking gangs work unimpeded from behind the Russian border.

But that might have been the only good news on the security front for Facebook. Just last week we talked about a dangerous new worm called Ramnit, which had apparently been merged with the highly dangerous Zeus banking Trojan and stealing Facebook passwords in the expectation (probably correct) that many Facebook users use the same password on other sites. Like their online banking.

And that was followed by a Facebook ransomware attack, where Facebook users received messages claiming that as a result of some unusual activity their Faceook account had been suspended and they would have to pay a fee of around $30 in order to unlock it.

There are some important lessons to be learned here:

• Probably the only way to defeat all these Facebook threats that keep emerging is for everyone to stop using Facebook. Criminals are only targeting Facebook because it’s easy to pick the pockets of such large crowds.

• It’s like playing whack-a-mole with criminals. As soon as one gang or piece of malware has been neutralized, another takes its place. And often the replacement has learned from its predecessors, adapted itself, and become even more potent.

• It’s still down to users. Facebook is doing all it can (I assume) to counter all these threats. But if you really do love Facebook, you can help – by being more cautious, vigilant, and cynical when it comes to any unusual messages you receive. And of course, a strong and well-protected password would be greatly appreciated too.

You can read details of the compelling Koobface expose here.

Learn more about identity theft protection.

Keep informed about the latest threats to your safety. Join our Facebook group.

It’s that time of the year when we get to polish our crystal ball and take a look at what might happen in 2012. Intersections’ Consumer Security Adviser and master predictor of all things security Neal O’Farrell, dusts off his magic wand, adjusts his turban and takes a peek into the future with his 2012 security predictions.

Christmas is a time for tradition, and in the security world one of those traditions is predicting what’s in store for us next year from hackers, scammers and all the other things that go bump on the net.

Perhaps the best way to summarize next year’s threats is more of the same, and here are just a few of my predictions:

• More friends and family fraud, as continued economic hard times force otherwise honest individuals to exploit family credit to pay bills.

• An increase in existing account fraud as financial institutions get better at preventing new account fraud and force thieves to focus on low hanging fruit.

• An increase in child identity theft as thieves become more aware of how hard it is to stop it, and a similar increase in elder financial exploitation as social services for the elderly are cut back.

• An increase in skimming, especially in supermarkets, as thieves rush to take advantage of this vulnerability before chip-and-pin is more widely adopted and makes skimming more difficult.

• A shift from street-level drug dealing to identity theft. This is a worrying trend because it could fuel the growth in identity theft for another decade. The recent Operation Rainmaker in Florida, where local drug dealers joined forces to learn about identity theft and defraud the IRS out of more than $130 million using stolen identities, is a perfect example of this trend.

• A growth in super thieves – low level thieves, like those involved in mail theft or check washing – who are never arrested or investigated, stay off law enforcement’s radar, and only become better, more sophisticated, and able to steal larger amounts without being caught. They take advantage of the fact that law enforcement has largely given up on identity theft.

• An increase in attacks against small businesses because of the wealth of identity information they possess with little protection.

• An increase in tax-related identity theft, as crooks realize how lax IRS security controls are and how easy it is to get a refund using a stolen or “deceased” identity.

• An increase in identity theft malware especially banking Trojans, keyloggers, and Android malware.

• An increase in legislation to protect consumers, and especially data breach legislation.

• Lots of opportunities for hackers to poison search results and take advantage of some big events next year, especially the 2012 Olympic Games starting in July in London, and of course the Presidential election. Both events will provide hackers and scammers with endless opportunities to trick unwary users into falling for some scam or another.

• More hactivisim, but much of it by copycat hackers rather than by the original Anonymous or Lulz crew.

• More infrastructure attacks, targeted at everything from power stations to water treatment plants. Most of the attacks will be probes to test the resilience of these systems to attack.

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.

In today’s post, Intersections’ Consumer Security Adviser Neal O’Farrell examines the issue of bank security. Are you safer with a small credit union or community bank? That’s a question that’s increasingly being asked by consumers around the country who are considering moving their bank accounts from a large bank to a smaller credit union or community bank.

According to a recent article in CUInfosecurity.com, risk is the top concern as consumers consider moving their accounts from larger banks to credit unions or community banks. The article points out that at least 650,000 Americans have switched to credit unions since Sept. 29, 54 percent of credit unions have reported increases in share growth, and one of the largest credit unions said its new members and checking-account openings are up 70 percent for the months of September and October.

And credit unions aren’t alone. The same article pointed to a recent poll by the Independent Community Bankers of America which found that 60 percent of community banks had picked up new customers as a result of frustrations associated with larger banks.

If you are thinking of switching from a larger financial institution, or from a bank to a credit union, security should always be a concern. Once you’ve done a side-by-side comparison on key features like account fees and features, loan and credit card interest rates, ATMs locations and fees, and customer service, it’s time to think about security.

There is a concern that many smaller financial institutions are still struggling financially, and may not have enough of a security budget to match that of a larger institution. And if they’re lucky enough to be swamped by new customers, will their security budget and preparedness be able to keep pace?

Those are the most common security questions. Can a credit union really protect me – not just my money but all my personal information too? How good and quick are they at detecting a security breach and notifying me? How quickly can they resolve a security issue or fraud? And will my money be any safer there than at a large bank?

Credit unions have long argued that history shows they suffer from fewer attacks than larger banks. Experts on the other hand have argued that’s only because of their small size. It’s like the Windows vs. Apple argument – Apple users claim Apple products have suffered from fewer attacks because they have better security built in, whereas experts argue it’s just about economics. Hackers and malware writers simply ignored Apple for years because it had so few users compared to Microsoft. Writing code to target Apple products just wasn’t economically viable – just not worth the time.

But as the popularity of Apple products has surged, thanks to iPhone and iPad, we suddenly started to see “Mac Malware” emerge and the malware authors just followed the crowds.

That’s what I expect if there’s a major shift from larger banks to smaller and more local banks and credit unions. The hackers will follow the crowds and I’m just not sure that smaller financial institutions are prepared for the risk exposure. Many are still struggling financially and have not been able to make the enormous and endless security investments the bigger banks have been making.

My recommendation? Before you make the big jump, talk to the financial institution you’re thinking about jumping to. Create a list of the security features you may already enjoy, like two (or more) factor authentication, phishing and keylogging protection, account alerts etc. Then compare that to the security features being offered by your new home. At least with a smaller financial institution you’re more likely to be able to meet a real person and get some real answers.

And make the move slowly, by opening up an account with credit union or bank but keeping your original bank account open for a while. At least until you’ve had time to test your new surroundings.

I think credit unions and community banks should also raise the security discussion themselves. Larger banks are notorious about staying tight lipped when it comes to security, worried that the more they talk about things like identity theft, the more their customers will worry. Whereas the opposite is probably true – talk more and customers worry less, because they know the bank is taking it seriously. Talk less and customers have a right to worry more, if the only people who don’t seem to be worried about security are the ones who should be worried most.

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.

Intersections’ Consumer Security Adviser Neal O’Farrell shares some security insights into the popular Internet phone service,Skype. Let the caller beware!

If, like me, you’re one of the millions of people who use Skype to make phone and video calls, you might want to be aware of some serious security issues that are emerging.

Researchers at universities in New York, France, and Germany plan to publish a paper called “I Know Where You Are and What You Are Sharing,” at a major internet conference in Berlin next month. The paper promises to outline what many experts believe are major flaws in Skype that could be downright creepy.

The authors claim that the privacy weaknesses they are found are so easy to exploit, a sophisticated high school-age hacker would likely be capable of executing similar attacks.

Here’s just an example of some of those risks:

• When person A calls person B using VoIP, person A is able to determine person B’s IP address, and perhaps even their location and the name of their ISP.

• Attackers can get this information by calling a person and hanging up quickly so the recipient of the call will never even know – there’s no ringing or pop-up window.

• An attacker can make some of these attacks even when they’re not on the other user’s contact list and even when they’ve been blocked from that user’s list.

• By repeating some of the attacks on an hourly basis, the attacker can track the locations and movements of any Skype user over weeks or even months, without the user having any idea that he or she is being tracked.

• Marketers can easily link to information such as name, age, address, profession and employer from social media sites such as Facebook and LinkedIn in order to inexpensively build profiles on a single tracked target or a database of hundreds of thousands.

In one demonstration, the researchers tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period and were able to construct a detailed account of a user’s daily activities even if the user had not turned on Skype for 72 hours.

According to their press release “In one example, they accurately tracked one volunteer researcher from his visit at a New York university to a vacation in Chicago, a return to a New York university, lodging in Brooklyn, then to his home in France. ‘If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when.’”

The researchers also calculated that it would cost a marketing company just $500 per week to create a database capable of tracking 10,000 Skype users.

Why target Skype? The very same reason hackers have relentlessly targeted Facebook and other social networking sites – because it’s where the crowds are. Skype has more than 500 million registered users and around 170 million active monthly users who use it to make phone and video calls, send text messages, and even use it for corporate video conferencing.

And apparently it’s not just Skype that’s vulnerable but many other VOIP services. The authors of the report claim that “These findings have real security implications for the hundreds of millions of people around the world who use VoIP or P2P file-sharing services. A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user – from private citizens to celebrities and politicians – and use the information for purposes of stalking, blackmail or fraud.”

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.

In today’s post, Neal O’Farrell talks about the importance of keeping on top of your own personal security. And there is no better time to do that than in October, which is National Cyber Security Awareness Month.

It’s October again and you know what that means. No, not just Halloween, although some of the stuff out there is beginning to get scary. It’s also National Cyber Security Awareness Month and a great time for you to review your security, take a close look at your personal habits, and make some of those changes you might have been putting off.

October should be “take another look” month because it’s a great reminder for you to take another look at some of the stuff you might be taking for granted.

Take another look at Facebook

• Have you changed your password recently? If not, do it now.

• Have you removed any personal information that might help a thief learn more about your background, like where you grew up, went to school, date of birth etc.?

• Have you hidden your mobile phone number on your Facebook page? Your bank may use that number to send you alerts and you don’t want thieves intercepting those alerts.

• Have you revisited your privacy settings lately? Because Facebook changes so much, you should check your settings regularly to make sure they’re still doing what you expect them to. Network World has a great slideshow entitled “Facebook Privacy: 11 settings to revisit now.”

Take another look at your computer and device security

• When was the last time you updated your anti-virus software, and is it set to automatically update?

• Have you checked that your anti-virus program is actually in place and turned on? Make sure that it wasn’t disabled accidently by another user or family member, or even by malware.

• Are you protecting valuable information on your computer or laptop with encryption? It’s a great defense against theft and hackers.

• Have you removed any apps from your phone and tablet that you don’t really need?

• Have you installed security software in your smartphone or tablet? Don’t forget that these devices can be just as vulnerable as your computers.

Take another look at your credit reports

• When was the last time you checked your credit reports? If it’s been more than three months, it might be time to check them again. Check your reports free at www.annualcreditreport.com.

• Are you using IDENTITY GUARD®? IDENTITY GUARD® provides one of the most comprehensive collections of security tools to protect your identity from all kinds of attacks and it works best if you take advantage of all its great features.

Take another look at your browser

• Have you updated it lately or set it to automatically update?

• Have you looked at the security of add-ons and extensions to your browser, and uninstalled extensions you don’t need?

• Have you thought about switching or upgrading to Internet Explorer 9 or IE 9? It has a host of new security features that can provide almost as much protection as desktop security software.

Take another look at your kids

• Are they on Facebook? If they are, have you talked to them about dangers and precautions?

• Have you created your own Facebook page so you can friend your kids and keep an eye on them?

• Have you set rules for what they can’t say and send on their phones and computers?

• Have you moved family computers to a family area – meaning no computers where you can’t see them?

Take another look at your passwords

• Have you changed the most important ones lately, like bank accounts, email, and Facebook?

• Have you moved from passwords to passphrases, to make it easier to create and remember complex passwords?

• Have you started using a password manager to keep all those passwords in a safe place?

• Have you talked to your kids or employees about changing and protecting their passwords?

Take another look at your bank accounts:

• Do you have a password management system, like ID Vault® or an anti-keylogger such as PRIVACYPROTECT®, on your computer to protect your bank logins and passwords from thieves?

• Have you opted for e-statements instead of paper statements, to protect your statements from being intercepted in the mail?

• Have you set up account alerts so that your bank or credit union can immediately notify you of any payments, transfers, or withdrawals?

• Have you changed your bank account password recently?

• Have you checked your statements for any unusual transactions?

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.

There are news reports almost daily about how hackers are able to gain access to the bank accounts of innocent victims and rip off thousands and thousands of dollars. In today’s article, Intersections’ Consumer Security Adviser Neal O’Farrell explains what you need to do to keep your hard-earned money out of the hands of hackers and criminals. A must read!.

The title of this article could just as easily have been “How to make half a million bucks a month from the comfort of your computer.” I was reading recently about how a twenty-something hacker from Russia managed to steal more than $3.2 million in just six months simply by pushing out malware designed to sneak on to unprotected computers, steal banking passwords, and empty bank accounts. His efforts paid off to the tune of around $17,000 a day, give or take.

The hacker goes by the nickname Soldier, and according to research by security firm Trend Micro, he managed to infect more than 25,000 computers in the three months leading up to June of this year using a malware toolkit that is freely available on the internet.

His success, at infecting so many computers and making so much money in such a short timeframe, should be a warning to every consumer to be ever vigilant when it comes to online banking. Soldier is one only of probably thousands of hackers using the same or similar crime kits to plunder online bank accounts.

So if you want to avoid being Soldier’s next victim, here are some simple tips to beef up your defenses.

1. Lock down your computer. Every computer should be protected by multiple layers of security, including anti-virus and other malware protection, encryption to protect your data, browser security to steer you away from malicious web sites etc.

2. Beef up your passwords. Weak passwords are your worst enemy – make them strong, random, and original. No sense in creating one strong password and then using it for every web site you know.

3. Sign up for alerts. Most financial institutions provide email or text alerts when certain things happen with your account – a transfer is attempted, an ATM withdrawal is made, or a check more than a certain amount is presented. Sign up for these alerts because they can be your earliest warning that something’s not right.

4. Be very careful with the apps you use. Apps are great, especially if they’re free. But apps are the wild west of security, with little control over who makes and sells them, and how securely the code is written. So use as few apps as you need and only from trusted sources.

5. Think twice about mobile banking. While banking from your smart phone sounds like a great idea, it’s still in its infancy and new security holes are being discovered daily. If you’re not completely confident about the security of your smartphone, stick to doing your online banking from a computer you do trust. Or at least trust a little more.

6. Don’t access your bank account over a public Wi-Fi network. It’s very easy to snoop on any computers using Wi-Fi networks in places like coffee shops and hotels. So much better to wait until you get home before checking your balances or paying bills.

7. Limit access to your computer. The fewer people who have access to your computer, the less risk you have of compromise. So it might be smart to ban family members from using the computer you use to bank online. That way, you won’t be at risk from their mistakes or bad habits.

8. Consider using a separate computer just for online banking. That’s the advice of the security expert who discovered the first banking Trojan a couple of years ago. If you use a separate computer just for online banking, you reduce the risk of malware sneaking on to your computer through drive-by downloads, infected attachments etc.

9. Use a keylogger prevention system, like PRIVACYPROTECT® which comes free with your IDENTITY GUARD® TOTAL PROTECTION(SM) membership, to protect your passwords from being snooped upon. Keyloggers are able to sniff and steal logins and passwords by monitoring what you type on your keyboard, but products like ID Vault allow you to bypass the keyboard and enter your login credentials using a virtual keyboard instead.

10. Take Facebook security very seriously. It’s not only an easy way for thieves to deliver the kind of malware that can steal your bank account login and password, it’s also a great way for thieves to find the answers to the most common “secret” questions – like the city you were born, your first pet, favorite teacher, and mother’s maiden name.

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.

Intersections’ Consumer Security Adviser Neal O’Farrell reports on a recent report by Symantec that compares cybercrime to the world wide drug trade. Interesting stuff!.

Is the cybercrime business really bigger than the drug trade?

That’s the claim (sort of) of an eye-opening report recently published by Symantec. According to the Norton Cybercrime Report 2011, the global cost of cybercrime was nearly $388 billion last year. That number is made up of $144 billion in direct financial losses by victims, and another $274 billion in losses due to lost time and other indirect costs as a result of the attacks.

Norton then compared that to a number of United Nations World Drug Reports over the last few years that pegged the black market for marijuana, cocaine and heroin combined at $288 billion, coming to the conclusion that the global cost of cybercrime exceeded the drug market.

Hard to argue with, except that many media outlets have been reporting that Norton’s study claims that cybercriminals make more money than drug distributors. Which is obviously not the case, at least not yet – the report claims that victims lost $388 billion in direct and indirect losses but not that the crooks actually made that money.

But I’m sure it’s only a matter of time before the profits from cybercrime, and especially identity theft, exceed those from the drug trade. Just recently I spoke at a security conference for law enforcement where we discussed a recent case in Florida called Operation Rainmaker, an identity theft and tax fraud scheme that netted street level drug dealers more than $130 million simply by switching from dealing drugs on street corners to committing identity theft with laptops.

Here are some of the other findings of the report:

• More than two thirds of online adults (69 percent) have been a victim of cybercrime in their lifetime.

• Every second 14 adults become a victim of cybercrime, resulting in more than one million cybercrime victims every day.

• 10 percent of adults online have experienced cybercrime on their mobile phone.

• Increased social networking and a lack of protection are the main culprits behind the growing number of cybercrime victims.

• Men between 18 and 31 years old who access the Internet from their mobile phone are most likely to be victims.

• Globally, the most common – and most preventable – type of cybercrime is computer viruses and malware, with 54 percent of respondents saying they have experienced it in their lifetime.

• Viruses are followed by online scams (11 percent) and phishing messages (10 percent). Earlier this year the Symantec Internet Security Threat Report, Volume 16, found more than 286 million unique variations of malicious software (“malware”) compared to the 240 million reported in 2009.

• Forty-one percent of adults indicated they don’t have an up-to-date security software suite to protect their personal information online.

• Less than half review credit card statements regularly for fraud (47 percent), and 61 percent don’t use complex passwords or change them regularly.

Read the full report for more findings from the Norton Cybercrime Report globally and by country.

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.

Intersections’ Consume Security Adviser Neal O’Farrell reports on an inventive identity theft scam that was recently uncovered in Florida.

It was addictive. Just like the dope they once sold on the streets, if not more, according to the story in the Seminole Heights newspaper. “The scheme is extremely simple but extremely lucrative,” said the U.S. Secret Service Special Agent in Charge.

They were talking about Operation Rainmaker, an identity theft scheme that was so easy and so lucrative it persuaded drug dealers to abandon their age-old trade and turn instead to identity theft instead. The operation got its name from law enforcement simply because of the vast amounts of money thieves were able to rain down on themselves – about $130 million in fact.

Authorities were only tipped off to the scheme when tax payers began to file complaints that when they went to file their own taxes, they found someone else had filed using their name. And that was the core of the scam.

Here’s what they discovered. The thieves were using public sites like Ancestry.com to assemble the identities of the living and the dead, and were also buying complete identities on the black market – something that’s surprisingly easy for anyone to do.

Once the thieves had assembled enough information about an individual, they used off-the-shelf tax return software like Turbo Tax to file fraudulent tax returns. And that was probably the easiest part of the entire scam. The IRS is unable to thoroughly review or cross-reference every single tax return they receive, or spot any red flags like a sudden change of a taxpayer’s address. And if the amount of the return is under $10,000, it rarely gets scrutinized.

So naturally the thieves kept their returns under the $10,000 threshold and then sat back and watched the IRS rain money down on them. That money came in credit cards or checks issued by the Treasury and sent to a variety of homes, some of them vacant, or deposited electronically into bogus accounts.

Once they had their hands on the funds, the thieves would go on spending sprees. The scheme was so lucrative and widespread, authorities in the area said they noticed a significant reduction in street-level drug dealing. According to the story, informants told police that local drug dealers quickly realized that identity theft was a much more lucrative and safe line of business.

As soon as authorities got wind of the scheme, they assembled a task force that included police and Sheriff’s departments, the United States Secret Service, the United States Postal Inspection Service, State Attorney’s Office, and the United States Attorney’s Office.

But in spite of all the evidence they had gathered, authorities had trouble in filing charges of tax fraud because the IRS refused to share the records they had – apparently the IRS protects the personal information of thieves who are caught committing tax fraud.

Nearly fifty people have been arrested so far, and here’s exactly how law enforcement laid out the multiple steps in this bizarre criminal enterprise:

• Create Fake Identity

• Suspects search the web to find identities of deceased or living victims.

• Defendants buy large volume of identities from suspects who are stealing names and social security numbers from businesses, medical facilities or prisons.

• File Fraudulent Tax Return Online

• Suspects use multiple electronic filing programs including, Turbo Tax, Tax Hawk and Tax Slayer. Turbo Tax is the most commonly used.

• Suspects refer to this tax scam as “doing drops.”

• Request Refund on Green Dot Card, Treasury Check or Direct Deposit

• Suspects have refunds sent to vacant homes, another suspect’s home or an innocent bystander’s home and then intercept the mail.

• Defendants open fraudulent bank accounts to receive direct deposits.

• Cashing in the Refund

• Suspects withdraw money from ATM’s.

• Buy large ticket items or money orders at legitimate businesses.

• Suspects launder the money through illegal businesses.

And apart from how easy it was to pull of the scam – if they’d stuck to victimizing dead people they might never have been caught – the most worrying part of the story is how drug dealers and other criminals are turning away from traditional crimes and to identity theft. And with so few investigations, arrests and prosecutions for identity theft, what have these crooks to worry about?

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.