It seems that not a day goes by when there is not a story about a major data breach in the news. And the reason for that is that in 2011, there were more than 400 major data breaches – more than 1 every day! In today’s article, Intersections’ Consumer Security Adviser, Neal O’Farrell breaks down the data breach and provides some helpful tips on what you can do to protect yourself should your records be compromised.

Ever wondered why there are so many data breaches and why they keep happening. In 2011 there were more than 420 reported data breaches, or an average of more than one every day. And some of these breaches exposed millions of personal and customer records. What’s more worrying is that in at least 80% of these breaches, Social Security numbers were exposed.

A security firm called Trustwave did an investigation of more than 300 data breaches and exposed some interesting statistics and trends that might help to explain why so many businesses keep losing our personal and private information:

• Personal customer records were the target of hackers in nearly 90% of the breaches.

• Surprisingly, the food and beverage industry made up the majority of investigated breaches (44%), followed by retailers at 33%. Normally the biggest targets for data breaches are educational institutions and healthcare but in this report they only accounted for a combined 2% of investigated breaches

• Also surprising was the focus by hackers on franchised businesses, where the local business is owned by individual business owners. More than a third of the breaches happened at franchised businesses.

• When malware was used in the attacks, it was only detected by anti-malware software in just 12% of the attacks – suggesting the thieves are easily able to get past the most fundamental security defenses.

• But perhaps not that surprising is that the most common password being used by these breached organizations was “Password1”

So how are the attackers breaching security so often and so easily? The report exposed another troubling trend – in more than three quarters of the breaches investigated the access point was traced to third parties, like suppliers, partners, and technology developers. This suggests that while an organization you do business with might be doing all it can to protect your personal information, all the hard work can easily be undone when the partners they rely on are not as focused on protecting you as they should be.

And in more than 80% of the breaches investigated, the biggest weakness identified was poor passwords. Weak passwords continue to be exploited by hackers and intruders, and in spite of endless education on the subject, for some reason employees continue to choose passwords that can be guessed or cracked in seconds. If the most common password found in these attacks was Password1 (it’s a default password that employees obviously couldn’t be bothered to change), it suggests that we shouldn’t give up on educating everyone about the need for stronger and smarter passwords.

And what fixes did the report recommend? The very first recommendation of their report was better user and employee education, saying “The best intrusion detection systems are neither security experts nor expensive technology, but employees. Security awareness education for employees can often be the first line of defense.”

What else can you do?

• Use this as a reminder to beef up your passwords. Imagine how you’d feel if your weak password was cracked by hackers and used to launch a costly attack on your workplace?

• Be vigilant and careful when paying at a fast-food restaurant. Security can be a big problem here because they have limited security, a high staff turnover, and often few background checks on employees. Consider using a credit card instead of debit card when paying at one of these establishments so you’re not giving hackers access to your bank account.

• Spread the word. If you believe in security, and the role of each of us has to play in protecting our little corner of cyberspace, then share that idea with others. If each one of us were to change just a couple of our bad computing or financial habits, these crimes would be much harder to pull off.

Learn more about identity theft protection.

Keep informed about the latest threats to your safety. Join our Facebook group.

Intersections’ Consumer Security Adviser, Neal O’Farrell shares his thoughts on keeping yourself safe at work.

While most of the advice we offer on the Daily Shield focuses on protecting your personal space and finances, it’s easy to forget that some of the greatest security vulnerabilities can be found in a place you may spend much of your life – the workplace.

And with an endless stream of data and security breaches being traced back to bad decisions in the workplace, it could help you and your job if you pay a little more attention to workplace security and privacy.

With that in mind, here are a few simple ideas that can protect you and your co-workers in the year to come:

• Know the rules and follow the policies. Security policies sound like a pain, and in some workplaces they’re so long and complex they read like a text book for a law degree. But policies are there for a reason, and even if they’re poorly written or overly complex, you still need to pay attention to them. If properly implemented, they protect data, protect your workplace, and even protect your job.

• Be careful what you bring to work. One of the biggest threats in 2012 is BYOD – Bring Your Own Device. In spite of policies against them, many employees still bring their own smartphones, laptops, and tablets to work. Thumb drives are a particular source of security problems. If you use those devices to store work information or access corporate networks or systems, you risk exposing your workplace to all kinds of threats. If your employer doesn’t know what kinds of devices you’re using, and what kind of security precautions you’re taking, they’re almost defenseless against the risks your devices might pose.

• Keep your personal information hidden or out of the office. A study as far back as 2005 by the University of Michigan found that close to 70% of all identity thefts in the United States might originate in the workplace. Even if the report is only half right, that’s reason enough for you to guard any personal information you bring to the workplace. So hide any personal financial documentation, wallet, purse, personal devices and anything else a co-worker might grab an opportunity to snoop on.

• Be careful with social media. Many workplaces still don’t have clear rules about the use of social media in the workplace, but that doesn’t mean you should ignore the risks. And apart from getting into trouble for checking your Facebook page too often at work, some of the biggest risks when using social networks at work include saying things that could get you or your employer into trouble, giving away corporate secrets or insider knowledge, or clicking on a malicious link that introduces malware into your workplace.

To avoid these dangers (1) stay off Facebook at work as much as possible, (2) if you do use Facebook or Twitter, mind what you say – about yourself, your workplace, your colleagues, and your job, (3) be very careful what you click on.

• Protect your passwords. If your workplace has guidelines or policies on the proper use of passwords, follow them. The rules are there because they work. If your workplace doesn’t have any clear rules, then use common sense. Use long and complex passwords, change passwords often, don’t share them with others, and be wary of calls or emails claiming to be from a colleague and requesting your password.

• Challenge strangers. One of the most common attacks on the workplace is the walk-in, where a complete stranger will simply walk into the business, perhaps posing as a customer, repair technician, or even a janitor, and steal information. If you come across a stranger in your office, don’t simply ignore them. Offer to help them, ask them who are and what they’re looking for, and if they seem suspicious, notify security or your colleagues.

• Think privacy. The root of good security is a respect for privacy. As a consumer you value your privacy and expect it to be respected and protected. So why not expect that for others. If you come across the personal information of others, give it the respect it deserves. Good security flows from a respect and passion for privacy, and if it’s second nature, security breaches are less likely to happen.

• Be an advocate. If you truly believe in security and privacy, and believe that it makes a difference, then speak up. Become a privacy advocate in your workplace. Encourage co-workers to take security and privacy seriously, and if there are no security guidelines or policies in place already, offer to work with your employer to create share, and apply them.

Learn more about identity theft protection.

Keep informed about the latest threats to your safety. Join our Facebook group.

Here are some frightening statistics concerning child identity theft.

• Children are 51 times more likely to have their identity stolen than adults
• The average debt of child identity theft victims is over $12,000
• 70% of thieves use child ID for credit card/loan fraud, while 23% use it for mortgage/utility fraud.

Check out our infographic – how much is a child’s identity worth.

Protecting your children is more important than ever. Learn more about child identity theft protection.

Intersections’ Consumer Security Adviser Neal O’Farrell provides his comments and analysis of the recent privacy settlement between Facebook and the Federal Trade Commission (FTC). A must read!

As a result of numerous complaints from a number of privacy advocates and organizations, the FTC finally launched its own investigation into Facebook’s privacy claims and failings. According to the FTC’s own statement, which announced the settlement on November 29th 2011, Facebook allegedly made many promises that it did not keep:

• In December 2009, Facebook changed its website so certain information that users may have designated as private – such as their Friends List – was made public. They didn’t warn users that this change was coming, or get their approval in advance.

• Facebook represented that third-party apps that users’ installed would have access only to user information that they needed to operate. In fact, the apps could access nearly all of users’ personal data – data the apps didn’t need.

• Facebook told users they could restrict sharing of data to limited audiences – for example with “Friends Only.” In fact, selecting “Friends Only” did not prevent their information from being shared with third-party applications their friends used.

• Facebook had a “Verified Apps” program & claimed it certified the security of participating apps. It didn’t.

• Facebook promised users that it would not share their personal information with advertisers. It did.

• Facebook claimed that when users deactivated or deleted their accounts, their photos and videos would be inaccessible. But Facebook allowed access to the content, even after users had deactivated or deleted their accounts.

• Facebook claimed that it complied with the U.S.- EU Safe Harbor Framework that governs data transfer between the U.S. and the European Union. It didn’t.

Speaking about the issue on his Facebook page the very same day, Facebook founder Mark Zuckerberg insisted that “Overall, I think we have a good history of providing transparency and control over who can see your information. That said, I’m the first to admit that we’ve made a bunch of mistakes.”

At the same time he announced the appointment of two privacy officers – reminds me of Sony’s announcement that after more than half a century in business it finally decided it would be a good idea to hire a head of security, only after hackers stole nearly 100 million user accounts. Better late than never, I suppose.

The settlement requires that Facebook can no longer conduct business as usual when it comes to privacy, cannot make any further deceptive privacy claims, and must get users’ approval before it changes the way it shares their data.

Specifically, under the proposed settlement, Facebook is:

• barred from making misrepresentations about the privacy or security of consumers’ personal information;

• required to obtain consumers’ affirmative express consent before enacting changes that override their privacy preferences;

• required to prevent anyone from accessing a user’s material more than 30 days after the user has deleted his or her account;

• required to establish and maintain a comprehensive privacy program designed to address privacy risks associated with the development and management of new and existing products and services, and to protect the privacy and confidentiality of consumers’ information; and

• required, within 180 days, and every two years after that for the next 20 years, to obtain independent, third-party audits certifying that it has a privacy program in place that meets or exceeds the requirements of the FTC order, and to ensure that the privacy of consumers’ information is protected.

It doesn’t look like Facebook has to pay any fines or suffered any other punishments. It’s simply on privacy probation for at least the next 20 years.

Read the full statement from the FTC.

To keep up to date on Facebook privacy issues, Facebook has its own team and page dedicated to all things security.

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.

In today’ post, Intersections’ Consumer Security Adviser Neal O’Farrell reminds us that “low-tech” methods used by identity thieves and criminals are sometimes the most effective.

As the busiest season for identity thieves approaches, one of the greatest vulnerabilities for all consumers will be their incoming mail. Mail is a magnet for identity thieves because it usually contains all the ingredients to commit anything from simple fraud to full-out identity theft. And all that priceless information is usually left right at the side of the road for any thief to simply pluck from your mail box.

When an identity thief looks down a street, he or she sees no one watching or protecting the stacks of personal information lining both sides of the streets. Hardly surprising that mail theft is one of the most lucrative forms of identity theft and the most popular for low level or novice identity thieves.

And these thieves know that the Holidays always bring with them a treasure-trove of personal information, and especially financial statements. Mail theft has become so lucrative it’s almost an organized crime with professional mail gangs actively roaming neighborhoods looking for unattended mail that they can grab, run, and sell to other thieves. And we’re already beginning to see a seasonal spike in this kind of crime. Just recently, police in the Northern California city of Chico discovered that mail thieves had ransacked more than twenty seven mail boxes in one spree. And stories like that are now cropping up all around the country.

But it wasn’t on some dark street in an isolated neighborhood under the cover of night. The brazen attack was actually at a Post Office, in plain sight where thieves crashed through a plate glass window, emptied all the mail boxes and sorted out the valuable from the valueless right there on the post office floor.

And some thieves will stop at nothing to get their hands on your mail. One thief was recently charged with hiring two women to attack a postal employee so they could steal the master key he used to open mail boxes. In a vicious assault the thieves actually tazed the postal worker.

So what can you do to protect yourself?

• Collect your mail every day as soon as it arrives.

• Never leave mail out in your mail box to be collected. That’s quite literally a red flag for thieves.

• Consider switching to online banking and bill paying. Most experts believes that online banking is much safer than traditional banking, and by going paperless with your bills and statements you can dramatically reduce the amount of information thieves can steal from you.

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.

Intersections’ Consumer Security Adviser, Neal O’Farrell joins us today. In this article, Neal talks about a disturbing trend – the rise of gang activity and identity theft.

One of my greatest identity theft fears has been the involvement of other criminals in identity theft. By that I mean criminals who have traditionally focused on other crimes, like burglary, switching to identity theft because they realize that identity theft is a much better business opportunity and career path for them.

We do know that burglary and identity theft are already connected, because most burglars realize that a stolen Social Security number or birth certificate is worth far more than a stolen TV or jewelry. Not only is personal information worth more, it can be sold over and over again, and there’s far less risk of being caught. And of course drugs like meth have long been associated with identity theft, in part because in the early days of identity theft the chemicals used to wash stolen checks were also a key ingredient in the synthesizing of meth.

But what if more organized criminals, like street gangs or drug dealers, realized that there was more money to be made in identity theft than selling drugs on street corners? What if they switched business and moved en masse into identity theft? It could spark another massive escalation that would be very hard to stop.

Well, it seems that my worst fears are being realized. A few weeks ago I wrote about Operation Rainmaker, an identity theft scheme busted by law enforcement in Florida. The thieves may have netted as much as $130 million by using stolen identities to file fraudulent tax returns. The most disturbing part, apart from the fact that the thieves managed to pull off such a massive heist so easily, was that the thieves were street level drug dealers who took courses in how to use the internet to commit identity theft.

They realized that if they just learned some basic skills they could make much more money, with much less risk, if they focused on identity theft over drug dealing. Drug dealing is hard work and brings a lot of risk, from arrest to death. And the dealers almost always have to rely on other people – the distributors to provide them with the drugs, the sellers on the streets to move the “product,” and of course customers willing to buy from them instead of their competitors.

But with identity theft these dealers don’t need anyone else. They can commit the crime themselves from the comfort of their own home, there’s a lot less risk, and they don’t need partners or suppliers. Unless of course you count the stolen identities they exploit.

If more drug dealers come to the same conclusion, if could be good news for the fight against drug use but terrible news for identity theft. And signs are other criminals are catching on. According to an analysis just released by the FBI, “gangs are also engaging in white collar crime such as counterfeiting, identity theft, and mortgage fraud, primarily due to the high profitability and much lower visibility and risk of detection and punishment than drug and weapons trafficking.”

And according to the National Gang Intelligence Center (NGIC) many gang members are now using the Internet for identity theft, computer hacking, and phishing schemes. Earlier this year, law enforcement officials arrested dozens of members of the Armenian Power gang on a variety of charges that included including a $2 million credit card scam and a large-scale check fraud scheme.

The FBI estimates that there are around 33,000 known gangs in the United States, with nearly 1.5 million active members. If these gangs start moving seriously into identity theft and other frauds, there’s no telling how bad identity theft will become. And especially with law enforcement already stretched to the limit.

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.

Intersections’ Consumer Security Adviser Neal O’Farrell shares some security insights into the popular Internet phone service,Skype. Let the caller beware!

If, like me, you’re one of the millions of people who use Skype to make phone and video calls, you might want to be aware of some serious security issues that are emerging.

Researchers at universities in New York, France, and Germany plan to publish a paper called “I Know Where You Are and What You Are Sharing,” at a major internet conference in Berlin next month. The paper promises to outline what many experts believe are major flaws in Skype that could be downright creepy.

The authors claim that the privacy weaknesses they are found are so easy to exploit, a sophisticated high school-age hacker would likely be capable of executing similar attacks.

Here’s just an example of some of those risks:

• When person A calls person B using VoIP, person A is able to determine person B’s IP address, and perhaps even their location and the name of their ISP.

• Attackers can get this information by calling a person and hanging up quickly so the recipient of the call will never even know – there’s no ringing or pop-up window.

• An attacker can make some of these attacks even when they’re not on the other user’s contact list and even when they’ve been blocked from that user’s list.

• By repeating some of the attacks on an hourly basis, the attacker can track the locations and movements of any Skype user over weeks or even months, without the user having any idea that he or she is being tracked.

• Marketers can easily link to information such as name, age, address, profession and employer from social media sites such as Facebook and LinkedIn in order to inexpensively build profiles on a single tracked target or a database of hundreds of thousands.

In one demonstration, the researchers tracked the Skype accounts of about 20 volunteers as well as 10,000 random users over a two-week period and were able to construct a detailed account of a user’s daily activities even if the user had not turned on Skype for 72 hours.

According to their press release “In one example, they accurately tracked one volunteer researcher from his visit at a New York university to a vacation in Chicago, a return to a New York university, lodging in Brooklyn, then to his home in France. ‘If we had followed the mobility of the Facebook friends of this user as well, we likely would have determined who he was visiting and when.’”

The researchers also calculated that it would cost a marketing company just $500 per week to create a database capable of tracking 10,000 Skype users.

Why target Skype? The very same reason hackers have relentlessly targeted Facebook and other social networking sites – because it’s where the crowds are. Skype has more than 500 million registered users and around 170 million active monthly users who use it to make phone and video calls, send text messages, and even use it for corporate video conferencing.

And apparently it’s not just Skype that’s vulnerable but many other VOIP services. The authors of the report claim that “These findings have real security implications for the hundreds of millions of people around the world who use VoIP or P2P file-sharing services. A hacker anywhere in the world could easily track the whereabouts and file-sharing habits of a Skype user – from private citizens to celebrities and politicians – and use the information for purposes of stalking, blackmail or fraud.”

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.

In a recent report by the firm ID Analytics, more than 140,000 children across the United States were found to have been victims of child identity theft. The report supported other studies that have found the same troubling trend, as well as a growing awareness in the cybercrime community of the value of child identities and the ease with which they can be compromised.Today, the Daily Shield welcomes Steve Schwartz, Intersections’ Executive Vice President, Consumer Services. In today’s video presentation, Steve shares some thoughts on how parents can help protect their children from identity theft. It starts with parents understanding how and why their child’s personal information is used by schools, at the doctors office, etc.

Learn more about the growing problem of child identity theft and what you can do about it.

Keep informed about the latest threats to your safety. Join our Facebook group.

Intersections’ Consume Security Adviser Neal O’Farrell reports on an inventive identity theft scam that was recently uncovered in Florida.

It was addictive. Just like the dope they once sold on the streets, if not more, according to the story in the Seminole Heights newspaper. “The scheme is extremely simple but extremely lucrative,” said the U.S. Secret Service Special Agent in Charge.

They were talking about Operation Rainmaker, an identity theft scheme that was so easy and so lucrative it persuaded drug dealers to abandon their age-old trade and turn instead to identity theft instead. The operation got its name from law enforcement simply because of the vast amounts of money thieves were able to rain down on themselves – about $130 million in fact.

Authorities were only tipped off to the scheme when tax payers began to file complaints that when they went to file their own taxes, they found someone else had filed using their name. And that was the core of the scam.

Here’s what they discovered. The thieves were using public sites like Ancestry.com to assemble the identities of the living and the dead, and were also buying complete identities on the black market – something that’s surprisingly easy for anyone to do.

Once the thieves had assembled enough information about an individual, they used off-the-shelf tax return software like Turbo Tax to file fraudulent tax returns. And that was probably the easiest part of the entire scam. The IRS is unable to thoroughly review or cross-reference every single tax return they receive, or spot any red flags like a sudden change of a taxpayer’s address. And if the amount of the return is under $10,000, it rarely gets scrutinized.

So naturally the thieves kept their returns under the $10,000 threshold and then sat back and watched the IRS rain money down on them. That money came in credit cards or checks issued by the Treasury and sent to a variety of homes, some of them vacant, or deposited electronically into bogus accounts.

Once they had their hands on the funds, the thieves would go on spending sprees. The scheme was so lucrative and widespread, authorities in the area said they noticed a significant reduction in street-level drug dealing. According to the story, informants told police that local drug dealers quickly realized that identity theft was a much more lucrative and safe line of business.

As soon as authorities got wind of the scheme, they assembled a task force that included police and Sheriff’s departments, the United States Secret Service, the United States Postal Inspection Service, State Attorney’s Office, and the United States Attorney’s Office.

But in spite of all the evidence they had gathered, authorities had trouble in filing charges of tax fraud because the IRS refused to share the records they had – apparently the IRS protects the personal information of thieves who are caught committing tax fraud.

Nearly fifty people have been arrested so far, and here’s exactly how law enforcement laid out the multiple steps in this bizarre criminal enterprise:

• Create Fake Identity

• Suspects search the web to find identities of deceased or living victims.

• Defendants buy large volume of identities from suspects who are stealing names and social security numbers from businesses, medical facilities or prisons.

• File Fraudulent Tax Return Online

• Suspects use multiple electronic filing programs including, Turbo Tax, Tax Hawk and Tax Slayer. Turbo Tax is the most commonly used.

• Suspects refer to this tax scam as “doing drops.”

• Request Refund on Green Dot Card, Treasury Check or Direct Deposit

• Suspects have refunds sent to vacant homes, another suspect’s home or an innocent bystander’s home and then intercept the mail.

• Defendants open fraudulent bank accounts to receive direct deposits.

• Cashing in the Refund

• Suspects withdraw money from ATM’s.

• Buy large ticket items or money orders at legitimate businesses.

• Suspects launder the money through illegal businesses.

And apart from how easy it was to pull of the scam – if they’d stuck to victimizing dead people they might never have been caught – the most worrying part of the story is how drug dealers and other criminals are turning away from traditional crimes and to identity theft. And with so few investigations, arrests and prosecutions for identity theft, what have these crooks to worry about?

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.

Intersections’ Consumer Security Adviser Neal O’Farrell shares some important tips to protect your laptop, smart phone and tablet.

One thing we know about hackers and identity thieves is that they always follow the crowds and the data, and as more people use laptops and tablets to run the personal and professional lives these devices are a major target.

And with so many Android tablets now on the market, Android-powered tablets could be exposed to the very same risks as Android-powered smart phones. A recent report by McAfee found a huge spike in Android malware, and Android devices were the top mobile target for scammers.

Laptop theft and loss are far more common than you might think. Research firm IDC reports that around 90% of U.S. firms have reported losing laptops. And the makers of the LoJack laptop recovery service claim that a laptop goes missing about every 50 seconds.

And the loss of a laptop or tablet can be devastating for your employer and your workplace. According to Data Loss DB, a research project aimed at documenting known and reported data loss incidents and data breaches world-wide, more than 30% of data breaches were the result of a lost or stolen laptop, mobile phone, or other portable media device.

So here are some simple reminders of the steps you can take to protect your device from theft and its consequences.

1. Encrypt it! This should be the fundamental rule for every laptop, and many experts argue that all laptops should be encrypted by default. Encryption locks either the entire hard drive or specific folders with an unbreakable code. So if the laptop is lost, the data is safe.

2. Use strong passwords. The next best layer of security after encryption is the password, and while a determined thief might be able to get past your password, it’s still a powerful defense. So make sure that your laptop is set to request a password every time you want start or use it, and make sure it’s a very strong password.

3. Don’t use a laptop case – it’s a bright red flag to thieves that you’re carrying a laptop. Most laptops and tablets are small enough to carry in a briefcase or backpack.

4. Be careful using Wi-Fi – because they’re supposed to be accessible to the public, Wi-Fi networks are also easily accessible to hackers and eavesdroppers. So if you have to use a Wi-Fi network in a public place like a coffee shop or hotel, don’t use it to access anything sensitive like your bank account.

5. Don’t use your laptop to store or move sensitive information. If you lose it, you only have to worry about the value of the device itself and not the harm the thief can do with it.

6. Treat it like a desktop computer. Make sure you always have layers of up-to-date security, including firewall, virus protection, browser security, keylogger protection, and all the other security software that you would expect on a desktop.

7. Don’t forget tablet security. I’m amazed to see how many people are not aware that there are anti-virus programs available for Android tablets. They’re still pretty rudimentary, in part because tablets don’t have the processing power for conventional anti-virus software. But there are a growing number of tablet security solutions available.

8. Use a tracking and recovery service – services like YouGetItBack.com and Computrace will help you track and recover your laptop, tablet, or smartphone, and often for just a couple of bucks a month.

9. Spare the apps – don’t download endless apps just because they’re cool or free. Only download apps you really need and make sure they’re from trusted sources.

10. Most important of all, be careful where you leave them. Laptops and tablets have become such a familiar accessory, often times they get left behind – at hotels and bars, in taxis, at airports. According to an article in PC World, LaGuardia Airport in New York reports that more than 70,000 laptops and PDAs have been left behind by passengers. Just because they’re portable doesn’t mean they’re forgettable.

Want to learn more about identity theft protection and our credit monitoring services?

Keep informed about the latest threats to your safety. Join our Facebook group.