How consumers feel about retail data breaches

Generali Global Assistance released the findings of its survey which examines consumer sentiment on retail data breaches and the identity theft risks holiday shopping poses.

Growing comfort with online shopping

Among those who avoided it entirely, comfort with online shopping has grown substantially this year.

  • 30% of Americans surveyed avoided online shopping due to the potential security risks prior to the COVID-19 pandemic
  • 74% of those who avoided online shopping due to security risks say they are using their credit card online more often as a direct result of the pandemic-induced retail lockdowns
  • 73% of those who avoided online shopping in the past agree they have become more comfortable shopping online since the start of the pandemic

Many plan to shop in brick-and-mortar stores

Online shopping dominates this year, but nearly half plan to shop in brick-and-mortar stores.

  • 86% of consumers plan to do their holiday shopping online, up 21 percent from last year, likely due to the pandemic
  • 48% indicated they will shop for the holidays in a brick-and-mortar store, down 15 percent from last year
  • 70% of holiday shoppers plan to shop at two to five brick-and-mortar and/or online stores
  • 18% indicated they will go to more than six stores this holiday season

Growing concern about data breaches

2 in 3 are concerned about data breaches during holiday shopping season; nearly 4 in 5 will think twice before doing business with a breached retailer.

  • 66% of Americans surveyed expressed concern about their financial or personal information being compromised due to a data breach while shopping this holiday season
  • 78% of customers indicated that they would be concerned about doing business with a retailer if they experienced a breach
  • The share of customers who expressed concern over retailers who’ve been breached is down a point from last year, continuing a potential trend of consumer apathy toward data breaches that GGA identified last year

Identity protection services are preferred

Most shoppers would feel more secure if a retailer offered them identity protection services.

  • 64% of Americans indicated they would feel more secure doing business with a retailer if that retailer offered them identity protection services
  • That compares with 61% of Americans in 2018 and 55% in the year prior who indicated they would feel more secure if a retailer offered them ID theft protection
  • The increase reveals that more consumers understand the need for identity theft protection today

Identity theft is viewed as a threat this year by over 2 in 5 Americans

  • 61% of shoppers indicate that data breaches of online merchants or credit card providers are still the biggest threat to their identity, up 14 percent from last year
  • 43% of Americans indicated that identity theft is their greatest threat this year
  • 28% perceive having their identity stolen due to a COVID-19 related scam as the greatest threat to their personal info, whether it be a COVID-related employment scam (20%) or a health scam (17%)
  • Break-in or pickpocket (15%), a tax scam (13%), and to a lesser extent, a puppy scam (7%) were the other types of identity theft considered a danger by respondents

Big box stores are trusted most with personal data

  • 40% of Americans trust big box stores the most with their personal data this holiday shopping season
  • 36% consider e-retailers the most trustworthy
  • Only 22% of the survey respondents trust their local small businesses with their personal data.

Paige Schaffer, CEO, Global Identity and Cyber Protection Services at Generali Global Assistance, commented on the findings, “Consumers’ shopping behavior has evolved rapidly as a result of the pandemic forcing even the 30 percent of Americans who used to avoid online shopping entirely to take their business online.

“While consumers’ growing apathy around breaches continued, our survey also showed that more of them understand the need for identity protection. Making sure the average consumer’s personal information is safe and offering them support in the wake of an incident will improve customer loyalty among all retailers from the big box super store to the local mom and pop shop.”

Using drones to improve 5G network security

The introduction of 5G will change the way we communicate, multiply the capacity of the information highways, and allow everyday objects to connect to each other in real time.

Its deployment constitutes a true technological revolution not without some security hazards. Until 5G technology has definitively expanded, some challenges remain to be resolved, including those concerning possible eavesdropping, interference and identity theft.

Unmanned Aerial Vehicles (UAVs), also known as drones, are emerging as enablers for many applications and services, such as precision agriculture, search and rescue, or, in the field of communications, temporary network deployment, coverage extension and security.

Giovanni Geraci, a researcher with the Department of Information and Communication Technologies (DTIC) at UPF, points out in a recent study: “On the one hand, it is important to protect the network when it is disturbed by a drone that has connected and generates interference. On the other, in the future, the same drones could assist in the prevention, detection, and recovery of attacks on 5G networks”.

The study poses two different cases

First, the use of UAVs to prevent possible attacks, still in its early stages of research, and, secondly, how to protect the network when disturbed by a drone, a much more realistic case, as Geraci explains: “A drone could be the source of interference to users. This can happen if the drone is very high up and when its transmissions travel a long distance because there are no obstacles in the way, such as buildings”.

The integration of UAV devices in future mobile networks may expose the latter to potential risks of attack based on UAVs. UAVs with cellular connection may experience radio propagation characteristics that are probably different from those experienced by a terrestrial user.

Once a UAV flies well above the base stations, it can create interference or even enable rogue applications, such as a mobile phone connected to a UAV without authorization.

Using drones to improve 5G security

Based on the premise that 5G terrestrial networks will never be 100% secure, the authors of this study also suggest using UAVs to improve the security of 5G and beyond wireless access.

“In particular, in our research we have considered jamming, identity theft, or ‘spoofing’, eavesdropping, and the mitigation mechanisms that are enabled by the versatility of UAVs”, the researchers explain.

The study shows several areas in which the diversity and 3D mobility of UAVs can effectively improve the security of advanced wireless networks against eavesdropping, interference and ‘spoofing’, before they occur or for rapid detection and recovery.

“The article raises open questions and research directions, including the need for experimental evaluation and a research platform for prototyping and testing the proposed technologies”, Geraci explains.

63 billion credential stuffing attacks hit retail, hospitality, travel industries

Akamai published a report detailing criminal activity targeting the retail, travel, and hospitality industries with attacks of all types and sizes between July 2018 and June 2020. The report also includes numerous examples of criminal ads from the darknet illustrating how they cash in on the results from successful attacks and the corresponding data theft.

“Criminals are not picky — anything that can be accessed can be used in some way,” said Steve Ragan, Akamai security researcher and author of the State of the Internet / Security report.

“This is why credential stuffing has become so popular over the past few years. These days, retail and loyalty profiles contain a smorgasbord of personal information, and in some cases financial information too. All of this data can be collected, sold, and traded or even compiled for extensive profiles that can later be used for crimes such as identity theft.”

Recirculating old credential lists to identify new vulnerable accounts

During the COVID-19 pandemic-related lockdowns in Q1 2020, criminals took advantage of the worldwide situation and circulated password combination lists, targeting each of the commerce industries featured in the report.

It was during this time that criminals started recirculating old credential lists in an effort to identify new vulnerable accounts, leading to a significant uptick in criminal inventory and sales related to loyalty programs.

Between July 2018 and June 2020, more than 100 billion credential stuffing attacks were observed in total. In the commerce category – comprising the retail, travel, and hospitality industries – there were 63,828,642,449 recorded. More than 90% of the attacks in the commerce category targeted the retail industry.

Credential stuffing isn’t the only way that criminals target the retail, travel, and hospitality industries. They target organizations in these industries at the source using SQL Injection (SQLi) and Local File Inclusion (LFI) attacks.

Between July 2018 and June 2020, 4,375,711,860 web attacks against retail, travel, and hospitality were observed, accounting for 41% of the overall attack volume across all industries. Within this data set, 83% of those web attacks targeted the retail sector alone.

SQLi attacks are an evident favorite among criminals, accounting for just under 79% of the total web application attacks against retail, travel, and hospitality.

The holiday shopping season altered by the pandemic

As the global economy prepares for a holiday shopping season, it does so in an environment that has changed radically due to the pandemic. Consumers will not be standing outside of brick and mortar stores waiting for the latest deals in the same way they have in the past. They’re going to log in, collect their reward points, and maybe use loyalty programs to gain some discounts or other perks just for being a member.

Considering everything that goes into a successful loyalty program, and the information people need to provide in order to take part, the criminals have everything they need to get started in a number of crime-related ventures, from account takeovers, to straight-up identity theft. So, while an individual’s loyalty to a merchant, airline, or hotel chain might not literally be for sale, there’s a good chance the account associated with such programs might be.

“All businesses need to adapt to external events, whether it’s a pandemic, a competitor, or an active and intelligent attacker,” Ragan concluded.

“Some of the top loyalty programs targeted require nothing more than a mobile number and a numeric password, while others rely on easily obtained information as a means of authentication. There is an urgent need for better identity controls and countermeasures to prevent attacks against APIs and server resources.”

Confessions of an ID Theft Kingpin, Part II

Yesterday’s piece told the tale of Hieu Minh Ngo, a hacker the U.S. Secret Service described as someone who caused more material financial harm to more Americans than any other convicted cybercriminal. Ngo was recently deported back to his home country after serving more than seven years in prison for running multiple identity theft services. He now says he wants to use his experience to convince other cybercriminals to use their skills for good. Here’s a look at what happened after he got busted.

Hieu Minh Ngo, 29, in a recent photo.

Part I of this series ended with Ngo in handcuffs after disembarking a flight from his native Vietnam to Guam, where he believed he was going to meet another cybercriminal who’d promised to hook him up with the mother of all consumer data caches.

Ngo had been making more than $125,000 a month reselling ill-gotten access to some of the biggest data brokers on the planet. But the Secret Service discovered his various accounts at these data brokers and had them shut down one by one. Ngo became obsessed with restarting his business and maintaining his previous income. By this time, his ID theft services had earned roughly USD $3 million.

As this was going on, Secret Service agents used an intermediary to trick Ngo into thinking he’d trodden on the turf of another cybercriminal. From Part I:

The Secret Service contacted Ngo through an intermediary in the United Kingdom — a known, convicted cybercriminal who agreed to play along. The U.K.-based collaborator told Ngo he had personally shut down Ngo’s access to Experian because he had been there first and Ngo was interfering with his business.

“The U.K. guy told Ngo, ‘Hey, you’re treading on my turf, and I decided to lock you out. But as long as you’re paying a vig through me, your access won’t go away’,” the Secret Service’s Matt O’Neill recalled.

After several months of conversing with his apparent U.K.-based tormentor, Ngo agreed to meet him in Guam to finalize the deal. But immediately after stepping off of the plane in Guam, he was apprehended by Secret Service agents.

“One of the names of his identity theft services was findget[.]me,” O’Neill said. “We took that seriously, and we did like he asked.”

In an interview with KrebsOnSecurity, Ngo said he spent about two months in a Guam jail awaiting transfer to the United States. A month passed before he was allowed a 10-minute phone call to his family to explain what he’d gotten himself into.

“This was a very tough time,” Ngo said. “They were so sad and they were crying a lot.”

First stop on his prosecution tour was New Jersey, where he ultimately pleaded guilty to hacking into MicroBilt, the first of several data brokers whose consumer databases would power different iterations of his identity theft service over the years.

Next came New Hampshire, where another guilty plea forced him to testify in three different trials against identity thieves who had used his services for years. Among them was Lance Ealy, a serial ID thief from Dayton, Ohio who used Ngo’s service to purchase more than 350 “fullz” — a term used to describe a package of everything one would need to steal someone’s identity, including their Social Security number, mother’s maiden name, birth date, address, phone number, email address, bank account information and passwords.

Ealy used Ngo’s service primarily to conduct tax refund fraud with the U.S. Internal Revenue Service (IRS), claiming huge refunds in the names of ID theft victims who first learned of the fraud when they went to file their taxes and found someone else had beat them to it.

Ngo’s cooperation with the government ultimately led to 20 arrests, with a dozen of those defendants lured into the open by O’Neill and other Secret Service agents posing as Ngo.

The Secret Service had difficulty pinning down the exact amount of financial damage inflicted by Ngo’s various ID theft services over the years, primarily because those services only kept records of what customers searched for — not which records they purchased.

But based on the records they did have, the government estimated that Ngo’s service enabled approximately $1.1 billion in new account fraud at banks and retailers throughout the United States, and roughly $64 million in tax refund fraud with the states and the IRS.

“We interviewed a number of Ngo’s customers, who were pretty open about why they were using his services,” O’Neill said. “Many of them told us the same thing: Buying identities was so much better for them than stolen payment card data, because card data could be used once or twice before it was no good to them anymore. But identities could be used over and over again for years.”

O’Neill said he still marvels at the fact that Ngo’s name is practically unknown when compared to the world’s most infamous credit card thieves, some of whom were responsible for stealing hundreds of millions of cards from big box retail merchants.

“I don’t know of anyone who has come close to causing more material harm than Ngo did to the average American,” O’Neill said. “But most people have probably never heard of him.”

Ngo said he wasn’t surprised that his services were responsible for so much financial damage. But he was utterly unprepared to hear about the human toll. Throughout the court proceedings, Ngo sat through story after dreadful story of how his work had ruined the financial lives of people harmed by his services.

“When I was running the service, I didn’t really care because I didn’t know my customers and I didn’t know much about what they were doing with it,” Ngo said. “But during my case, the federal court received like 13,000 letters from victims who complained they lost their houses, jobs, or could no longer afford to buy a home or maintain their financial life because of me. That made me feel really bad, and I realized I’d been a terrible person.”

Even as he bounced from one federal detention facility to the next, Ngo always seemed to encounter ID theft victims wherever he went, including prison guards, healthcare workers and counselors.

“When I was in jail at Beaumont, Texas I talked to one of the correctional officers there who shared with me a story about her friend who lost her identity and then lost everything after that,” Ngo recalled. “Her whole life fell apart. I don’t know if that lady was one of my victims, but that story made me feel sick. I know now that what I was doing was just evil.”

Ngo’s former ID theft service usearching[.]info.

The Vietnamese hacker was released from prison a few months ago, and is now finishing up a mandatory three-week COVID-19 quarantine in a government-run facility near Ho Chi Minh City. In the final months of his detention, Ngo started reading everything he could get his hands on about computer and Internet security, and even authored a lengthy guide written for the average Internet user with advice about how to avoid getting hacked or becoming the victim of identity theft.

Ngo said while he would like to one day get a job working in some cybersecurity role, he’s in no hurry to do so. He’s already had at least one job offer in Vietnam, but he turned it down. He says he’s not ready to work yet, but is looking forward to spending time with his family — and specifically with his dad, who was recently diagnosed with Stage 4 cancer.

Longer term, Ngo says, he wants to mentor young people and help guide them on the right path, and away from cybercrime. He’s been brutally honest about his crimes and the destruction he’s caused. His LinkedIn profile states up front that he’s a convicted cybercriminal.

“I hope my work can help to change the minds of somebody, and if at least one person can change and turn to do good, I’m happy,” Ngo said. “It’s time for me to do something right, to give back to the world, because I know I can do something like this.”

Still, the recidivism rate among cybercriminals tends to be extremely high, and it would be easy for him to slip back into his old ways. After all, few people know as well as he does how best to exploit access to identity data.

O’Neill said he believes Ngo probably will keep his nose clean. But he added that Ngo’s service if it existed today probably would be even more successful and lucrative given the sheer number of scammers involved in using stolen identity data to defraud states and the federal government out of pandemic assistance loans and unemployment insurance benefits.

“It doesn’t appear he’s looking to get back into that life of crime,” O’Neill said. “But I firmly believe the people doing fraudulent small business loans and unemployment claims cut their teeth on his website. He was definitely the new coin of the realm.”

Ngo maintains he has zero interest in doing anything that might send him back to prison.

“Prison is a difficult place, but it gave me time to think about my life and my choices,” he said. “I am committing myself to do good and be better every day. I now know that money is just a part of life. It’s not everything and it can’t bring you true happiness. I hope those cybercriminals out there can learn from my experience. I hope they stop what they are doing and instead use their skills to help make the world better.”

The benefits of providing employees with an identity compromise solution

Employees find significant value in having access to an identity compromise solution, having an available remediation solution creates a better mindset for those that use it, and there are halo results that benefit others (especially employers), an Identity Theft Resource Center (ITRC) and Aura Identity Guard survey reveals.

More reports of identity theft than any other category

In 2019, the Federal Trade Commission (FTC) received over 3.2 million reports of fraud with more reports of identity theft than any other category. There is an opportunity to provide the needed support employees are asking for by giving them access to an identity compromise solution as a component of the benefits suite.

“Cybersecurity is an organizational issue,” said Eva Velasquez, president and CEO of the ITRC.

“Cybersecurity is not only in the hands of an IT or security department. Every employee plays a crucial role in its company’s security network. That is why it is so critical employees are educated on cybersecurity and have the proper cyber-hygiene tools.”

The impact of COVID-19

In some cases, the COVID-19 pandemic has highlighted the importance of offering an identity compromise solution as an employee benefit. COVID-19 forced many employers to rethink how to conduct business when federal and state governments, under the guidance of the Centers for Disease Control (CDC), issued stay-at-home orders for all nonessential businesses.

Many employers were put in the unfamiliar situation of ensuring that their employees’ home environments could sustain their work requirements. Employees had to ensure that their home computing networks, including home routers and modems, had the appropriate security settings in place.

Tessian’s report found nearly half of the people surveyed said they are forced to find workarounds for security policies while working from home to do the work required.

“The results of this study clearly indicate the value employees place on having their personal information protected – especially during this pandemic. Additionally, the results illustrate something we’ve known to be true: by protecting employees, employers are also able to protect themselves from digital malice by instilling a culture of cybersecurity across the enterprise,” said Hamed Saeed, General Manager of Aura Identity Guard.

The need for an identity compromise solution

The findings support that many employees want an identity compromise solution in some manner – from a referral to a free non-profit service, all the way to an employer-paid solution. Over 82 percent of employers surveyed said that offering access to an identity compromise solution did, indeed, provide value to their staff.

In early 2020 Aftermath survey results, 24.6 percent of victims have had issues with their employer as a result of their personal identity compromise and 27.3 percent have had challenges with their boss or coworkers.

27% of consumers hit with pandemic-themed phishing scams

Phishing is the top digital fraud scheme worldwide related to the COVID-19 pandemic, TransUnion reveals.

Among consumers reporting being targeted with digital COVID-19 schemes globally, 27% said they were hit with pandemic-themed phishing scams.

“From the impacts of phishing and other well documented COVID-19 scams like unemployment fraud, it’s clear that fraudsters have the data and increasing opportunities to create synthetic identities and utilize stolen identities,” said Shai Cohen, senior vice president of Global Fraud & Identity Solutions at TransUnion.

“Identity fraud is a primary way fraudsters leverage stolen consumer data from phishing and other social engineering schemes. It can have long-term impacts for consumers such as the compromise of multiple online accounts and bringing down credit scores, which we anticipate will increase during pandemic reconstruction.”

To better understand the impacts of COVID-19 on consumers, 7,384 adults in Canada, Colombia, Hong Kong, South Africa, the U.K., and the U.S. were surveyed between June 30 and July 6, 2020.

The survey asked consumers whether they had been targeted by digital COVID-19 fraud and, if so, which digital fraud scheme(s) related to COVID-19 they were targeted with. Globally, 32% said they had been targeted by digital fraud related to COVID-19, with the below being the top types of COVID-19 fraud they faced:

Top global online COVID-19 scams targeting consumers

Online COVID-19 scams targeting consumers by country

“Although the schemes may vary by country, a new approach to identity verification that supplements traditional authentication methods is needed to defend against their impact,” said Cohen. “The key is creating a friction-right experience where consumers are confident they are dealing with a legitimate organization or business.”

Identity fraud: Protecting your customers from the new kids in town

It’s one thing to have your credit card stolen, but your identity is a whole other ball game. The worst thing is, it’s a lot more common than you’d think. Identity fraud affects around one in 15 people in the US and has never been higher in the UK. The fraudsters have built their own subculture as new tools and channels lower the bar for entry. It’s time to strap in, because the challenge will only grow in the next few years.

When a customer calls to say their account has been hijacked, their confidence in you and your security measures is shot. How you respond is vital, but it would’ve been far better if it had never happened in the first place.

While it seems surprising, there is a way to turn identity fraud into a positive customer experience. However, it all depends on your ability to detect and prevent the fraud before it can do any damage. For this, you need an intelligent screening process and the right joined-up systems in place.

Culture shock

Fraud is nearly as old as money itself. The reason we haven’t managed to put a stop to it is that fraudsters have been able to adapt. When we clamp down on one form, the fraudsters move to another. In the US, while we were busy tackling cheque fraud, the fraudsters were starting to create synthetic IDs.

To combat fraud effectively, financial companies need to know what they’re up against. Fraud has changed in recent years, and it continues to evolve. Organizations don’t just face isolated lone wolves and criminal outfits, they’re taking on an entire online subculture of fraudsters.

Social media has created countless online communities, some good and some bad. But what we’re seeing now is the rise of the new kids on the block – the next generation of tech-enabled fraudsters. This crowdsourced community is truly international, able to share techniques, tools, warnings and opportunities online. Rap artist Teejayx6 has even been able to hide fraud lessons in his song lyrics, turning him into a fraud folk hero.

What’s happening is that fraud is being democratized. Where resources and experience used to be key to success, anyone with an internet connection can access the dark web tools they need to pull it off. For organizations, this means fraud attacks will be coming from every direction and across every channel non-stop.

The only way to protect yourself and your customers from these new fraud attacks is by having technology in place that lets you adapt. Systems should be integrated and agile, and your methods for fraud detection should be intelligent and dynamic enough to change.

Knowledge is power

As financial companies have moved online, so have the fraudsters. A criminal doesn’t have to search through garbage bags for bank statements to steal a person’s identity – they can now get all the info they need on social media or even a phone call.

The customer is always the weakest link when it comes to security. It’s no accident that 70% of successful fraud attacks begin on the telephone, and 10% through direct email. Fraudsters will target them relentlessly, tricking them into sharing personal info, passwords and account numbers. They may go as far as stealing victims’ personal devices.

The first line of defense will fail: fraudsters will get what they need from their target and can start exploiting their online accounts. It’s here that a company has to step in to protect the customer.

To do this, you need a truly intelligent, insight-driven screening process for every channel. Have a way to accurately identify and verify each customer interaction, to ensure the user is who they say they are. Data is the most important thing, but so many authentication systems only make use of a fraction of what’s available.

A secure and efficient verification system needs to assess a lot of different typologies. Only confirming that a user is using a familiar device doesn’t mean they are being honest. You should check them against multiple typologies – like experiential information, user behavior and public records – before you give them access.

Organizations don’t have to check for every data type, but they do need to be exact. Identity fraudsters build entire synthetic identities on top of their victim’s – they’ll change personal details, addresses and public information to make their identity more believable. If you check for more factors, you’re more likely to catch them out.

If the user passes these checks, they can safely be let in. If they don’t, it’s time to give the customer a call, either for further authentication or to tell them their identity is in danger. When you have the data-driven insight to warn a customer about fraud before it happens, you turn it into a positive customer experience. They’ll be sure that their identity and business is safe with you.

New account fraud has more than doubled since 2014

New account fraud increased 27.8% worldwide YTD in 2019, compared to full-year 2018 results, and more than 100% compared to 2014 levels, Jumio reveals.

Surprisingly, attempted new account fraud was 19% lower during the Black Friday/Cyber Monday weekend (compared to the average 2019 fraud levels), when fraud attempts normally escalate.

Often, the first step in identity theft starts by creating a new account online. Identity theft is the deliberate use of someone else’s identity (e.g., name, address, Social Security number, bank accounts) to get money and credit and make holiday purchases. But, identity theft is also being used to perpetrate online fraud, steal property, falsify educational and other credentials, access healthcare and launder money.

“As cybercriminals perfect and fine-tune their impersonation efforts, it’s getting more difficult for modern enterprises to distinguish high-risk from low-risk users — and this is only going to accelerate thanks to large-scale data breaches, the evolution of the dark web and the looming threat of identity theft,” said Philipp Pointner, Jumio’s chief product officer.

“All too often, companies rely on traditional methods of identity verification which are not well equipped to detect sophisticated methods of new account fraud.”

Additional findings:

  • New account fraud increased to 1.8% in 2019, a 106.8% increase over 2014 levels. During this year’s holiday period, new account fraud dipped to 1.5% which was still more than 80% higher than 2014 holiday levels.
  • The Asia-Pacific region experienced the highest rates of full-year fraud at 3.27% while the U.S. had the lowest rates of fraud at 0.88% — a trend which has been pretty consistent over the last six years. While the U.S. experienced lower holiday fraud rates in 2019, new account fraud was still 138% higher in 2019 compared to 2014 levels.
  • Fraud levels in emerging markets, while varied, were significantly higher than developed markets.
  • The cryptocurrency and online gaming/gambling industries experienced higher-than-average fraud levels while the sharing economy and travel and entertainment industries experienced minimal fraud levels (i.e., less than 0.6%).

As the online shopping season begins, consumers worry about cybercrime

A majority of U.S. consumers plan to do most of their holiday shopping online for the first time ever, yet a survey from F-Secure finds that most internet users remain concerned about their exposure to cybercrime.

Major consumer trends

The survey of shoppers highlighted 3 major trends among American consumers: Bank account hacking and data breaches are the biggest worries on the web. 62% are either worried or extremely worried about a hacker taking over …


Risky behavior exposes consumers to seasonal security scares

In advance of the peak shopping season, a study from PCI Pal shows that millions of Americans continue to over-indulge in risky behaviors – both online and on the phone, leaving themselves open to seasonal security scares. While 49% of Americans have reportedly been the victims of cybercrime, the study concludes that fears of fraud have not done enough to significantly change consumer behaviors. The data identified the seven seasonal security ‘sins’ more likely to …


Do your infosec habits make you vulnerable to fraud?

A third of Americans have been a victim of information fraud or identity theft. Despite notable data breaches in 2019, when asked if they update or change passwords/PINs after a company they do business with suffers a data breach, more than a quarter (28%) say only sometimes and nearly one in 10 (9%) say they don’t update their passwords at all, according to a Shred-it survey.

Safeguarding sensitive data

Four in ten (41%) Americans who …


Evaluating cyber risk during the holiday season

Fears of data loss, identity theft and fraud are leaving American consumers on edge this holiday season, and they’re prepared to hold their financial institution responsible for the damages. This is according to a new study released by Terbium Labs, which found that 68 percent of shoppers would hold their bank at least partly responsible for fraudulent activity, regardless of how the compromise occurred.

The blame game

Americans are on high alert heading into the …


Preventing Identity Theft In The Business

Identity Theft And How To Prevent It In the Business

  • How to define identity theft and its causes;
  • What impact identity theft and identity crime have;
  • What eight steps you can take to prevent identity theft in your business;
  • How to avoid becoming a victim of identity theft; and
  • How to help identity-theft victims.

  • Most identity thefts occur in the workplace.
  • Identity theft is not the same as identity crime.
  • Identity theft is the misappropriation of an identity; identity crime is using the stolen identity to perpetrate a theft or other crime.
  • Federal laws require businesses to implement security programs.
  • The Health Insurance Portability and Accountability Act (HIPAA) aims to protect individuals’ personal information, but it may make it even less secure.
  • To prevent identity theft, address both people and processes.
  • Company culture is a critical component of identity-theft prevention programs.
  • Victims of identity theft need help and consolation.
  • Consumers should know the online merchants with whom they deal.
  • Never give your bank account or government identification number, such as a Social Security number, to online vendors.

Identity Theft and Identity Crime

Most identity thefts occur in the workplace. Relatively few involve dumpster diving or burglary. Although personal identity theft has made headlines, businesses can be victims of identity theft – they can also be unwitting accomplices. However, identity theft is preventable. Federal legislation now mandates that all businesses adopt security measures to protect their customers’ personal information, although it does not tell them how to do it.

Identity theft and identity crime are not synonymous. Identity theft is the misappropriation of someone else’s personal or business information, such as name, residential address, workplace location, identification number (such as Social Security number), bank account numbers and mother’s maiden name.

“Financial institutions, retail businesses and service providers bear…the costs for fraudulently purchased merchandise or services using the stolen identity of an employee, customer or patient.”

Identity theft is often the precursor to identity crime – the use of misappropriated information to purchase goods and services, apply for credit or commit other crimes.

“Identity thefts and concomitant crimes [have increased because] investigations are particularly costly and local law enforcement has been stripped of crime-fighting resources.”

Identity crimes have ripple effects on their victims. If the “primary” fraud involves buying things on credit, a “secondary” fraud may involve renting post office boxes in the victim’s name to receive delivery of the fraudulently purchased material.

Outsourced operations are tempting targets for identity thieves, because outsourced credit card operations and other transactions can involve transmitting data to unsecured locations or Web sites in developing countries where people believe all Westerners are wealthy. Problems of jurisdiction, constraints on police resources and the absence of antitheft legislation contribute to these unsafe environments.

“The term ‘identity’ is commonly used arbitrarily and imprecisely in popular media and literature.”

Identity theft is an important technological tool for terrorism. Terrorists trained in Afghanistan received as many as five fraudulent identities and directions on how to use them.

“The terms ‘identity theft’ and ‘identity crime’ are frequently used interchangeably.”

The Consequences of Identity Fraud

Identity theft victims experience three kinds of harm:

  1. Financial losses – Many people discover that they are victims of identity theft and crime only when they receive a call from a credit or collection agency. They find unauthorized telephone calls on their bills or discover that thieves have drained their bank accounts.
  2. Emotional losses – Identity-theft victims experience feelings similar to those of rape victims: a sense of personal violation, fear, shock, helplessness, loss of control, frustration, depression and anger.
  3. Time losses – Victims must spend time putting their affairs back in order, resulting in loss of productivity at work, paranoia, relationship difficulties and loss of trust for co-workers, who may have perpetrated the theft.

“Identity theft, however, is to be distinguished from identity crimes – those offenses committed using stolen personal or business identifying information – or ‘identities’.”

Identity theft also has a three-pronged impact on business victims:

“Phishing [is] the fraudulent cloning of a legitimate business Web site and sending a fake e-mail letter requesting personal information under the auspices of updating company records.”

  1. Costs – Perpetrators purchase goods or services, or fraudulently obtain credit in the company’s name.
  2. Fraud – Perpetrators defraud individuals and companies.
  3. Deception – Perpetrators misappropriate a business identity to deceive other victims. For example, in so-called “phishing” scams, perpetrators imitate a business’s Web site to collect information from its customers and other stakeholders.

The Legal Requirements

U.S. law requires financial services institutions to take these steps to prevent identity theft and crime:

“The primary asset of every business is people: the employees…the customers…and the suppliers, vendors, contractors, shareholders and other stakeholders, any of whom may have access to employee or customer identities.”

  • They must offer privacy notices to customers. Customers must have the option of refusing to allow the institution to share their information with other parties.
  • They must not release information to unauthorized recipients.
  • When they do release information, they must ensure that it is accurate.
  • They must disclose the recipients of information.
  • They must identify security risks, both internally and externally.
  • They must adopt information security programs.

“Although thefts do occur from…homes, cars and persons, the majority of identity thefts are committed inside the workplace by a relatively few dishonest employees who steal the personal identification data of a company’s most valued assets: customers and co-workers.”

Health care providers also face U.S. legal requirements. Ironically, the Health Insurance Portability and Accountability Act (HIPAA), which was supposed to ensure patients’ privacy, created a massive database that contains information on everyone in the United States who has health insurance or has received medical care. This database will almost certainly become a tempting target for identity thieves.

Securing Your Business

Company culture is the most important constituent of an identity-theft prevention program. A culture of integrity creates the context for information security. To secure your business, evaluate the following four factors:

“Security, [like] quality, must center on both ‘people’ and ‘work processes’.”

  1. People – Find out who has access to sensitive business information. Analyze all jobs, including their “internal” and “external” functions. When you recruit and hire staff, the applicants’ ability to handle security responsibilities should be as important as their motivation.
  2. Processes – Select a project team of three to five members from various backgrounds, including at least one manager. The team will identify sources of identity information, map the flow of information through the company, identify points of vulnerability and develop security approaches. It can assess information risk using such techniques as cause-and-effect analysis, flowcharts and Pareto charts, which show the relative importance of various factors.
  3. Property – Proprietary information and other intangibles are probably your most valuable assets.
  4. Customers – Customers use Web sites whose security they trust. Supplement your own brainstorming and analyses with surveys of customers and potential customers. Assess their perceptions of your security measures. Make sure your customers understand your security measures.

“For information security, an honest company culture is vital.”

Use “Best Practices” to Protect Your Customers and Yourself

Educate yourself, your staff and your customers about the following “best practices” you – and they – can use to avoid becoming victims of identity theft and crime:

  • Know your vendors – Check their credentials with a business monitoring agency, such as the Better Business Bureau in the U.S., especially if you are doing business with them for the first time.
  • Make sure the Web site is secure – Before making an online purchase, look for a security icon, usually a padlock, on your browser bar.
  • Read the privacy policy – If you don’t see one, be very cautious – or better yet, find another vendor.
  • Never share sensitive personal information online – Keep identifiers such as your bank account or Social Security number to yourself.
  • Use a credit card with a low limit – Obtain one specifically for online transactions.
  • Check the company’s return policy – You should be able to return any products that are unsatisfactory.
  • Check contact information – Look for a toll-free telephone number on the Web site.
  • Understand shipping and handling charges – These can add up quickly.
  • Comparison shop – Check several Web sites to compare costs.
  • Save your receipt – Print out the purchase order that shows your confirmation number in case something goes wrong with your order.
  • Make sure the Web site shows the “Seal of Information Security” – This attests that the vendor protects consumers using Business Information Security Program standards.
  • Check consumer information – Look for the Better Business Bureau OnLine Reliability Seal or the TRUST e-seal.

“For purposes of information process security, the place in the process having the most potential threats is also the most important problem…to be secured.”

Eight Steps toward Healing

In a study of identity-theft victims, researchers found numerous emotional consequences. Women, in particular, often experienced the theft as a personal violation. Most people’s first reaction to the theft was fear, followed by despair and a sense of helplessness. Victims lost trust in their co-workers and in the companies with which they had shared personal information. The following inexpensive, eight-step program can help advocates provide victims of identity theft with the resources they need to recover financially and heal emotionally:

“Inform victims of the importance of obtaining a credit report every six months for at least the next two years, from each of the (U.S.) credit reporting agencies – each report may contain different information.”

  1. Listen – You convey the message that the theft is serious simply by listening to the victim’s story. Show your concern.
  2. Explain – Tell victims what to expect emotionally and financially. Suggest that they buy a notebook and keep a record of any information they discover about the theft.
  3. Recommend action – Victims should file police complaints, contact credit agencies and arrange password protection for bank accounts, credit cards and business accounts.
  4. Reassure – If victims are engaged in recovery actively, the emotional damage will be less severe and will last for a shorter time.
  5. Refer to The Victim’s Assistance Guide – This guide, based on research by the Michigan State University laboratory, lists useful contacts for victims.
  6. Educate victims about credit reports – Victims should check their credit reports at least twice a year for two years. The Victim Assistance Guide teaches victims how to read credit reports.
  7. Correct fraudulent information – Victims should report erroneous information on credit reports and fraudulent charges on accounts. The Victim Assistance Guide provides forms they can use to report security breaches.
  8. Gather information – Police departments often lack the resources to give identity crimes the attention they deserve. Victims can gather and provide useful information to police investigators.

Legislation and Advocacy

Business leaders should develop a legislative agenda for preventing identity theft. Financial institutions and other agencies have first-hand knowledge of identity theft, bear the costs of theft and will undoubtedly bear the costs of legislative compliance. But legislation is not necessarily based on good information and sound analysis. Therefore, business must ensure that any legislation addressing identity theft solves the problem and does not merely raise compliance costs.

Legislation should be preventative but not unduly constraining. Laws that merely react to crimes are not as useful as laws that proactively prevent them. The following bills will have a great effect on the business climate in the United States if they pass:

  • Senate Bill 125 – Requires disclosure to victims of identity theft about the use of their identities.
  • Senate Bill 168 – Prohibits businesses from printing Social Security numbers on certain materials.
  • Senate Bill 222 – Requires the establishment of identity theft units by the Office of Criminal Justice Planning.
  • Senate Bills 661 and 766 – Mandate biometric identifiers on drivers’ licenses and require people to apply in person for duplicate licenses.

Bills in various state assemblies would mandate identification verification for applications for driver’s licenses and credit cards. Others would criminalize the disclosure of driver’s license information by government employees, prohibit certain disclosures by financial institutions, redefine the rules of the game for prosecuting identity theft and mandate notice to consumers of frequent credit inquiries.

March 2017 – List of data breaches and cyber attacks


Data Breach Record – 29th March 2017

There have been a lot of data breaches this month, and that’s just considering the ones that I’ve been making a note of throughout the month.

I calculate the number of compromised records this month as 74,643,434. This number should be taken as an estimate and not the definitive number. The real number of compromised records is likely to be much higher.

Remember, this is the list of breaches and attacks that were discovered/announced this month, but did not necessarily take place this month.


One Reason Not To Go Online If You Live In The UK

One Big Reason Not To Go Online Until You Have Read This If You Live In The UK

*Please note that this was originally an Advertorial For Saferweb. But, it is still worth reading.

If you live in the UK and have a computer, tablet or smartphone connected to the internet, then this may be the most important news you read all year.

Earlier this month we saw thousands of people across the UK get their hands on the latest Online ID protection from SaferWeb, after yet another increase in identity theft and web-history monitoring.

We have however been advised that because of its unexpected popularity, availability is very limited and is now on a first come first serve basis.

Experts Are Now Calling SaferWeb, “A Game Changer For Internet Users”

As part of the special promotion due to end May 27, 2016, a group of Microsoft Gold Engineers teamed up with innovative new software provider SaferWeb, to provide the latest ID Protection that’s just gone viral.

If you have a desktop, laptop, tablet or smartphone connected to the internet, your activities could be monitored and private information collected when you’re Internet shopping or banking. Even just browsing online is a risk in 2016.

SaferWeb had a primary objective to eliminate this by boosting security and ensuring eavesdroppers cannot make sense of your encrypted communications.

Technical Lead John McBride, from SaferWeb, explains: “Our main objective for creating the app was pretty simple. We wanted to help users protect their Identity & Internet Connection to eliminate the risk of any online, banking or personal information being stolen, monitored or hacked.”

The company SaferWeb seemed to deliver on this objective perfectly. Using their technology will give a private tunnel between you and the internet that’s invisible to hackers or any malware, letting you browse the Internet anonymously and securely. Literally anyone can use it and it only takes 5 minutes to set up.

So how can SaferWeb give this away? Apparently this promotional tactic is common among big companies with large marketing budgets. For instance, Burger King launched a similar campaign in 2013, giving away 20,000 free whoppers on Facebook.

One user we spoke to said, “I came across SaferWeb and decided to give it a go, it’s less than a cup of coffee anyways. I noticed the difference right away and couldn’t be happier with results. I’ve always been anxious about who watches the sites I use and how safe my information really is and heard countless stories about people having their banking information hacked. This is the perfect solution to eliminate this.”


So, how do you Protect Your Online Identity Today?

Here is the simple 3 click step recommended by SmarterWebLife to get yourself instant protection:

Step 1: Click Here to go to SaferWeb, who are market leaders in securing your ID and internet connection to make it private.

Step 2: Click the “Get a Safer Web” button and enter your name, email and choose a password.

Step 3: Select a package: I recommend the “Pro” Plan (only £5). Not only will you be fully protected for life, but you’ll also get discounts on thousands of online purchases by accessing local currency rates when connecting your computer to the secure connection.

Step 4: Your connection and Online ID are now protected for life. One account for all your devices. It’s that simple.


UPDATE: The promotion is due to end on May 27, 2016, so we urge you to act fast to avoid disappointment.

Using a SaferWeb VPN server also unblocks many sports and movie channels. You can even book holidays and flights cheaper simply by connecting in a different location to that of your ISP.

By Alexandra Blackshaw | Smarter Web Life