Tag Archive for: identity theft expert

Is Document Shredding Still a Thing in This Digital Age?

Document shredding seems to have fallen out of favor. I recently received some questions from a client wondering if, in the age of remote massive database breaches by pajama-clad hackers, we should still shred our sensitive documents.  If it is so easy to access it digitally, then why would anyone go through the arduous, dirty work of old-fashioned dumpster diving?

In case you have the same questions, here are my thoughts:

Is Identity theft via paper still an issue in this digital age?

Without even a moment’s hesitation – YES IT IS! It no longer gets the press it used to and dumpster diving, physical file theft and the like never account for the sheer volume of identities stolen (it’s more profitable and efficient to hack a million IDs at a time from Facebook or Equifax), but they are still part of the criminal toolkit, especially for local criminals (who don’t have hacking experience) and especially for organized criminals that need small bits of information from a target before they socially engineer them to hand over the keys to the kingdom (e.g., gaining their trust to manipulate them out of their user login credentials at work based on information from physical documents, embarrassing trash, etc.).

Do people still need to shred all of their paper documents? 

The initial answer is no, because that information is already out there in volumes. The wiser answer, from a habituation perspective, is yes. In 30 seconds a day (if your shredder is convenient), you can shred everything with personal information on it? That way, when it does have something more valuable (account number, last four of your SSN or any of those small bread crumbs that lead to greater levels of trust and access), you have already established a good habit. When users are advised to just shred X or Y, instead of everything personal, they eventually forget or give up because the volume is too low.

Are cross-cut document shredders enough or should we use higher-security micro-cut shredders?

For the average person who doesn’t work in a defense-related, finance-related or health-related job (you get the idea), I think that a simple confetti shredder is plenty sufficient. There is technology out there to recreate documents, but that isn’t really the concern of your average reader. If they have security clearance or deal with highly sensitive information from work in their home, then yes, the higher end are better.

The Achilles heel of shredding is that people don’t take care of them (empty them, oil them, etc.) and they break like a car with no oil, so that is part of the deal – you have to maintain them. I still have a shredder in my home office and several at work. We put all of the documents in a bin next to the shredder and shred them a couple of times per week before the trash goes out. That makes it a bit more efficient.

In other words, how paranoid should we still be about shredding documents?

Paranoid is a touch too strong. Just be smart. Think about unshredded documents as the reconnaissance tools that cyber criminals use to commit larger crimes. If I find your bank statement unshredded in the trash, I can now call you, pretend to be the bank using a caller ID spoofing app, recite the last four digits of your account and get the information I need acting as the bank to close out your account on the very next call. And from a corporate perspective, it’s even more valuable data.

So what are the basic reasons behind document shredding?

  • Prevent identity theft
  • Protect your customers and your employees
  • It’s the law (under the Data Protection Act)
  • It saves space
  • It’s “green”! Shredded paper makes recycling much easier

What documents should you shred?

  • Medical records and bills (keep for at least a year after payment in case of disputes)
  • Old tax returns: after three years of returns you are allowed to throw them away, as long as you aren’t committing fraud – otherwise you can be held liable indefinitely
  • Old photo IDs
  • Bank, investment, medical or insurance statements (or anything else that contains vital identity or account numbers)
  • Credit card offers and expired credit and debit cards
  • Canceled or voided checks
  • Pay stubs
  • Copies of sales receipts
  • Convenience checks (Blank checks your credit card company sends to borrow against your credit line)
  • Junk mail that contains personally identifying information (watch for barcodes)
  • Mail related to your children or their school

Remember, shredding isn’t only for large companies.  As someone who personally was a victim of dumpster diving, trust me and take the extra four seconds to shred that piece of trash; it may save you years of time spent trying to recover from financial devastation.

About Cyber Security Keynote Speaker John Sileo

John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings, and industry events. He specializes in making security fun so that it sticks. His clients include the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.

Is CHIP & PIN Credit Card Security Worth $100M? (Are You Serious?)

I’ve had dozens of media requests for interviews and countless more email inquiries from people concerned about the Target data breach.  At first, everyone just wanted to know details of how it happened, how big the breach was, and what they should do about it if their credit cards were at risk.  Now that the initial shock of it is over, we are on to a bigger question:

How do we keep breach from negatively affecting so many Americans? 

Breach will always happen. If it’s digital, it’s hackable. It’s coming to light that the Target breach may have been due to the computer access an HVAC WORKER (no, not an entire company, an individual WORKER) had to Target’s systems. While there is no guaranteed way of preventing fraud, there is a pretty reliable answer out there, and it’s been around for decades.  That answer is for the US to finally catch up to more than 80 countries around the world and start using chip and PIN enabled credit cards, also known as EMV, smart cards, or microchip cards.

By placing microchips in credit cards, it makes it much harder for criminals to clone the cards than the relatively easy-to-crack magnetic stripes.  Chip cards take the cardholder information and turn it into a unique code for each transaction. They also often require additional authentication, such a personal identification number, or PIN. So in the case of the Target breach, the stolen data couldn’t be used to easily create duplicate credit cards, drastically reducing the value of the stolen data. The possibility for online abuse of the numbers (known as Card Not Present transactions) would remain a threat from the breach, but it would be a fraction of the problem (and solvable in other ways).

France has been using this technology since 1982, the UK since 2001, and Canada since 2007. In the first five years after the UK started using chip & PIN, fraud went down 70%.  In that same time period, the cost for fraud in the US had DOUBLED. It’s not that the technology is perfect, it’s that the increased security convinces criminals to target those who don’t use the technology (which to this point has only been, well, the United States). 

If there is such a great guarantee on fraud reduction by switching to chip and PIN cards, why is the US resisting it?  The answer:  MONEY.  Banks, credit card companies, and retailers have been caught in a battle of wills for many years now, with retailers not wanting to spend money on installing new chip-friendly card readers unless banks are committed to spending money on issuing new cards.

The cost of implementing the card system can be staggering. Target is expected to spend around $100 million to install new chip card readers in an effort to protect against cyber theft.

So is it worth $100 million to implement chip and PIN technology?

Without question. And even Target thinks so, or at least it did ten years ago when it was at the forefront of implementing chip & PIN technology.  From 2001-2004 they spent $40 million to adopt chip-based credit-card technology and installed 37,000 new point-of-sale terminals to handle chip cards across its U.S. stores.

Ultimately they backed out because their marketing strategy at the time just didn’t catch on with consumers and because it was taking “A FEW SECONDS” longer per customer to get through the line.  I don’t know about you, but I’d wait an extra two seconds in order to know my data is secure.  And I bet Target victims would take back the time it is taking them to change their credit card information with every online site or monthly automatic payment company their now-compromised card was used for.

To put the cost in perspective, $100 million is about $1.00 per Target breach customer. I bet the average credit card holder would be willing to foot the $1 bill to dramatically reduce their risk (even if it’s not a perfect solution). In fact, the cost of fraud gets passed on to customers anyway (higher credit card rates, higher retail prices), so why not spend that same money (or far less, in fact) on securing the transactions in the first place? 

  • A survey of 936 credit unions indicates the Target breach has cost credit unions an average of about $5.10 per card affected by the security lapse.  The Credit Union National Association said these costs most likely do not include any fraud losses, which are likely to occur later.
  • In 2012, the Ponemon Institute’s annual study showed the average cost of a data breach in the US is $188 per person notified.
  • For credit issuers, the average cost per record breached is set at $280.
  • Aite Group reports that card fraud in the U.S. already costs the card payment industry (primarily issuers) $8.6 billion a year.

 You tell me if it’s worth it! (Seriously, I want your thoughts and comments below)

How do we get there?

It seems crystal clear to me that fraudsters have gotten so sophisticated that we either need to join together (retailers, banks, and credit card companies) or we will fail to stop this trend of Mega-Breaches.  Pardon the pun, but clearly we have put the “target” on our own backs; criminals have increasingly focused on the US because we are so far behind.

James Dimon, CEO of J.P. Morgan Chase sees this as an opportunity for real change.  He said,  “All of us have a common interest in being protected, so this might be a chance for retailers and banks to for once work together, as opposed to sue each other like we’ve been doing the last decade.”

I see 4 overarching steps that need to be taken:

  1. Retailers, credit card processors, banks, VISA, MasterCard and American Express need to stop focusing on their own self-interest (profit) and start to work together for the common good. Of course, they won’t do this without incentive, so…
  2. Congress should create  a U.S. equivalent of the U.K. Card Association that sets policy and has the authority to fine those stakeholders who fail to act.
  3. In other words, we will need legislation to ensure that the “liability shift” dates projected for 2015 are met.  This means that if credit card companies have issued chip and PIN cards, but retailers have not installed machines to read them, the merchants would be held accountable for any losses due to fraud.
  4. Everyone needs to understand that there will be costs associated with the change, just like there are costs when you install a security system, a lock on a door or a vault in a bank.

Will chip and PIN cost retailers? Yes. Will chip and PIN cost banks? Yes. Will it cost consumers? Yes. Will it cost (in total) as much as the fraud resulting from even a single major breach like Target. NO. It’s time to start thinking about security from a long-term perspective, and long-term profitability will follow.

John Sileo is an author and highly engaging speaker on internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to protect the privacy that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on Rachael Ray, 60 Minutes, Anderson Cooper and Fox Business. Contact him directly on 800.258.8076.

Over 90% of Rachael Ray Show Audience Faces Identity Theft Risks

Recently, I was asked to do a segment for The Rachael Ray Show that demonstrated very visually how many audience members face immediate identity theft risks. Watching them move across the stage as we exposed two or three common sources of identity theft was remarkable. Once we had experienced the numbers, we ventured into the house of one of Rachael’s audience members to see how to mitigate the risk. Watch the video to see if you would have joined the “at risk” group, or read the transcript below:

Rachael: We had the audience stand back here because we all carry several items on any given day, EVERY given day, that put us at risk.  So John, you’re going to weed out our audience so we can all learn in how many areas we are seriously at risk if we have certain items on us, correct?

John: Perfect.

Rachael: Okay, how are we going to get them started?

John: The first one is your Social Security card. If you carry your Social Security card.

Rachael: If you have your actual your Social Security card, I’d like you to cross the room and come to this side of the studio.  (Audience members cross.)  A few people–not many.  I don’t carry mine, either.

John: A few have got it.  A lot of us do it.

Rachael: To me, Social Security numbers- they ask for them everywhere. The bank, the doctor–everywhere.  I know the number.  I don’t carry the card, but it is like your signature.

John: It is.  It’s your net worth.  It’s your future buying power, so a thief with a Social Security number–they can buy a home as you.  That’s what happened in my case.  They purchased a home.  They go bankrupt as you.

Rachael: A house?

John: Yes, she bought a house.  It was a woman.

Rachael: Just like in the movie! That is amazing.  And a woman took your Social Security number and it didn’t even occur to anybody- it’s not a man named John?

John: I know and then went bankrupt-as me.

Rachael: Oh my God–I just want to feed you spaghetti!  Okay, I think we’re going to move a lot of people on this next item.  Tell them the next item.

John: Yes.  If you have a smartphone without a passcode on it.  So without the four digit code or some sort of a passcode.

Rachael: If you have an unprotected phone, move it.  (Many audience members move.)  I knew we’d get a lot of them on that one.  Okay, now explain why you’re even more at risk without a passcode, even though it’s fairly obvious.

John: You bet.  So the smart phone is part of who we are, right?  It’s become an extension of ourselves.  It’s literally part of our identity.

Rachael: Access to everything.

John: Let me give you an example of how easy it is.  The thief takes it off the table at a cafe, right?  They walk outside- no passcode on it.  So they quickly surf through your websites or your contacts.  They see where you bank.  Then they go, ON THAT PHONE, to the bank’s login page and they hit the “forgot my password” link…

Rachael: And it sends it to you!

John: And it emails it to the thief!

Rachael: AGGGHHH!

John: They’re right in your account.  Bam! It’s that easy.

Rachael: One more thing.  We’ve gotta move more people.  Give us one last item that puts us at risk that you think most, if not all, of these people have.

John: If you have a debit card or bank card. (Almost everyone else crosses room.)

Rachael: Now everybody has to have their bank card with them.  I carry mine, too.  Don’t you carry one?

John: I don’t.  I’m not saying you can’t carry a debit card or a bank card.  It’s how you carry it.  It’s that you’re smart with it.  Your debit card, your checkbook, connects directly to your bank account.

Rachael: (Looks at remaining audience members who didn’t move.)  We have about ten/twelve people left.  You guys don’t have any bank or debit cards on you?  Wow, That’s amazing!

John: It’s doable.  Use your credit card.  I realize it’s a great budgeting tool, but if you can get it out of your purse when you don’t need it…lock it up at home- just like you do your Social.

Rachael: Get cash once or twice a week.  Leave the card at home and carry credit cards that have protection.

John: Yes, you have much better protection liability-wise.  The money doesn’t come directly out of your  account when it’s stolen.

Rachael: It’s amazing.  I love the visual of watching the risk factor.

New segment 

Rachael: We wanted to take this a few steps further.  We didn’t have time to go to every single person’s home here, so we sent you to one of our viewer’s homes to find the places in our homes where we’re putting ourselves at even more risk, right?

John: Yes, at Lisa’s.

Rachael: So, he went to Lisa’s house.  We’re going to have these guys take a seat.  You check out what happened at Lisa’s and we’ll meet back here.

Video

(Shows family activities at Lisa’s house.)

Lisa:  I’m a wife and a mother of three and I just want to do everything I can to protect my family.  About a year and a half ago we were victims of identity theft.  You feel like your whole life has been stolen from you. At first when that identity theft happened, we were taking steps.  We put alerts on with credit reporting agencies, but I think I fell back into being more lax about it.

(John arrives at Lisa’s house.)

John:  So our plan of attack today with Lisa is to take her around the house and we’re just going to look at the different ways her data might be exposed.

(In her office)

We’ve got a file cabinet…a locking file cabinet that undoubtedly is …unlocked.   (It is. John looks through items) Birth certificates…

Lisa:  I try to hide it.

John: You try to hide it, yeah, but we all hide it in the same way.  What I really suggest is a locking fire safe.  You can buy these big, heavy safes that protect against water and fire, but they also allow you to store these documents in a really safe way.

(On to Kitchen)

Lisa:  My purse is over here.

John: Wow.  What is this, an organizer?  (Huge, overflowing wallet)  You keep your life in here, don’t you?  Let’s see what we’ve got.  Debit cards, multiple credit cards…I would get in the habit of thinking, “Okay, I’m going out to do this shopping.  What cards do I need?  Take the cards that you use most often and get in the habit of leaving the rest at home.  On a credit card or debit card, one thing that I recommend is that you simply write Photo ID Required on it.  It lets the retailers know, “Hey, my identity matters.  Ask for it.”  It makes it harder for someone to shop and impersonate you. (Continues to look through wallet) Cash-we don’t worry too much about that.  It’s really the data that we’re looking at. And a lot of times the thieves will take the cash, they’ll take photos of this (other cards/data), and they’ll put it all back.  They don’t want you to know they’ve taken it.

Lisa: I didn’t even think of that.

(They head outside to Lisa’s trash can.)

John: You have to be really mindful of what we leave outside of the door.  We put things in our trash that are incredibly valuable.  This is called dumpster diving.   (John looks through trash.) This looks good here.  Looks like a bank statement, we’ve got an insurance statement.  We’ve got a credit card statement.  It has your full account number on it-right there. Bonanza!  You also need to shred anything with any identity on it.

(Moves to mailbox- unlocked out on the street)

Do you mind if I go through your mail a bit?

Lisa: Not at all.

John: Allright, so here’s a pre-approved credit card offer.  This makes it really easy for somebody to apply for a credit card in your name.  There’s an easy solution.  It’s called opting out.  You can opt out of financial junk mail so it’s never in your mailbox in the first place.

Lisa: I didn’t even know you could do it.

John: You should take this now and shred it.  Everything that you can shred, you shred.

(Moves to Lisa’s computer.)

John: I love talking to people about their computers because it is the jackpot in the house of all our financial information.  I was glad to see that you have a password to get in.  That way if somebody walks out with the box, it’s a little more protected.  Do you shop online at all?

Lisa: Yes, I do.  I shop online a lot.  I’ve been using my debit card a lot more lately.

John: Okay, shopping online- I’m totally good with.  Using your debit card is risky.  It’s connected to your bank account.  I recommend you use a credit card and, in fact, I think it’s smart to have a separate credit card you use online and a credit card you use out and about.  That way if something happens online, you can shut down the one card and you’ve kind of cordoned it off.

(Back to studio.  Rachael welcomes Lisa and introduces Privacy Means Profit.)

Rachael: The biggest thing that I got out of that segment that I want to do immediately when the show is over–putting the stickers on every single front of my credit card or debit card (that says) “Ask for Photo ID”.  You said everyone ignores it on the back, but everyone demands it on the front.

John: That’s exactly right.

Rachael: Everyone could buy “stickems” and that’s a really good one.  That’s so easy and fantastic.  So Lisa, that was enlightening. Thank you for letting us into your home.  What did that feel like from your side of it?  Did you feel like “Uh!” (slaps forehead) “I can’t believe I did that”?

Lisa:  I couldn’t believe everything I was doing wrong.  John gave me such great tips- just little things you can do to protect your identity.  It was scary because I thought I was being more diligent than I was.

John:  We all do.

Rachael: That’s the thing. It seems so obvious when he puts a highlighter pen over it.   Then we all say “I do that, I do that, too.”  I love that sticker thing though.  Isn’t that a great tip?

Lisa: Yes.  Actually  I started to implement that.  That was the first thing I did.

Rachael: (To John) So, who are identity thieves?  What are the most popular types of identity thieves?

John: It breaks down into three big categories.  The first is friendly fraud.  It’s the people that we know.  I see these every week.  It happens constantly.  It’s the college roommate who visits who has fallen on hard times so they sneak a check out of the middle of your checkbook.  The second is the local.  This is the person in your neighborhood who is a drug addict, a gambling addict, they need a little extra money and they’re willing to filter through your trash or your mail to get it.  The third, the fastest growing one, is organized crime.  These are international people who have huge resources to hack into very secure databases.  These are not poor databases.

Rachael: They’re really investing in their crime with top quality computer programmers.

John: Absolutely, that’s exactly what they do.

Rachael: So, tell us about medical identity theft.

John: It’s so quickly growing because health insurance is really expensive, right?  Here’s one we see a lot of right now.  They wear a pair of Google Glass glasses that record, or they have an iPhone.  They walk through the emergency room where people are totally stressed out and they’re filling out forms and they’re looking at them.

Rachael: That is so creepy!

John: And listen to this one: photocopiers.  You have your doctor photocopy stuff- that has a hard drive in it and when someone services it…

Rachael: You’re giving me hives!

John: So you photocopy it at home.

Rachael: So how do you protect yourself from it?

John: Number one-those benefits statements that we get? Review them, just like you would your credit card statement.  If something is wrong, you shut it down.  You call them immediately.

Rachael: Pay more attention.

John: Yes, pay more attention.

Rachael: And guard what you’re writing.

John: Yes, they can be snapping photos.  A lot of times what I’ll do is put it on a sticky note and I’ll take it off after.  It doesn’t stay on their records, but it stays in the system.  It’s  a little bit better protection.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Biometrics are Like Passwords You Leave EVERYWHERE

Biometrics are like passwords, but worse.

Biometrics are like passwords that you leave everywhere (fingerprints, facial recognition, voice patterns), except that unlike passwords, you can’t change them when they’re lost or stolen. It’s easy to change your password, a bit harder to get a new retina. Like passwords, risk goes up as they are stored globally (in the cloud) versus locally (on a physical device).

In addition to the biometrics mentioned above that most of us have come to accept as commonplace, there are many other methods in use or under exploration:

  • hand geometry
  • vascular pattern recognition (analyzing vein patterns)
  • iris scans
  • DNA
  • signature geometry (not just the look of the signature, but the pen pressure, signature speed, etc.)
  • gait analysis
  • heartbeat signatures

At the 2014 Annual International Consumer Electronics Show, inventors displayed dozens of devices using biometrics, some of which will become just as commonplace as fingerprints in the near future, some of which will not catch on and be replaced by something even more amazing.  Some of the hot biometrics items this year:

  • Tablets that measure pupil ­dilation to determine whether you’re in the mood to watch a horror movie or a comedy.
  • Headbands, socks and bras that analyze brain waves, heart rates and sweat levels to help detect early signs of disease or gauge a wearer’s level of concentration.
  • Cars that recognize their owner’s voice to start engines and direct turns and stops, all hands-free.

(Do a search for “current biometric uses” if you want to be entertained for a while!)

Some less outlandish examples that are currently in place:

  • Barclays Bank in Britain utilizes a voice recognition system when customers call in.
  • Some A.T.M.s in Japan scan the vein pattern in a person’s palm before issuing money
  • World Disney World in Orlando, Fla., uses biometric identification technology to prevent ticket fraud or illegitimate resale as well as to avoid the time-consuming process of photo ID check.
  • Biometric passports contain a microchip with all the biometric information of holders as well as a digital photograph
  • Law enforcement agencies, from local police departments, to national agencies (e.g., the FBI) and international organizations (including Europol and Interpol) use biometrics for the identification of suspects. Evidence on crime scenes, such as fingerprints or closed-circuit camera footage, are compared against the organization’s database in search of a match.
  • Child care centers are increasingly requiring parents to use biometric identification when entering the facility to pick up their child.
  • And, of course, the most popular example has to be the use of fingerprint sensors on the iPhone to unlock the devices.  It will also increasingly be linked to mobile payment services.

So, the million-dollar question is: Are Biometrics a Better Way to Protect Your Personal Identification?

The answer is yes…and no.

  • Biometrics are hard to forge: it’s hard to put a false fingerprint on your finger, or make your iris look like someone else’s.

BUT…

some biometrics are easy to steal.  Biometrics are unique identifiers, but they are not secrets. You leave your fingerprints on everything you touch, and your iris patterns can be observed anywhere you look.  If a biometric identifier is stolen, it can be very difficult to restore.  It’s not as if someone can issue you a new thumbprint as easily as resetting a new password or replacing a passport. Remember, even the most complex biometric is still stored as ones and zeros in a database (and is therefore imminently hackable). 

  • A biometric identifier creates an extra level of security above and beyond a password

BUT…

if they are used across many different systems (medical records, starting your car, getting into your child’s day care center), it actually decreases your level of security.

  • Biometrics are unique to you

BUT…

they are not fool-proof.  Imagine the frustration of being barred by a fingerprint mismatch from access to your smartphone or bank account.  Anil K. Jain, a professor and expert in biometrics at Michigan State University  says (emphasis mine), “Consumers shouldn’t expect that biometric technologies will work flawlessly… There could and will be situations where a person may be rejected or confused with someone else and there may be occasions when the device doesn’t recognize people and won’t let them in.”

The scariest part of the biometrics trend is how and where the data is stored.  If it is device specific (i.e. your fingerprint data is only on your iPhone), it’s not so bad.  But if the information is stored on a central server and unauthorized parties gain access to it, that’s where the risk increases.  A 2010 report from the National Research Council concluded that such systems are “inherently fallible” because they identify people within certain degrees of certainty and because biological markers are relatively easy to copy.

I also feel compelled to mention the inherently intrusive nature of biometrics.  While it’s true that using facial-recognition software can help law enforcement agencies spot and track dangerous criminals, we must remember that the same technology can just as easily be misused to target those who protest against the government or participate in controversial groups.  Facebook already uses facial recognition software to determine whether photos that users upload to the site contain the images of their friends.  Retailers could use such systems to snoop on their customers’ shopping behavior (much like they do when we shop online already) so that they could later target specific ads and offers to those customers.

How long before we have truly entered into Tom Cruises’s Minority Report world where we are recognized everywhere we go?   “Hello Mr. Yakamoto and welcome back to the GAP…”

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Identity Theft Expert John Sileo on The Rachael Ray Show

John Sileo appeared on CBS’s The Rachael Ray Show on January 29, 2014 to talk about the latest identity theft trends and threats.

Rachael asked John to go into one of their audience members homes and pick it apart from a privacy standpoint. John took a look at everything, from items hidden under the mattress to filing cabinets, trash cans, computers, mobile devices and more. Take a look to learn how to bulletproof your home and self against identity theft.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

10 Times NOT To Use Your Debit Cards this Holiday Season!

As you head into the holiday season, one of the best steps you can take to protect your bank account is to eliminate the use of your debit card. While delivering a keynote speech in Washington DC last week, someone asked me if I could name ten times when you should NOT use a debit card.  I replied, “It’s a trick question because the answer is NEVER!” I seriously do feel that way, but I know there are people who either need to or prefer to use a debit card rather than a credit card or cash, so I want you to be informed about how to use it wisely.

First, make sure you understand the difference between a credit and debit card.  While they appear identical and can often be used interchangeably, remember that a debit card is a direct line to your bank account.  If a thief gets ahold of your debit card information, they essentially have access to your account.  One of the biggest differences comes to light when fraud occurs.  Credit card users can simply decline the charges and not pay the bill.  Debit card fraud comes straight out of your bank account and is much harder to fight or reclaim the money that as been debited. In the meantime, while you prove it was fraud, you’re out the cash.

Here is a Top Ten List of times to choose credit over debit.

10. Booking future travel

If you book your travel with a debit card, they debit your account immediately,. So if you’re buying travel or making a reservation that you won’t use for several months, you’ll be out the money immediately.  Also consider that many large hotels have suffered data breaches.

9. Hotels

Many hotels follow the practice of using your debit card to place a hold on your money (sometimes hundreds of dollars) to make sure you don’t run up a long distance bill, empty the mini bar or trash the room. The practice is almost unnoticeable if you’re using credit, but can be problematic if you’re using a debit card and have just enough in the account to cover what you need.  Be sure to ask about their “holding” policy if you are using a debit card.

8. Expensive purchases

This one is simple.  If something goes wrong with the merchandise or the purchase, a credit card offers rights to dispute and stop payments much easier than a debit card. You have a much shorter window for reporting and resolving an issue and may even be responsible for all charges if you wait too long.

7. Rental or security deposits.

Say you want to rent a car or borrow a Bobcat from your local home improvement store.  Remember that when you use a debit card to put down a deposit, that money is temporarily unavailable to you.  Of course, you’ll get the money back when you return the car or equipment, so this is no big deal if you have the money to spare until that time. But with a credit card, the money is just “frozen” and not actually charged so you won’t ever notice it’s gone.

6. Regular/recurring payments

You’ve heard about someone who quit a gym or discontinued a magazine subscription only to find that they kept getting billed. If you used a debit card for those payments, they’ll just keep coming right out of your bank account.  (Using a credit card is also a good way to ensure you don’t forget to make that monthly debit in your check register!)

5. Wi-Fi hot spots

Never use your debit card for an online purchase while at a coffee shop or other business that offers free wi-fi access.  Many of those businesses have unsecured wireless connections, so it’s much easier for hackers and scammers to log on and steal your data.

4. Restaurants

Anytime the card leaves your sight, you should NOT use your debit card. The waiter coming to your table has alone time with your card, giving them the opportunity to copy your card information.

This also applies to ordering food for delivery.  Restaurants that deliver tend to keep customer payment information on file in order to make future orders more convenient.

Another problem with using a debit card at restaurants is that some establishments will approve the card for more than your purchase amount because, presumably, you intend to leave a tip. So the amount of money frozen for the transaction could be quite a bit more than the amount of your tab. And it could be a few days before you get the cash back in your account.

3. Outdoor ATMs

Outdoor ATM machines provide the perfect opportunity for thieves to skim users’ debit cards.  Skimming is the practice of capturing a bank customer’s card information by running it through a machine that reads the card’s magnetic strip. Criminals place these machines over the real card slots at ATMs and other card terminals.  If the public has access to it, so do data criminals.  Use the ATM just inside the bank where it is under constant surveillance. And no matter what, look for devices or cameras on the ATM machine that aren’t normally there.

2. Gas stations

Every gas pump asks, “Credit or Debit?” these days.  Don’t choose the debit option!  Go inside and pay cash if you choose not to use your credit card!  There are three reasons.  One, it’s fairly easy for a thief to insert a skimmer and then sit nearby with a laptop accessing your information.  Even if the thief doesn’t manage to get your debit card personal identification number, or PIN, from such a device, he still may be able to duplicate the card’s magnetic strip and use it for “sign and swipe” Visa or MasterCard transactions.

Thieves can also sit nearby using small cameras to capture footage of debit card users entering their PINs. Finally, similar to the hotel example above, your debit card may be used to place a hold for an amount larger than your actual purchase.   So, even though you only bought $10 in gas, you could have a temporary bank hold for $50 to $100, says Susan Tiffany, director of consumer periodicals for the Credit Union National Association.

1. Online

Using you debit card online is like asking for your bank account to be emptied. There is just way too much potential for hacking at many different points in a transaction.  It could occur due to malware on the computer, someone could be “eavesdropping” via a wireless network, or it could happen once in the hands of the merchant due to a data breach.  If you have a problem with the purchase or your debit card number is stolen, it’s a huge hassle to get the money restored to your account and make your card number safe and secure again.

Keep it simple and just always use a credit card. I realize that it is easier to spend more money when it’s not coming directly out of your account, but it’s better to resist the temptation to spend for the added security provided. 

John Sileo is an author and highly engaging keynote speaker on internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to protect the privacy that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on 60 Minutes, Anderson Cooper and Fox Business. Contact him directly on 800.258.8076.

Can Medical Identity Theft Really Kill You? [Burning Questions Ep. 2]

There has been a great deal in the news about medical identity theft leading to death. Is it possible? Yes. Is it likely? Less likely than dying of a heart attack because you eat too much bacon. But let’s explore the possibility of death by medical identity theft (below, in this article), and why the threat gets sensationalized (in the video).

Read more

Baby Cam Hacked: What You Can Do To Protect Yourself and Your Children

The story about the Texas parents who were terrified when their child’s video baby monitor was hacked struck me at first as a minor incident when viewed in the whole scheme of the world of hackers.  After all, it is a rare event, no one was hurt, no threats were overtly made, and the child herself even slept through the event.  But when I read more about it, I became increasingly bothered by the fact that I was not initially bothered by it!  I mean, is that the creepiest of all feelings, to know that a stranger is watching your kids?

Here’s the summary for those who missed the story.  Marc and Lauren Gilbert were in another room when they heard strange sounds coming from their daughter’s monitor.  When they went into her room to investigate, they realized it was a strange man’s voice coming through the monitor and saying disturbing things, even using the child’s name, which could be seen above her bed.  The child, who was born deaf and had her cochlear implants turned off, slept through the entire incident.  Gilbert immediately disconnected the device, which was hooked up to the home’s wireless Internet system.

It is believed the webcam system, Foscam wireless camera, was compromised.  In April, a study was released revealing potential vulnerabilities; in it the researchers said the camera would be susceptible to “remote Internet monitoring from anywhere in the world” and that thousands of Foscam cameras in the U.S. were vulnerable.  A glaring flaw (which has since been “fixed” by a firmware update in June) is that users were not encouraged to have strong passwords and were not prompted to change from the default admin password.  Gilbert said he did take basic security precautions, including passwords for his router and the IP cam, as well as having a firewall enabled.

For an interview with Fox and Friends, they asked me to consider the following questions.  I’d like to share my answers with you in case you missed it.

How easy is it to hack a baby monitor?

It’s probably an apt cliché to say it’s as easy as taking candy from a baby. Just like with any device, an iPhone, laptop, home Wi-Fi, it’s only as secure as you make it. If you’ve taken no steps, it’s relatively easy to hack. You don’t make the problem go away by ignoring it.

Why would someone do this?

Some do it for the challenge, some for the thrill of controlling other people’s lives, and unfortunately, others do it because they are sick individuals that want to watch what you do in the privacy of your home.

Is this one of the more scary cases of hacking a household device you’ve seen?

This one hits close to home because it takes advantage of our kids, but I’ve seen pacemakers turned off, blood pumps shut down, brakes applied in cars, and all of it done remotely by outsiders who are never even seen. If the device is connected to a network, I guarantee you it can be hacked, and in most cases, you never know the bad guys are in control.

How can we avoid this type of hacking of our personal devices, whether it’s a video baby monitor, an iPhone or a pacemaker?  

The good news is that’s it’s the same steps you probably already take on your other devices, like laptops, smartphones and iPads:

  1. Buy Digital. Only buy a digital monitor that is password protected, not an analog version that operates on an open radio frequency.
  2. Change Default Passwords. During setup, change the factory defaults on the monitor so that the password is long, strong and device specific. This case we are talking about probably had a default password in place, making it easy to hack.
  3. Firewall Your Privacy. Install a firewall between your Internet connection and ALL devices to keep the peeping Toms out. Hire a professional to set it up properly.
  4. Lock Down Wi-Fi. Make sure your Wi-Fi network is locked down properly with WPA2+ encryption and SSID masking so it can’t be hacked.
  5. Turn Devices Off. If you are not using the device, turn it off, as hackers can more easily crack devices that are up 24/7.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Check washing & check fraud can dirty your spring cleaning

Check washing is so simple, you must learn to prevent check fraud

Are check fraud and check washing still relevant in the age of digital payments? If you’re like the average person, chances are you don’t write too many checks anymore. With the convenience of online payment options, nearly universal acceptance of credit and debit cards, and the proliferation of ATMs offering you easy access to money at every turn, why resort to the archaic, labor-intensive method of writing a check?

The simple answer—sometimes we have no other choice!  Some places still don’t accept credit cards (Costco if you don’t have an American Express), or they charge an extra fee for them.  Some retailers don’t offer online payment options.  And frankly, sometimes it’s just an old habit and we haven’t made the effort to find a safer option because we’re stuck in the mindset of “it’s never happened to me” when thinking about check fraud.

Yet, according to a recent AFP Payments Fraud and Control Survey, checks remain the payment type most vulnerable to fraud attacks. In an American Bankers Association Deposit Account Fraud Survey, 73% of banks reported check fraud losses totaling approximately $893 million. And perhaps scariest of all, the imprisonment rate for check fraud is only 2% according to a statement made by the Department of Justice.  So although it’s not as glamorous or high tech as some other forms of fraud, check fraud is very tempting to criminals. It’s often as easy as taking an afternoon stroll down a street looking for vulnerable mailboxes, and then doing a little bit of “laundry”.

Check Washing Check Fraud

One form of check fraud that hits home for businesses and individuals alike is check washing.  It is the practice of removing legitimate check information, especially the “Pay To” name and the amount, and replacing it with data beneficial to the criminal (his own name or a larger amount) through chemical or electronic means. We conducted our own experiment to see just how easy it is to alter a check.  Take a look at our results in the video above.

What can you do to prevent this form of check fraud from happening to you?  There are many steps you can take:

  • Always use high security checks with multiple check fraud and check washing countermeasures
  • Use security gel-based pens with dark ink 
  • Don’t leave mail containing checks in an unattended or unlocked mailbox  (i.e. w/ red flag up)
  • Buy a locking mailbox (one large enough for a postal carrier to put mail through, but not large enough for a hand)
  • Shred voided checks
  • Check your bank statements regularly and immediately when you receive them.  You have a limited time in which to report check fraud.
  • Put clear tape over important fields when mailing a check
  • Do not leave blank spaces on payee or amount lines
  • Have new checks delivered to your bank if possible so they are not sitting in your unattended mailbox

Businesses are highly susceptible to massive check fraud via check washing, because the balances in their accounts tend to be higher and more vulnerable. This simple change from regular checks to high security checks can drastically reduce your risk of check washing and check fraud.

John Sileo is CEO of The Sileo Group, and a  keynote speaker on cyber security, identity theft and business fraud prevention. His clients included the Department of Defense, Pfizer, and Homeland Security. See his recent media appearances on 60 Minutes, Anderson Cooper and Fox Business.

Stop Check Fraud with Security Checks

How to Stop Check Fraud and Check Washing

Check washing, a highly common form of check fraud, is the practice of removing legitimate check information, especially the “Pay To” name and the amount, and replacing it with data beneficial to the criminal (his own name or a larger amount) through chemical or electronic means.  One of the many ways to protect yourself against check fraud is so important that it deserves its very own article.

A foolproof way to protect your checks from being altered, whether by washing or by electronic means, is to use security checks offered by most companies.

Here are some of the features to look for when you’re purchasing High Security Checks.  These features will safeguard you not only against check washing, but other high tech forms of check fraud as well:

  • Safety security paper (visible and invisible fluorescent fibers, chemical-sensitive)
  • Foil hologram (cannot be reproduced by copiers or scanners)
  • High resolution border elements (intricate design is difficult to reproduce)
  • True watermark (cannot be reproduced by copiers or scanners)
  • Toner adhesion  (damage is visible if toner is lifted or scraped)
  • Void element (the word void appears if photocopied or chemically altered)
  • False positive test area (instant authenticity test with black light or counterfeit pen)
  • Complex pantograph background pattern and high-security colors
  • Thermochromatic ink (reacts to heat to deter copying)
  • Original document backing (deters cut and paste alteration attempts)
  • Chemical wash detection area (shows chemical alteration attempts)
  • Security warning box (becomes visible when photocopied)
  • Padlock icon (signifies that checks meet industry standards)

One more vital tip to foil the check washers: use a dark ink, gel-based pen, preferably one that states it is a security pen. Take a look at the video to the left to see how easy it is to wash a check if you are not using a high security gel-based pen. 

Yes, you may spend a few extra dollars for security checks and pens, but compared to the staggering cost of recovering from check-washing schemes (small businesses lose more than 7%  of their annual revenue to check fraud  – over $600 billion), it’s a drop in the bucket!  Your peace of mind and saved recovery time are worth it.

Checks Unlimited provides personal Securiguard checks with 7 advanced security features including chemical protective paper, microprint signature lines, and a 2 dimensional holographic foil that is irreproducible on copiers or scanners.  Their Security Center also offers fraud prevention tips and security products!

John Sileo is CEO of The Sileo Group, and a  keynote speaker on cyber security, identity theft and business fraud prevention. His clients included the Department of Defense, Pfizer, and Homeland Security. See his recent media appearances on 60 Minutes, Anderson Cooper and Fox Business.