<?xml version="1.0" encoding="utf-8"?>
<feed xmlns="http://www.w3.org/2005/Atom">
    <title>Identity Theft Blog at Identity Theft Secrets</title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/" />
    <link rel="self" type="application/atom+xml" href="http://www.identitytheftsecrets.com/atom.xml" />
   <id>tag:,2008:/4</id>
    <link rel="service.post" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4" title="Identity Theft Blog at Identity Theft Secrets" />
    <updated>2008-11-19T07:01:58Z</updated>
    <subtitle>Want to see a Blog about how Identity Theft really works?</subtitle>
    <generator uri="http://www.sixapart.com/movabletype/">Movable Type 3.2</generator>
 
<entry>
    <title>Virtual You-Virtual Me:  Holograms </title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/cnn-holograms-and-identity-theft.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2758" title="Virtual You-Virtual Me:  Holograms " />
    <id>tag:www.identitytheftsecrets.com,2008://4.2758</id>
    
    <published>2008-11-19T06:49:25Z</published>
    <updated>2008-11-19T07:01:58Z</updated>
    
    <summary>What are some possible uses for virtual presentation or holographic imagery. . . . education, travel, recreation . . . </summary>
    <author>
        <name>Lisa Carey </name>
        <uri>http://www.identitytheftsecrets.com</uri>
    </author>
            <category term="Articles" />
            <category term="Identity Theft Prevention" />
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p>CNN used a hologram to "whisk" correspondent Jessica Yelin from Chicago to New York during election night reporting. What is in store for the future of holograms? And how could it affect your identity? </p>]]>
        <![CDATA[<p>The election year of 2008 brought with it many surprising uses of technology, and new technologies.  For years political parties and lobbyists have been able to use e-mail to reach large audiences, but this year, we see more. Beginning with "text messages" from President-Elect Barack Obama announcing his Vice Presidential candidate, to entire cable channels purchased for a candidate's platform, to finally election night and the introduction of holographic news anchors to walk the United States through the election night process.  <br />
Holographic news anchor?  Yes, it's true.  During CNN's election night reporting a holographic 3D, 360 image of reporter Jessica Yelin in Chicago was "transmitted" to CNN's election center in New York.  During election night coverage, it appeared as if she was a "real" part of the news coverage from New York.  How was this done? <br />
CNN's virtual correspondent required 35 HD cameras, different shots at different angles, synchronization with the cameras in New York, 20 computers processing the data and 2 camera feeds at CNN headquarters. That's all. There is more to it than this, but most of it I think you have to be a computer engineer to understand.  </p>

<p>When I first learned of the use of this technology, I thought, "Wow, straight out of 'Star Trek.'"  I am not the only one.  John Chambers (of Cisco Systems) explained that he wanted technology straight out of Star Trek, and Emerging Technology Group and Marthin De Beer made it happen. During a presentation by John Chambers discussing this innovative technology, he and De Beer gave a "virtual" presentation, with a presenter on one continent and one on another. </p>

<p>What are some possible uses for virtual presentation or holographic imagery?  <br />
-	Education:  Could professors perform lectures from the comfort of their offices?  Or possibly students attend classes from the comfort of their homes? <br />
-	Business Travel:  Could holograms be the next alternative to business travel, meetings, presentations and conferences?  We already have web conferencing tools available, just think how much more effective it could be with face to virtual face contact - and how much more efficient. <br />
-	Counseling or Medical Services:  Instead of calling your therapist, counselor or other medical professional could you have a virtual consultation?  What happens to the office visit co-pay then?  <br />
-	Recreation:  Is this the next step in recreation?  Could people actually use this for recreational travel? Or could it be the next new technology for video games, taking the "Wii" system several steps into the future? <br />
-	Virtual Shopping:  Can holographic imagery give virtual shopping a whole new meaning? Would we move beyond the express lane and self service lanes, to virtual checkouts? <br />
-	Virtual Banking: Can I save myself a trip to the bank and complete basic services as well as loan and credit applications as a hologram? </p>

<p>With all these possibilities there are also a number of concerns that the technology of a virtual presence or holographic image creates. For example, who owns the image or hologram?  What happens when enterprising individuals learn less expensive and less complicated ways of creating a holographic image?  Could it be possible to capture my image and use it for identification, shopping or even medical services, just to name a few?  Could holographic images be the next new technology in identity theft, fraud or other financial crimes?  <br />
The law rarely keeps up with technology. As a result, with every useful emerging technology such as holographic imaging, there is a need to look not only to the future uses, but also to the future threats to our safety and identity that these types of new technology bring.   After all, spam and phishing all started with a simple e-mail.  <br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Identity Theft Awareness Month in New York </title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/identity-theft-awareness-month-in-new-york.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2747" title="Identity Theft Awareness Month in New York " />
    <id>tag:www.identitytheftsecrets.com,2008://4.2747</id>
    
    <published>2008-11-15T03:51:06Z</published>
    <updated>2008-11-15T04:01:23Z</updated>
    
    <summary>If this educational campaign helps even one person avoid the devastation of identity theft it is worth the effort . . 
</summary>
    <author>
        <name>Lisa Carey </name>
        <uri>http://www.identitytheftsecrets.com</uri>
    </author>
            <category term="Articles" />
            <category term="Identity Theft Prevention" />
            <category term="Identity Theft Protection" />
            <category term="Identity Theft Solutions" />
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p> New York designates November 2008 as "Identity Theft Awareness Month in New York." What does this month offer consumers regarding protection and information from identity theft? </p>]]>
        <![CDATA[<p>New York is focusing on their fastest growing crime in November.  The New York State Assembly has recognized the pervasiveness of identity theft crimes in their state and confirmed a resolution that designates November 2008 as "Identity Theft Awareness Month in New York."</p>

<p>Identity Theft Statistics (2006)</p>

<p>* 8.3 million Americans were victims of identity theft</p>

<p>* Over 16,000 New Yorkers were victims of identity theft</p>

<p>* New York ranks 8th per capita in identity theft crimes.</p>

<p>* 33 billion dollars were stolen through identity theft.</p>

<p>* On average an identity theft crime robs victims of over $6,000 and they incur an additional $1,200 in out of pocket expenses.  </p>

<p>* It takes an average of 55 hours of personal time to rectify the consequences of identity theft.  </p>

<p>New York also recently passed a state law requiring law enforcement to take full information in identity theft cases.  However, it is estimated that a full two thirds of identity theft victims do not contact the police.  New York hopes to change those statistics with awareness and prevention through the Identity Theft Awareness Campaign. Assemblywoman Audrey I. Pheffer, who introduced the resolution, stated, "Identity theft is an extremely important consumer fraud concern and a serious financial crime.  Working with the New York Credit Union Foundation and the Credit Union Association of New York to proclaim November 2008 'Identity Theft Awareness Month,' I believe, will educate the consumer and help prevent this crime."   New York has also confirmed a resolution to support a public service campaign sponsored by the New York Credit Union Foundation and the Credit Union Associations of New York.  </p>

<p>New York's recent program "Who Are You? Identity Thieves Really Want to Know" will focus on educating New Yorkers on how to avoid being an identity theft victim.  The campaign included five video public service messages that feature Assemblyman Peter M. Revera and Assembly Minority Leader James N. Tedisco.  There are also a series of longer videos featuring Mindy A. Bockstein from the New York State Consumer Protection Board.  All videos are being produced in English and Spanish.  </p>

<p>When James Tedisco speaks during the campaign, he speaks from experience.  Tedisco was a victim of identity theft years ago.  In 2006 an identity thief from Long Island, New York ran up $15,000 in under 24 hours using stolen credit cards.  Tedisco was one of the two victims in this case.  Interestingly, identity theft had only been on the books as a felony in New York since 2002.  </p>

<p>The New York Credit Union Foundation and the Credit Union Association of New York's identity theft campaign comes right on the heels of a new awareness campaign launched by AARP and Google. </p>

<p>Will the identity theft awareness campaigns help?  </p>

<p>Here's what Assemblyman Tedisco has to say:  "Several years ago, I was the victim of identity theft. I know first-hand the stress and suffering it can cause. If this educational campaign helps even one person avoid the devastation of identity theft it is worth the effort."</p>

<p>While New York has officially dedicated the month of November as Identity Theft Awareness month, all citizens should take heed to being aware, safe and secure.  As the holidays approach consumers will be shopping on line, in stores and by phone in record numbers.  Taking the time to prevent identity theft can protect you from becoming not just an identity theft statistic, but a real victim and that's something we can all be thankful for this November and in the months to come.</p>

]]>
    </content>
</entry>
<entry>
    <title>AARP &amp; Google Team Up to Offer Identity Theft Tips</title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/aarp-google-offer-identity-theft-tips.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2740" title="AARP &amp; Google Team Up to Offer Identity Theft Tips" />
    <id>tag:www.identitytheftsecrets.com,2008://4.2740</id>
    
    <published>2008-11-10T18:55:21Z</published>
    <updated>2008-11-10T19:03:04Z</updated>
    
    <summary>This joint venture puts information about on line safety and privacy and identity theft protection right on line where many people work, shop, play. . .  </summary>
    <author>
        <name>Lisa Carey </name>
        <uri>http://www.identitytheftsecrets.com</uri>
    </author>
            <category term="Articles" />
            <category term="Identity Theft Prevention" />
            <category term="Identity Theft Protection" />
            <category term="Identity Theft Solutions" />
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p>AARP and Google have teamed up to create 6 videos to help consumers protect themselves from identity theft risks on line.  And, you don't even have to be an AARP member to take advantage of these tips! </p>]]>
        <![CDATA[<p>AARP and Google have teamed up to create 6 videos to help consumers protect themselves from identity theft risks on line.  </p>

<p>Why are these two brands joining hands to offer identity theft protection tips?  Each year over 10 million Americans become victims of identity theft.  That equates to a new identity theft victim every 19 minutes.  In fact, identity theft is the number one consumer complaint in America.  </p>

<p>AARP is a non-profit membership organization with a mission of helping people over the age of 50 to maintain independence, choice and control in their lives with options that are beneficial and affordable. As more and more people over the age of 50 are using the internet, identity theft is a great concern for this age group and AARP wants to help their members protect themselves from this devastating crime. </p>

<p>Google of course is the innovative internet search technology that every day connects millions around the world with just the information they are searching for on line.  Google's Business Product Manager for Trust and Safety, Shuman Ghosemajumder, shares Google's motivation for joining AARP to create these videos.  </p>

<p>"Record numbers of older Americans are going online to surf the web, connect with family and friends, share photos, and run online businesses.  We hope the Online Safety video series will help AARP members keep their online information safe, private, and under their control," said Ghosemajumder.  </p>

<p>Before you can make sure your online activity is safe, first you must secure your computer.  The AARP offers these tips:</p>

<p>*Use a firewall and make sure it is turned on.  (The video will even show you how.)<br />
*Use antivirus software<br />
*Use antispyware programs</p>

<p><b>Topics Covered In the AARP & Google Online Safety & Privacy Videos</b></p>

<p>*setting privacy controls in on line photo sharing sites<br />
*configuring firewalls<br />
*selecting safe and secure passwords<br />
*shopping safely on line<br />
*avoiding phishing scams</p>

<p><b>Where can you find these videos?</b></p>

<p>About 20,000 AARP members watched the debut of the video series on internet safety and online privacy at the association's annual member event. Anyone can now view these videos at one of two places, either the AARP web site at www.AARP.org/onlinesafety or on the Google Privacy Channel on YouTube at www.youtube.com/googleprivacy.</p>

<p>Both sites offer information on privacy and protection beyond the new 6 part video series.  On the Google Privacy Channel page there are also videos on:</p>

<p>*What information Google collects when you use their search engine and how they protect it</p>

<p>*why Google keeps logs and what information they record</p>

<p>*steps you can take to increase your privacy when searching on line</p>

<p>*information about privacy settings and questions and answers on how products work from engineers and product managers who designed them</p>

<p>In addition to the 6 part series on online safety, the AARP web site also offers more articles and videos on identity theft risks such as pop ups, e-mail scams and on line bidding sites.  <br />
    <br />
While many people who use the internet are aware of YouTube videos, many consumers probably were not aware of the Google Privacy Channel.  At the same time, AARP has 40 million members and 33 million readers of their magazine, the AARP Bulletin, but many members may not have taken advantage of their AARP website.  This joint venture puts information about on line safety and privacy and identity theft protection right on line where many people work, shop, play and research and presents it in an easy video format that many consumers are already comfortable with.  </p>

<p>Many of the risks for identity theft come from on line activity. AARP and Google are offering identity theft protection tips that can be accessed right from your computer where the risks begin so that you can put the information to work for you right away.<br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Don&apos;t Go Surfing, If You Haven&apos;t Checked the Tank First </title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/phishtankcom-online-web-protection-service.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2739" title="Don't Go Surfing, If You Haven't Checked the Tank First " />
    <id>tag:www.identitytheftsecrets.com,2008://4.2739</id>
    
    <published>2008-11-07T20:29:24Z</published>
    <updated>2008-11-14T17:33:02Z</updated>
    
    <summary>PhishTank registrants are invited to submit suspected phishing scams, track the status of their submissions and check whether their own or others' submissions have been verified as phishing scams.</summary>
    <author>
        <name>Lisa Carey </name>
        <uri>http://www.identitytheftsecrets.com</uri>
    </author>
            <category term="Articles" />
            <category term="Identity Theft Prevention" />
            <category term="Identity Theft Protection" />
            <category term="Identity Theft Solutions" />
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p>Don't let the phish in your email "tank" become sharks. Find out what you can do about them and about this important service that stops phishing scams.</p>]]>
        <![CDATA[<p>That's PhishTank, not fish tank.  There are no swishing goldfish or dancing bettas here and rather than a tank that needs to be cleaned, PhishTank.com means to clean up the tank.  The tank they want to clean up is the internet.  PhishTank.com is a web site that acts as a collaborative clearinghouse for data and information on phishing on the internet.</p>

<p><strong>What is phishing?</strong></p>

<p>The name PhishTank refers to phishing, the type of scams that the site tracks.  Phishing is any scam initiated in order to steal your personal information. The purpose of stealing your personal information of course is to steal your identity and commit financial fraud. </p>

<p>The most common form of phishing is through e-mails.  Phishing e-mails usually appear to come from an organization that is well known and the e-mails often look and sound official.  The e-mails are an attempt to collect your personal information such as social security numbers, credit card numbers, user names and passwords.  In recent years, phishing scams have targeted victims by imitating PayPal, banks, the Better Business Bureau and even the IRS.  </p>

<p>Phishing e-mails will attempt to get you to click on a link that takes you to an unsafe site in order to "phish" for your personal information. </p>

<p><strong>How does PhishTank.com work to protect consumers from phishing attacks?</strong></p>

<p>PhishTank collects and shares statistics and information about phishing scams on the internet.  PhishTank also provides an open API for developers and researchers to integrate anti-phishing data into their applications free of charge. </p>

<p>PhishTank registrants are invited to submit suspected phishing scams, track the status of their submissions and check whether their own or others' submissions have been verified as phishing scams.</p>

<p><strong>PhishTank Success</strong></p>

<p>PhishTank just celebrated their second anniversary.  In that time over 1 million phishing scams have been reported.  Earlier this year PC World honored PhishTank with the Top Product of 2008 award.  </p>

<p>There are over 29,000 registered users of PhishTank.  This means a large amount of shared information and that allows PhishTank to educate consumers on the latest scams and help them protect themselves from identity theft.  </p>

<p><strong>Tips for Recognizing Phishing E-Mails</strong></p>

<p>PhishTank offers the following tips for avoiding being "caught" as the victim of a phishing scam.</p>

<p>* A generic greeting. </p>

<p>Phishing emails are usually sent in large batches. To save time, Internet criminals use generic names like "First Generic Bank Customer" so they don't have to type all recipients' names out and send emails one-by-one. If you don't see your name, be suspicious.</p>

<p>*A forged link. </p>

<p>Even if a link has a name you recognize somewhere in it, it doesn't mean it links to the real organization. Roll your mouse over the link and see if it matches what appears in the email. If there is a discrepancy, don't click on the link. Also, websites where it is safe to enter personal information begin with "https" -- the "s" stands for secure. If you don't see "https" do not proceed.</p>

<p>* Requests personal information. </p>

<p>The point of sending phishing email is to trick you into providing your personal information. If you receive an email requesting your personal information, it is probably a phishing attempt.</p>

<p>* A sense of urgency. </p>

<p>Internet criminals want you to provide your personal information now. They do this by making you think something has happened that requires you to act fast. The faster they get your information, the faster they can move on to another victim.</p>

<p><strong>What's involved in registering to join and participate in PhishTank.com?</strong></p>

<p>PhishTank.com is very user friendly.  All it takes to join in the fight against phishing is to type in a username (one that will be displayed and identify you on the site), an e-mail address, a password you create and a verification code.  It's really that simple.  </p>

<p>Consumer education is one of the largest nets in fighting identity theft.  PhishTank.com has the latest hooks on how to avoid taking the bait for identity theft.<br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Web Applications And Security: How To Secure Custom Web Applications</title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/web-applications-security-how-to-secure-web-applications.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2738" title="Web Applications And Security: How To Secure Custom Web Applications" />
    <id>tag:www.identitytheftsecrets.com,2008://4.2738</id>
    
    <published>2008-11-05T21:03:24Z</published>
    <updated>2008-11-05T21:16:19Z</updated>
    
    <summary>Security for web applications?  Why do I need to think about security for my web-based apps?  Well, whether you&apos;re building it in PHP or Perl, Ajax or ASP, you will likely be collecting the private information of your users.  So, whether you&apos;re helping your web-based users use an application for photo sharing, or offering them free web-based classes, you need to have a plan in place so that the security of your web-based application won&apos;t be compromised.</summary>
    <author>
        <name>Jonathan</name>
        <uri>http://www.strive4impact.com</uri>
    </author>
            <category term="Audios" />
            <category term="Identity Theft Prevention" />
            <category term="Identity Theft Protection" />
            <category term="Identity Theft Secrets Videos" />
            <category term="news" />
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p><strong>Web Application Security</strong><br />
<em>Whether you're building a custom web application, or using one of the off-the-shelf/open source web applications for things like photos, monitoring, or any other PHP, ASP, Perl, AJAX or other language web app, one thing you MUST think about is the security associated with it.</em></p>

<p>In this interview with Paul Herbka from South Seas Corporation (development and training company based out of Colorado), we go in depth in a discussion of web applications, security, and why it's important for any individual or business to seriously consider what their policy is for the security associated with any web-based applications they may deploy online.</p>

<p>Mr Herbka also goes into reviewing some great security platforms for protection of any web-based application.</p>

<p>You can listen to the interview, and/or read the transcript below, for free. <br />
(Paul even offers you a discount if you mention this interview when you call him.)</p>

<p><b><a href="http://www.identitytheftsecrets.com/audios/paul-herbka-web-app-security.mp3" title="Download the email security review and policy interview">Download the interview about what Email Security is in MP3 Format</a></b></p>]]>
        <![CDATA[<p>The following is a presentation of IdentityTheftSecrets.com. </p>

<p><strong>Identity Theft Secrets:</strong> This is Jonathan Kraft with Identity Theft Secrets and I'm here again today with Paul Herbka. Today we're going to be talking about Web Application Security which doesn't sound like that exciting of a topic, but it's pretty amazing what can happen when you have a website or web application that gets hacked and all of your information for all of your customers is stolen and what do you do about that? So Paul's going to talk with us a little about that today. </p>

<p>Paul Herbka is actually the President of The Information Systems Security Association in Denver. He's the Vice President for South Seas Corporation which is headquartered in Littleton, Colorado and he's also a Certified Identity Theft Risk Management Specialist and has spoken at numerous conferences and I know you just have a wealth of knowledge here. So thank you very much Paul for taking a few minutes with us today.</p>

<p><strong>Paul (web application expert):</strong> Absolutely - I appreciate the time to be with you and just share some information. Really I'm hearing a lot of buzz about Web Application Security. It's really become an age where if a company has a website, then they're legitimized and people feel they're a real company and "ok, I can do business with them, because they must be a real one if they have a website." </p>

<p><strong>Identity Theft Secrets:</strong> You know what's funny about that - can I interject there real quick? I actually used to work at when it was US West/Dex, you know the yellow pages and I used to sell internet advertising back in 1999, I was a phone sales rep for internet advertising. I would call these businesses in like Pine Junction, Arizona and I'd say, "hey, we'd like to talk with you about getting your website set up on the internet." And seriously, people would go, "inter- what?!" And it's so funny to have gone from that in 1999 to today where having a website is being a "real business." Anyway, I just thought I would interject that there.</p>

<p><strong>Paul (web application expert):</strong> No, that is funny and it's so true. It's funny - I was just talking to another gentleman and he wants to setup a website; he's like, "well, people keep asking me, what's your website?" As if, as long as they have a website, then he's legitimate. It used to be if you had a business card, you were legitimate and I think some people still do that. But now a lot of people printed up mass, different business cards - so now it's "ok, do you also have a website? - then you must be real!" So it's interesting to see that trend. </p>

<p>Well along with that trend is a lot of people are serving up applications and a lot of even government entities are going to where, "hey, now you can do everything online" -- and it's a mixed review, right?  Some people say "great! Now I don't have to leave home - I can just do that, I can do it online; I can do it while I'm traveling."  Other people say "hey, this is scary, because now all of my information is 'out there.'"</p>

<p>The reality is a lot of different government entities are making it's job applications, etc, are all being done over the web which now means, people are putting in their social security numbers, their date of birth, their address, their home numbers, etc., and all that information is traveling. So obviously, security becomes a big issue in that as people are becoming very aware of the cost-savings by having a website. And not only that, but the ability to maybe be in one town or one country, but now offer things to the world, right? We saw those commercials a while back where they say, "hey, you might be a small business here but now you can do business worldwide by having a website." And you look at the people selling stuff on eBay and now all this stuff is out there. </p>

<p>Now one of the root issues is, is that stuff secure and is your web application secure? So there's actually a coalition out there called OWASP - I don't know if you've heard of them, but they have the OWASP "Top Ten" and what that is, is it's a list of the Top Ten issues or vulnerabilities that they are seeing in web applications. And I won't read through all of them, but the top ones are Cross Site Scripting, Injection Flaws, Malicious File Execution, Insecure Direct Object References, etc. So basically, it's the ability for me to hack that website remotely and now it doesn't matter where I am, I can be in Russia, or China or wherever and hack into these websites and now I no longer have to worry about getting onto the network, right? I don't have to worry about getting into the physical building - they've given me access out on the Worldwide Web and opened it up for me to get in! </p>

<p>The interesting part of that is when people are developing those applications, all the programmers went through school - but in school, they never worried about security. They were worried about efficiency, right? Write better code, more efficient code, less code, the more it can do with less lines -the more efficient it is; the faster it runs, happier everyone is. So they worried less about security, or even not at all about security, and just worried about the efficiency of the code. Well now, what they're finding out is, this code is efficient, but it's very easy to fake or to hack and take advantage of these vulnerabilities that just aren't secure just because of the way it was written. Now when they look at these applications that have grown over the years, that are now thousands and thousands of lines of code, they either need to go back in and do code review or they need to find some other way to secure it. </p>

<p>So that's really become a key issue in web application and web application security. In fact one of the biggest things now that people are looking at are web application firewalls that are purpose-built firewalls specifically just for web applications.</p>

<p><strong>Identity Theft Secrets:</strong> Can you explain more what that means? </p>

<p><strong>Paul (web application expert):</strong> Sure! So web application is really focused on all the different things like SQL Injection, Cross-Site Scripting and Cookie Poisoning. Just a simple example of that, is like if you've ever done an order online and you see there's a large string at the top and then the last part is your order number? Well, if you go up and change that order number -- and it's not a secure website -- then you'll actually pull up someone else's order. Now that's interesting, but it's now a security risk if that order had their name, information, credit card number, address, etc., not to mention their order, which they may be ordering something that they may not want the world to see - depending on who they are and what they're buying or where they're buying it from. </p>

<p><strong>Identity Theft Secrets:</strong> And may also include their credit card information in that order. </p>

<p><strong>Paul (web application expert):</strong>  Absolutely! Credit card information, the CVV code off their credit card, any of that stuff. And depending on again what they're doing it may also include - let's say you're doing a job application and you change that code, now you may be seeing someone else's job application; now it also has their social security number, their date of birth, their home address. As far as an identity thief, they're going, "hey, that's great! Game over! I've got all the information I need. This is fun." Of course the more sophisticated ones are saying, that's only the one-sies and two-sies; I'm going to go after the thousands and the tens of thousands or millions. For the hacker that wants to set up a script to just keep doing that - running through all the orders, that's an easy way to glean information without having to do much hacking. </p>

<p><strong>Identity Theft Secrets:</strong> Right, the machine is doing all the hacking for them at that point. Gleaning some random order numbers over and over and over and over and over until it finds one and then it's grabbing all that information and then putting it into an Excel sheet or something and somebody can open that from wherever. </p>

<p><strong>Paul (web application expert):</strong> Exactly and so we're finding that, more and more, people are going "ohhh, ok, we didn't realize!" They're starting to realize the implications of "yes, it was nice that you put this stuff out there; but now, what are the issues?"</p>

<p>So just as an example of what a web application firewall does is, if there are Web worms - so worms written specifically for the web. A regular firewall only has limited access to stopping that. But a web application firewall is built specifically to. Another example would be web vulnerabilities like Cross-Site Scripting, etc. A web application firewall knows about those -- a regular firewall has no clue. So that's something that's there. The other thing would be directory files or directory structures, brute force attacks, which is where they're basically just guessing passwords or guessing random numbers or guessing strings. Changing the cookies -- most people are familiar with what a cookie is on a website, but a cookie is basically something that says, "I've initiated, I've authenticated this transaction; whether it's a purchase or an inquiry or whatever for maybe my bank statements or maybe my access to my records, for medical or whatever." "I've done the authentication," so then it assigns a cookie to that session or to me so that when I do another request, it says, "oh, ok. I know who you are and I remember who you are." So if I can find a way to adjust that cookie or tamper with that cookie, called Cookie Poisoning, then I can now take that and get other people's information the same way. So that's one example. Brute force attacks are another example where a regular firewall doesn't know how to handle that; but a web application firewall is built specifically to help with that. So it doesn't matter if it's SQL or OS Injection, Cookie Poisoning, Hidden File Manipulation, Parameter Tampering and the list goes on. But there's a bunch of things -- SSL Flooding, a lot of people say, "well, I'm secure, I'm ok, no one can hack in because I'm using SSL VPN or I'm using SSL sessions, HTTPS -- so I'm good." Well, you can do something called SSL Flooding and again a regular firewall isn't going to know what to do about that; whereas a web application firewall can. 
</p>

<p>One of the best web application firewalls out there is an F5 Product and they call it ASM Application Security Manager. But it's basically specifically built to help with that and their whole company policy is to deliver applications that make them secure, but make them available all the time. They also do "load balancing" to make sure that it's got high availability.</p>

<p>So when we talk about web application security, really the two options are either, review all of your code and make sure it's secure which is kind of a nebulous thing to start off with anyway; not to mention a painstaking, time ...</p>

<p><strong>Identity Theft Secrets:</strong> No kidding, hunting through lines of code trying to find vulnerabilities. </p>

<p><strong>Paul (web application expert):</strong> Exactly and thousands and thousands of lines of code which now are causing other things. You need to know not only that, but you need to follow the whole thought process of what's being passed, what should be passed, what are the legal ranges for the items being passed - do we have a way of checking for those legal ranges, testing if they are or aren't legal, etc. And then what happens, how do we handle the exceptions when it's a typo versus it's a hacker trying to get in? So we don't want to cut all sessions that don't have the right information, but we don't want to allow them either. So there's different issues there. </p>

<p>So those are the types of issues that people are facing and I think it's interesting that there are some people that say, "oh, well I'm not worried about that." Well, if that application is tied to a database or tied to your network which now has a database that has any information, again, people's names, social security numbers, their identity, you should be worried about securing that - otherwise you're going to have a breach and you're going to be in the newspaper, you're going to be on the "bad list" of companies to deal with because you don't secure their information correctly. </p>

<p><strong>Identity Theft Secrets:</strong> Let's say I'm either a government institution or a large business. Or even -- I work a lot with internet marketing people - those are some of the people I know just selling odds and ends of little products online. But they're storing credit card information, at least temporarily. If any of those people have issues, what are some good, just everyday resources for people to find details about what they need to do to secure web applications? </p>

<p><strong>Paul (web application expert):</strong> Wow, great question! One is, I would say definitely; find yourself a good security consultant, right? Not just a computer reseller, firewall reseller, but find a security consulting company that focuses on that and there's several things they should do. One is they should be able to do assessments and penetration tests and web assessments to go and find out what are the issues on your website? Is it vulnerable to all those things we just discussed? And then two is, after they do that, they should give you a detailed report that not only says, "here are all the issues we found," but ranks them in the order of priority - here are the issues that are most important; like a high-red - oops, you've got to get this fixed right away. That way you know what your priority list is because no one has unlimited time, unlimited resources and unlimited money to go and just fix all them. You want to figure out what are the big holes that are serious violations or vulnerabilities that I need to plug up now! </p>

<p>Quite honestly, bang for the buck - I would recommend a web application firewall because that's going to stop - with all of your applications, the old ones, new ones, etc., long-term, the whole OWASP mentality is we'll learn how to program better and code better and make that a part of your whole development lifecycle and that's great. It's a great goal, but it's not going to get there quick enough. It's kind of like saying, ok, our car should be energy-efficient. Well that's not just going to work overnight - it's a good goal, but if you're driving an 8-cylinder SUV, it's not going to become energy-efficient overnight. So those are things you can add to that so that it's protected and it's secure to give you time to fix the process behind and work with that. </p>

<p>The other thing is it's constantly getting updated as well from that vendor so that as new vulnerabilities are found, it's keeping up with that and you don't have to worry about it. Because people will just say, "well I'll just work it into my development lifecycle." Even if all their coders were of that same mentality -- which just being real -- they're not, is what about when a new thing comes out are you really going to stop production and coding to go tell everyone about this new thing - here you have to worry about coding it this way or are you just going to say, "well, we'll fix it up in the next version." If that's the case, you're still open to vulnerabilities and you're open to being breached and then you again have that high expense of being reactive to a breach; versus proactive on the front-end. </p>

<p><strong>Identity Theft Secrets:</strong> Sure and what you've said before is that it's always - and I think "always" and "never" are two words you should always remember never to use - but, you've said it's always cheaper to be proactive than to deal with it on the back-end. </p>

<p><strong>Paul (web application expert):</strong> Absolutely, absolutely!  In fact, I want to say it's under 10% -- normally the cost for breaches is usually under 10% to deal with it proactively before it happens versus after the breach occurred because you've got all these fines and notifications and fees and things you've got to do. Not to mention all the hidden costs; customers don't trust you now so you lose business, the goodwill, things you're trying to do then to overcome that goodwill. So yes, if you look at the overall costs, always, always, always - which you should never use - (laughs) it's always more effective to be preventative - at least cost-effective to be preventative - unless you're just one of those gamblers who says, "I'm going to gamble and hope I don't have a breach before I go out of business." But hopefully most people are deciding they want to be in business a long time and therefore that's not a good policy because the chance of time is against you. </p>

<p><strong>Identity Theft Secrets:</strong> Sure. If I'm looking for a solution, what types of solutions are available? </p>

<p><strong>Paul (web application expert):</strong> Wow, there's low-end web application firewalls, there's "do-everything-in-one-box" type of UTM, Unified Threat Management box and the good thing about that is that they do everything. The bad news about them is that they are a "Jack-of-all-Trades, Master of None."  So, they're going to be ok at just about everything, but they're not going to be great at anything. So I really recommend getting a purpose-built box specifically for something as high-volume, high-traffic as a web application where you need that delivery not to be slowed down, but you need it to be looking at everything and securing everything. So I would look at things like that; I would look at again, the F5 product which is really recommended which has great success. It works well, you plug it in and it works; it's what makes it a great solution and they are constantly increasing it and developing it to make sure it's always secure and it's always working to help you.</p>

<p>Then also look at the Data leakage-type products, like the Vontu product from Symantec that really helps you do that. Another thing that people don't realize when they're looking at the costs are just all the different fines. In fact, even the payment card industry has figured out this web application stuff is serious. In their new version, PCI DSS, Version 6.6, they've said, "you've got to have" it's no longer it's "nice to have" - they're saying now "you've got to have either code review, which means going through all those lines of code or you have to have a web application firewall." So they've now admitted to themselves and to their community, hey, if you're taking credit cards, if you're storing credit cards, no matter how temporary that might be, you need to have a web application firewall or you need to show improved and do the constant code reviews to make sure your code is always secure. </p>

<p>Of the two, the least expensive is going to be the web application firewall. Unless again, you only have one program and it's only a couple hundred lines long, then yes, do a code review. But if it's hundreds of thousands or millions of lines of code, a web application firewall is going to be less expensive and it's going to be easier to implement. </p>

<p><strong>Identity Theft Secrets:</strong> You just mentioned too that there was some law or some rule that required people to have things set up. What other kinds of compliance changes or government issues - is the government getting involved as they do in lots of different arenas, so that ideally they'll protect and help people; but what kinds of compliance issues are people facing now when it comes to web application security outside of the one you just mentioned? </p>

<p><strong>Paul (web application expert):</strong> I'm glad you asked that - in fact, it reminds me of a local news story here in Denver where the District Attorney for Denver has just published and said to all the different public websites, so any of the cities or counties or what not, "hey, this is serious and you should not be having people's social security number or private information out on public websites." And while that was a general rule that everyone thought they were following, everyone forgot and again it becomes more of the business process in the paper world that then got changed into the web world and people forgot how that became a security risk.</p>

<p>An example is now, public records for a house; who purchased the house and who's the lien against the house. Wedding information, all that stuff is now filed online and you can look it up online. Well because of that now, people worldwide have access to that, can go in there and get that and they're saying, "hey, we've got to take that off." If you've got a lien record, you're supposed to be taking the social security numbers off, you're supposed to be taking the private information off. So now that's something that's been kind of declared as an internal or external rule, depending on how you look at it, that says, "hey, we need to be doing this!"</p>

<p>Again, it's not something where people were doing maliciously posting information; they were just taking what they did in the paper world and automating it to the web world to make things easier for people. But in our "lust" for making things easier, we forgot about security and now we've opened people up to the possibility of having identity thieves get their information and use it maliciously. </p>

<p><strong>Identity Theft Secrets:</strong> So as far as compliance issues, there's nothing specific necessarily that requires them to be compliant?</p>

<p><strong>Paul (web application expert):</strong> Well, that's where it's interesting. There was no specific solution mentioned, but it basically said, "go through all of your web information, whether it's millions or thousands of pages of stuff you can get off the web and make sure that none of it contains social security numbers, credit card numbers, personal information." </p>

<p>So now there's a huge market out there for programs that can go out and search for that stuff automatically, right? Using the technology to go through and scan your whole farm of web pages and say, ok, where does that apply? And then, either wipe it clean or take those off and find a way to keep that information off of it - and that's important. So now there are programs and one of the things that the F5 product can do and that people are using, is the ability of the F5 product to say, "oops, you're sending out this webpage, but it contains social security numbers. I should change that so that now it's generic, right? And I just put X's instead of the actual number." So that people see, yes, there is a social security number on this file, but they don't know what it is. So that's something that people are doing to automate that. Quite honestly, the payment card industry has said, if you aren't doing that, you're in trouble. Now the Denver District Attorney has said, yes, I want all the state's entities to do that; so it's becoming more and more and I don't think that's a rare thing, I think you're going to see that more and more and more whether you're a small business or government entity falling under the SEC or falling under PCI or SOX or HIPAA. Now all the members saying yes, we need to start securing our data because they're realizing that Identity Theft is a big issue. </p>

<p>So where can you go? Again I would go to ... by all means, you can get in touch with us and we can help you with a solution; we can help figure out what's the best solution. Is it easier to scan through your data, re-clean up your data or just filter it on the way out and change it all out? Or just not allow it? You know there are a lot of different solutions there, but I would say, start working on that and making it a priority. Otherwise you'll end up paying fines or breach costs, one way or another.</p>

<p><strong>Identity Theft Secrets:</strong> I know that South Seas Corp offers people a lot of solutions, as we've talked about before, for dealing with web application security and a whole other variety of things. If people want to get in touch with you, how do they do that?</p>

<p><strong>Paul (web application expert):</strong> Well, the best way is either email or phone. Our 800 number is 1-866-794-1655. Again, toll-free is 1-866-794-1655 or they can call me directly at 303-798-7588. Or they can email me, my email address is pherbka@SouthSeasCorp.com.</p>

<p>One thing I'd like to offer is that anyone who mentions that they heard it here, we will go ahead and give them a discount and we will give them a 2% discount on any web application firewall they buy from us or any services specifically for security by mentioning this ad. As long as two things: one is they are not an already pre-existing customer and it's on something they've already been quoted or already bought and two is that it's not on a government contract, because on government contracts I can't adjust the pricing that way.</p>

<p><strong>Identity Theft Secrets:</strong> Well thank you very much for taking a few minutes with us to talk about web application security. I hope people are more informed about - if they have any sort of web application, they need to be looking at creating some security specifically around that web application.</p>

<p>I appreciate you taking a few minutes to share your expertise with us today.</p>

<p><strong>Paul (web application expert):</strong> Absolutely and one other thing I forgot to mention is another resource they may want to go look at is the OWASP Top Ten. If you just Google OWASP Top Ten, it will give you the Top Ten List and you can drill down in that - here's all the things and here's what it means, here's how to do it, here's how to do the code review, here's some of the products that work against it. So that's a good resource as well -- so I neglected to mention that earlier. If you're in a web application environment, that's hopefully something you already know about but if not, that definitely would be a good place to go to.</p>

<p>There are also local chapters of the OWASP that have different meetings. I know there's a Denver Chapter, there's a Boulder Chapter - they're nationwide. I think they're worldwide, but they're at least nationwide and so you may want to look at if there's an OWASP Chapter in your area and get plugged into that because that's a good way to network with other peers that are concerned about security for web applications as well. </p>

<p><strong>Identity Theft Secrets:</strong> Awesome! Well, thanks so much for taking the time with us today and we'll look forward to talking with you again soon! </p>

<p><strong>Paul (web application expert):</strong> Sounds good, thanks so much for having me!</p>]]>
    </content>
</entry>
<entry>
    <title>Interview - Searching for Email Security: Review And Policy Surrounding What Is Email Security?</title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/searching-email-security-review-and-policy.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2737" title="Interview - Searching for Email Security: Review And Policy Surrounding What Is Email Security?" />
    <id>tag:www.identitytheftsecrets.com,2008://4.2737</id>
    
    <published>2008-11-03T20:46:01Z</published>
    <updated>2008-11-03T21:02:46Z</updated>
    
    <summary>What is email security?  And how can I know which email security products are better than others?  In this interview with Paul Herbka, we review email security products and services, as well as talk about the nature of email security and what you and your company can do to protect yourself.</summary>
    <author>
        <name>Jonathan</name>
        <uri>http://www.strive4impact.com</uri>
    </author>
            <category term="Audios" />
            <category term="Identity Theft Prevention" />
            <category term="Identity Theft Protection" />
            <category term="Identity Theft Solutions" />
            <category term="news" />
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p>Email Security<br />
<em>Should you, as an individual, have a policy around email security?  What is email security anyway??</em></p>

<p>In this interview with Paul Herbka from South Seas Corporation (policy and email security solutions review company based out of Colorado), we go in depth in a discussion of email security, and why it's important for any individual or business to seriously consider what their policy is for email security.</p>

<p>He also goes into a review of email security products and services.</p>

<p>You can listen to the interview, and/or read the transcript below, for free.  (Paul even offers you a discount if you mention this interview when you call him.)</p>

<p><a href="http://www.identitytheftsecrets.com/audios/paul-herbka-email-security.mp3" title="Download the email security review and policy interview">Download the interview about what Email Security is in MP3 Format</a><br /></p>]]>
        <![CDATA[<p>The following is a presentation of IdentityTheftSecrets.com. </p>

<p><strong>Identity Theft Secrets:</strong> This is Jonathan Kraft and welcome back to Identity Theft Secrets. I'm here again today with Paul Herbka who does a whole bunch of things in the security protection industry. Works with a company, out of Colorado, called South Seas Corporation that does a bunch of different compliance issues and helps companies with their security issues. He's also the President of the Information Systems Security Association, the Denver chapter; Vice President of South Seas Corporation; is a Certified Identity Theft Risk Management Specialist (CITRMS) and he has a whole other bunch of things that he's done in this arena.  He's spoken at a few different conferences. Paul, how are you doing today?</p>

<p><strong>Paul (email security expert):</strong> I'm doing well thanks. How are you today?</p>

<p><strong>Identity Theft Secrets:</strong> I'm doing awesome! Thank you for taking a few more minutes with us today to talk about email security. I think what's interesting -- people have heard a lot about worms and viruses and trojans and malware and all this stuff and most people don't even know what it is that is coming at their computer through their email. But most people now today also have installed some sort of protection, or they think they've installed some sort of protection, on their computer. Why should people still be concerned about email security?</p>

<p><strong>Paul (email security expert):</strong> Well, there are really lots of reasons but probably the top two reasons would be; because on the inbound traffic, you can get all those bad viruses from the trojans and other things that then let people "own" your machine and then get your information out of it. The second reason would be because people can accidentally send stuff out not knowing it's confidential or that it's proprietary information or maybe they think it's ok with who they're sending it to and don't realize that other people can find that information out on email, that it's not secure, depending on how you have your email set up. So probably those would be the two biggest reasons - you can boil it down to: you can lose information whether it's on the inbound, people getting access or control. Or on the outbound, people getting information because it's being sent, whether it's accidentally or on purpose, or just they didn't realize that email wasn't secure.</p>

<p>I know I've had conversations with people and they say, "well, I sent that to my friends over email - but no one can see that right?" (Laughs) For you and I, people that are in the world of security -- we laugh. But of course, that's open to the world! Anyone can see it, anywhere in the world -- it's on the worldwide web. That's the stream that it follows! So, depending on how they have their email set up; if people are using Yahoo or Hotmail or whatever. So then that's an interesting question; but yes, the biggest reason is because you're responsible for your people's information, whether it's your customers or your employees, or both. And that's an easy way, a door that's just open and swinging all day long, so it's an easy way to lose information. </p>

<p><strong>Identity Theft Secrets:</strong> Sure, that definitely makes sense. Well and you're talking about from a company perspective, like if you have employees or something, and they're sending out your customer information or your employee information, that could be a pretty serious security threat to your company on an ongoing basis, right? </p>

<p><strong>Paul (email security expert):</strong> Absolutely and in fact there are a ton of compliance laws that now make it more than just a security issue and make it more of a business issue - a business risk; because there are now fines and notification laws and other actions and responsibilities that you have to do if that information gets out. So say for example, if someone emails a spreadsheet -- they were supposed to send some information on a customer to someone and they just send the whole spreadsheet. Well now, that information can be out there and even if that other person on the other end didn't get it, someone may have caught it on the interim and it can be a problem. </p>

<p>The other thing is that the FBI has done a lot of studies and they find that over 70% of breaches are actually internal jobs. And they split it out into different percentages; some of them are malicious, some are just people didn't realize what they were sending and other times people just didn't realize they were sending this stuff to someone who didn't have an official obligation or an official capacity to have that information and they just sent it, not knowing -- just thinking they were being a good citizen or doing their job as a corporate employee. So you see a lot of that and really email seems to be one of the easiest ways - and again it happens both the inbound and outbound but it's different.</p>

<p>So I thought I'd take just a minute and talk about some of the inbound issues versus the outbound and then go from there. Is that ok?</p>

<p><strong>Identity Theft Secrets:</strong> Sure! What are the top issues that people in this arena are facing? If I own the company, or even if I'm just at my home computer, what are the top issues that I should be aware of? </p>

<p><strong>Paul (email security expert):</strong> Sure! So the first one is - everybody is deciding if they want to go green and they want to spend less on gas and so what they're doing is they are saying, "hey, let's do webinars and let's do this free web conferencing and web access and a whole bunch of different company products where they're doing webinars or web information and that's great! And you say, well, what does that have to do with email? Well, when you set those up, most of those say "open up Active X, install Active X" and you do that. Also for emails, a lot of people like the color and interactive emails that are more flashy and more fun to read and cooler to print out, less DOS looking, so they want the XML, HTML etc. Well, by adding all those things to the computer, now when I read email, I can open up an attachment and it may just be a simple picture but there may be some malware attached to that picture, whether it's a virus or a trojan or something that's going to be used to either do a root kit or take over that computer, make it part of a botnet. So there's a lot more things that it can do and now, because of the cool abilities within Active X and Java and all these other new technologies - now you don't even need as much work being done from the end-user - they don't have to open something and run an application - they just have to open the email and look at the picture. In some cases, they just have to open the email and then it runs it for them. In other cases, depending on what Active X or what not you have in place, you just need to get the email and then depending on how you're doing your email reading, it could actually activate some of those Active X or different controls and run malware as well. So it's become a world where everything is more powerful and does things behind the scenes -- which is great -- until you put it in the wrong hands and now it becomes an easier tool to hack into your company. So that's on the inbound side. 
</p>

<p>On the outbound side, it's really a lot of people not realizing, "oops, this is confidential information," because they deal with it all day long. So people become desensitized to "This is Confidential" or "This is Proprietary Information," etc., and as much as you tell them about it and talk about it and put it on there, if you put it on all your documents, eventually they say, "oh that's on everything, I'm just going to send it anyway." They're just trying to help speed-up the process and make more business and make things happen quicker. So they think they're doing something good, but they're actually giving away something that they shouldn't. </p>

<p><strong>Identity Theft Secrets:</strong> Right - so how do you fix that?</p>

<p><strong>Paul (email security expert):</strong> Well, one of the easiest fixes, which is unpopular with the end-users, but popular in the tech field, is just to turn off all those cool applications and applets and things, such as Active X and Java and HTML email and things like that. Unfortunately, many times the owners of the company are the end-user that likes the "pretty," that likes the other stuff and says, "no, we're going to enable that because I like getting my emails with all the pretty pictures and who it's from and the logos and all that. I don't want to just look at boring black and white." So that's one challenge to that solution. </p>

<p>So some other solutions that are out there are solutions that will actually filter email and filter out attachments, filter out web content that they're looking at and really help with that. The other option is to get some kind of a solution that actually does encryption so that as you're doing things, it's encrypted and you're only working with secure people. Now the challenges, that's only if you're in a world where you're not getting emails from a lot of unknown people, that you have known people that you're going to work with and you can kind of set up that encryption. Or number two, it's really good for outbound stuff but it's very hard for the inbound stuff. So typically what we find is that you need to find something that does filtering on the inbound stuff -- that looks at the email and will cut up/strip-off all the negative applications and there are some that actually bring them in and run them in a virtual world - like a little VPN environment and see if it has that code in it and if it does, it doesn't allow it in and if it doesn't, then they allow it through. </p>

<p>So those are the types of solutions that I think people are going to start moving to because they allow the end-user to have the pretty, cool-looking applications that are self-automated while still getting the security for the corporation. So that's the trend I see happening really in the inbound email protection or email scanning. And most of the top competitors are adding those things, they've got the anti-virus, anti-spyware, anti-spamware, you name it and anti-this, that and the other thing and they're adding the                    suites, but they keep finding that their solution still isn't complete enough because the bad guys find one other way to attach it or sneak it in or hide it under the radar. So I think we'll continue to see those being developed. </p>

<p>On the outbound, there are several things you can do and there's a number of products are probably smaller as far as what can fix things on the outbound and what can really scan for that. In particular, there's a product out there called Vontu DLP8 and what it does, Vontu was actually bought a little while ago by Symantec, so most people have heard of Symantec, and what it does is it actually does scanning and it's pretty cool because it will do, really it works with data at rest, it works with endpoint protection, it works with network data and it actually does a full enforcement so that it will actually look at things going out anywhere from email, instant messaging, web traffic, secure web traffic, HTTPS, etc., and it will actually look for that and stop things. One of the neat things that it does - especially in today's world of compliance, is that it will look specifically for things such as social security numbers or credit card numbers or whatever specific things that you put together. It actually does something called a "fingerprint" of that information. So let's say that you have internal documents that are Confidential or Proprietary Information, it will say, "hey, anytime this document is trying to be sent out, don't let it." And the cool thing is you can actually set it for your own policies, so you can say, "hey, let it, but make the end-user pick, here's why I can let it out, here's the justification, I'm sending it to a business partner under a NDA or I'm sending it to a customer and it's their own information or I'm sending it to an approved partner or whatever." That's one option. </p>

<p><strong>Identity Theft Secrets:</strong> Can I ask you a quick question about that?</p>

<p><strong>Paul (email security expert):</strong> Oh absolutely!</p>

<p><strong>Identity Theft Secrets:</strong> How much time do you figure that adds in for the end-user, I mean for the company. Because obviously, if every email you're sending or every third email you're sending has a little box that pops up and says, "this is potentially a harmful email to send, why can you send this?" And obviously they check that box - it's fine, it's good. But, that adds in time into the workday which ends up costing an employer more. How much time do you figure that adds in and how do you factor in that added cost factor?</p>

<p><strong>Paul (email security expert):</strong>  That's a great question, great question! So, first and foremost is it only does that, it only has that pop-up for things that contain the credit cards or social security numbers, etc. So, hopefully, the number of emails that have that stuff in it are few and far in between. Unless you're with a credit processing company and then you may say, "I'm going to turn that rule off and I'm just going to log everything. So I won't ask, I'll just notify and log or I'll just log it, but I'll go ahead and send it anyway." Or, depending if that's not the type of information that normally should be going out, maybe you just have them block it no matter what and when the pop-up comes and says, "hey, you're trying to send out information you shouldn't be" and that works. </p>

<p>So yes, that's a great question - you really need to justify, do I have that on for everyone or do I not have it on? So it depends upon how much of that type of information you're sending out. Now if you're the approver for home loans and you're always sending that information out, then clearly you're not going to want to pick the option where they have to justify live unless you need that for auditing and logging and then you may want it because it makes them more aware --they've got to say exactly why they're sending it and think about, is this only for the customer that I'm sending it to or is this a partner that is truly under a NDA. So while I say it could add to the cost, the other calculation you need to see is how many millions of dollars are we going to lose in business in customer name, or name recognition or brand quality and/or in fines and notification fees if we do have a breach. So there's always two sides to the coin; one is what is it going to cost us proactively and then what is it going to cost us reactively? And the proactive costs are always less expensive than the reactive costs. </p>

<p><strong>Identity Theft Secrets:</strong> Sure, that makes sense. </p>

<p><strong>Paul (email security expert):</strong> So that would be how I look at that and justify that and figure out which solution works there. It's funny because you're seeing now, at least I'm seeing the trend of many DLP products; whether it's data leakage prevention, or data loss prevention products out there and they all do different levels of things. And really I think the best one that I've seen is Vontu, it's the most complete, it's the most granular and yet it's very flexible in that you can set it to be granular or not based on your needs for those departments or those people.</p>

<p><strong>Identity Theft Secrets:</strong> When you say "granular" - what do you mean?</p>

<p><strong>Paul (email security expert):</strong> When I say granular I mean I can actually say, "look for any numbers, "x" number of numbers, dash "x" number of numbers, dash "x" number of numbers or any strings of nine digits." I can look for any variance; I can get as granular as I want to look for ....</p>

<p><strong>Identity Theft Secrets:</strong> So you just mean really detailed that can get ...</p>

<p><strong>Paul (email security expert):</strong> Yes, very detailed exactly. Very granular in what it can filter and what it can look for and then also granular or detailed in the actions I can do. So the other really cool action that is important about that product is that it allows you to do logging, right? So it's one thing to be able to say, look this employee was sending out bad information and it's another thing to be able to log it so that either when you fire them or when you sue them for sending out all your information, or you get sued for that breach, that you can then turn it around and point it to that person because you have the data and the logging of that data to show where the breach happened and it wasn't your company being lackadaisical about security, it was just a bad employee. </p>

<p><strong>Identity Theft Secrets:</strong> So basically this is all about CYA.</p>

<p><strong>Paul (email security expert):</strong> Oh, one hundred percent! In the business world unfortunately, I think most security comes down to CYA. First and foremost hopefully it comes down to -- this is the right thing to do to protect our data, our customer's data and our own employee's data. But on the business level, it's definitely a CYA and an insurance policy against if it does happen, how do we minimize our risk, our exposure and our fines? </p>

<p><strong>Identity Theft Secrets:</strong> So talking about fines - I know that government likes to get involved in all of this to try and regulate it, to try and help people and a lot of times in the process, they create rules which penalize the people who are being most penalized anyway, a lot of times that comes back to the business owner or the individual. Are there any recent compliance changes in this arena as far as email security is concerned that people need to be aware of? </p>

<p><strong>Paul (email security expert):</strong> Well, I think the biggest one is that they're now starting to say, "it doesn't matter what size of business you are, we're going to come after you if you lose your customer's data; and we don't care if it's a thousand names or a hundred names of customers from a small Mom and Pop shop or it's a hundred names or a thousand names from a large IBM-type company." They're really trying to crack down and make the businesses pay and so a lot of the issues out there come down to that.</p>

<p>The other thing is in the payment card industry arena, they've added some more information and laws that say, "hey, we're going to track this and we're going to make sure that you're compliant. And not only are you compliant but now all of the business partners or sub-contractors you use have to be compliant as well." So that trend is now waning and the ripple effect is now coming down to the small Mom and Pop shops, the small one-man contractors, five-person contractor shops. Whereas before, they didn't have to be compliant, but the big company that they were a sub-contractor to did. Well now, they're coming down to the rules saying, "Nope, everyone along the chain has to be compliant and therefore we're going to make you do audits as well. We're going to make sure you prove your compliance." And email is one of the easiest links to show that someone is not compliant on and is one of the most widely used. I don't know anyone who doesn't use email. I take that back, I know one person who doesn't use email, but that person is retired and is happy ...</p>

<p><strong>Identity Theft Secrets:</strong> Living in Fiji!</p>

<p><strong>Paul (email security expert):</strong> ...and is happy not to be using it. For the majority of us out there, email is a way of life and it's a requirement and so you just need to make sure that it's secure. </p>

<p><strong>Identity Theft Secrets:</strong> Obviously you guys offer some solutions, or as a company, you come in and do offer some solutions to people as well. I know you partner with a lot of people; you've mentioned Vontu a couple of times here in the conversation. If people wanted to get a hold of you for help with their email security, what would be the best way for them to go about doing that? </p>

<p><strong>Paul (email security expert):</strong> I think the best way to do that is if they send a gold bullion cube to me directly and then I will be very responsive on the help and support for them. </p>

<p><strong>Identity Theft Secrets:</strong> Gold bullion cube?! How much gold is in a gold bullion cube? </p>

<p><strong>Paul (email security expert):</strong> Well, it depends, if it's a one-ounce one or a hundred-ounce one ...</p>

<p><strong>Identity Theft Secrets:</strong> Right! A hundred ounces will get you quicker results! </p>

<p><strong>Paul (email security expert):</strong> That's right, that's right! No, to be serious though, customer service is very important, we don't care if you're a large customer or a small customer our business is built on references and it's built on good customer service and a good reputation. So you don't have to send the gold; if you do, I'll keep it and will cheerfully accept it! </p>

<p>But the easiest way would probably be through our 800 number, that number is 1-866-794-1655, 1-866-794-1655 or they can call me directly at 303-798-7588 or even easier, they can use email which we just discussed everyone uses, most everyone uses. My email address is pherbka@SouthSeasCorp.com. </p>

<p><strong>Identity Theft Secrets:</strong> And you mentioned in a previous interview, I'm sorry to interrupt you there, but you mentioned in a previous interview we did actually, that if people mentioned, when they are a new customer of yours, that you would give them a discount if they heard about it through this interview. </p>

<p><strong>Paul (email security expert):</strong> Absolutely and we will give them a discount - it will be somewhere between 2 and 5% depending on the product or the solution that they pick. But I'll guarantee them 2% discount and up to 5% discount on any of the solutions they have just for mentioning that they saw it here on your network. </p>

<p><strong>Identity Theft Secrets:</strong> Great! Well, thank you very much and obviously you are a wealth of knowledge -- appreciate you taking a few minutes to talk with us today about email security. </p>

<p><strong>Paul (email security expert):</strong> Thank you and have a great day! </p>]]>
    </content>
</entry>
<entry>
    <title>Cash, Check, Money Order &amp; PayPal No More on Ebay </title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/cash-check-money-order-paypal-no-more-on-ebay.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2680" title="Cash, Check, Money Order &amp; PayPal No More on Ebay " />
    <id>tag:www.identitytheftsecrets.com,2008://4.2680</id>
    
    <published>2008-10-30T20:30:32Z</published>
    <updated>2008-10-30T20:32:02Z</updated>
    
    <summary>Many consumers are complaining that they don&apos;t want to use these new accepted only eBay payment methods . . . </summary>
    <author>
        <name>Lisa Carey </name>
        <uri>http://www.identitytheftsecrets.com</uri>
    </author>
            <category term="Identity Theft Prevention" />
            <category term="Identity Theft Protection" />
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p>Just in time for the holiday shopping season, eBay, one of the world's largest internet stores, makes changes to their payment policies. What are these changes and what do they mean to you and how you shop? Will they make you safer or are they simply a method for eBay to make more money?  You decide and share your thoughts! </p>]]>
        <![CDATA[<p><b>eBay announces big changes.  Are you safer?</b></p>

<p>eBay recently announced that checks and money orders would no longer be allowed as payment methods on eBay.  Under the new policy all items sold on eBay must be paid for through PayPal, credit or debit card payment to a seller through a merchant account, ProPay or payment upon pick up.  PayPal account users can use not only existing PayPal account balances but also credit cards, debit cards or bank account withdrawals.  The credit or debit card payments to sellers must be done through an internet merchant account. There are a few exceptions to the payment rules, including vehicles, business and industrial equipment, real estate and "mature audience" items.  Further, eBay promises that in January 2009, all of the approved eBay payment methods will be integrated into eBay check out.  </p>

<p>Some buyers and sellers are saying Ouch!  eBay insists that these changes benefit buyers and sellers.  They claim that buyers can expect a more consistent and secure check out experience, therefore increasing buyer confidence and ultimately sales.  eBay also suggests that the change will benefit sellers by providing them with more reliable and faster payments.  In turn eBay argues that when payment is received faster, items are shipped faster and buyers are happier too.  </p>

<p><b>The Facts Presented by eBay</b></p>

<p>eBay points out that of US transactions paid with PayPal, 25% are paid within 5 minutes and 73% are paid within 24 hours.  </p>

<p>eBay argues that listings that don't accept PayPal or credit cards are more than twice as likely to experience an unpaid item as listings that only accept these payment methods.</p>

<p>eBay further states that buyers today who pay with a check or money order on eBay are 80% more likely to file an "item not received" dispute and 50% more likely to leave negative feedback than buyers who pay with PayPal or credit cards.</p>

<p>eBay also shares that 1 out of 5 current eBay transactions send buyers off eBay to complete their purchase and buyers' experiences vary greatly depending on the payment provider and seller. By using an integrated payment system, buyers will be able to remain on eBay to pay.  </p>

<p>And therein may be part of the problem.  Some people feel that this change benefits eBay, which gains when users pay through PayPal, more than it benefits sellers and buyers. Some feel that eBay's new plan keeps all payments running through eBay and encourages the payment methods that are profitable for eBay.</p>

<p>Many consumers are complaining that they don't want to use the only payment methods eBay now accepts because they are uncomfortable providing credit card or debit card information online for fear of identity theft or fraud.  Some eBay buyers argue that they have been buying comfortably on eBay for years with money orders and never had or reported a problem. Others argue that there is still a cash economy in the U.S. that eBay is ignoring.  With the recent banking crisis, many argue that they are unable to use credit cards or are untrusting of banks and unwilling to shop at eBay under these new rules.  Some sellers are unhappy too.  Sellers who have not wanted to pay the extra fees for a merchant account that lets them accept credit cards aren't happy either. Others argue that Google Checkout is a good alternative not included in eBay's new check out plans.  </p>

<p>One unhappy eBay seller has said, "If the check doesn't clear---you don't ship. Simple as that. PayPal only benefits only one place EBAY AND EBAY alone--more money in their pocket since they own PayPal."</p>

<p>PayPal itself has been found to be a safe way to make financial transactions online, whether with eBay or other popular online sellers.  Readers will remember, though, and should keep in mind for their own safety, the identity theft phishing scam in which e-mails claiming to be from PayPal redirected readers to an unsafe site in an attempt to get their personal information.  </p>

<p>Was eBay's decision motivated by profits or by increasing happy buyers and sellers?  Are eBay users safer from identity theft and fraud or more at risk?   Do you feel safer using PayPal?  And how do you pay for items on eBay?  Leave us your comments and let us know what you think.<br />
</p>]]>
    </content>
</entry>
<entry>
    <title>What&apos;s Posted about You Online and Do You Really Want it There? </title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/whats_posted_about_you_online_and_do_you_really_wa.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2687" title="What's Posted about You Online and Do You Really Want it There? " />
    <id>tag:www.identitytheftsecrets.com,2008://4.2687</id>
    
    <published>2008-10-24T19:57:48Z</published>
    <updated>2008-10-29T15:41:57Z</updated>
    
    <summary>AARP and Google came together to talk about how to protect your computer, and how to keep your personal information off of the Internet.  Have you ever Googled or used other search engines to find out what is posted on-line about you?  What if you don&apos;t like what you find-- what do you do? </summary>
    <author>
        <name>Lisa Carey </name>
        <uri>http://www.identitytheftsecrets.com</uri>
    </author>
            <category term="Identity Theft Prevention" />
            <category term="Identity Theft Protection" />
            <category term="Identity Theft Secrets Videos" />
            <category term="Identity Theft Solutions" />
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p>Have you ever Googled or used other search engines to find out what is posted on-line about you?  What if you don't like what you find?  What do you do? </p>]]>
        <![CDATA[<p>Google and AARP have broadened their services to provide videos which may help you with your safety online. These videos will help you to discover what is posted online about you, with simple step-by-step instructions on how to get the information removed from search engines as well as webpages.  </p>

<p>Protect yourself and your information, be persistent, and you can work to keep your information off of the internet -- which the AARP video refers to as a virtual card catalog of information on just about everything and everyone.  </p>

<p>There is some truth to that, depending on who you are, and how much information is out there about you.</p>

<p> Use this information to make sure what is "out there" about you is only what you want to have out there. </p>

<p><strong>Sources:</strong><br />
Check out all the videos Google and AARP created at the <a href="http://www.youtube.com/watch?v=cdO670FOmFM&feature=PlayList&p=E5469A21B9F9E466&index=0&playnext=1" target="personal_information_tips" title="YouTube videos about protection of your personal information">YouTube Channel</a> about personal information protection.</p>

<p>And here's <a href="http://googleblog.blogspot.com/2008/09/online-safety-tips-from-google-and-aarp.html" target="personal_information_protection" title="Google Blog about protection of your personal information">the post about finding what information about you is online</a> at the official Google Blog.</p>]]>
    </content>
</entry>
<entry>
    <title>AT&amp;T&apos;s Pledge to Protect You: What Should Other Companies Do? </title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/atts-pledge-to-protect-you-from-online-advertising.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2677" title="AT&amp;T's Pledge to Protect You: What Should Other Companies Do? " />
    <id>tag:www.identitytheftsecrets.com,2008://4.2677</id>
    
    <published>2008-10-20T21:03:26Z</published>
    <updated>2008-10-20T21:16:34Z</updated>
    
    <summary> &quot;While this pledge represents AT&amp;T&apos;s commitment, there are many other companies with access to information about online users, many of which collect large volumes of data every day for advertising purposes without the knowledge or affirmative consent of those users.&quot;</summary>
    <author>
        <name>Lisa Carey </name>
        <uri>http://www.identitytheftsecrets.com</uri>
    </author>
            <category term="Identity Theft Prevention" />
            <category term="Identity Theft Protection" />
            <category term="Identity Theft Solutions" />
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p>AT&T has pledged to protect their customers' information during their online experience, as well as provide customers and visitors who visit their site with more control over their information and whether it is shared. What should other companies do?  Share your thoughts with Identity Theft Secrets. </p>]]>
        <![CDATA[<p>AT&T Pledges To Protect Internet Users Privacy<br />
Mike Sachoff | Staff Writer<br />
WebProNews.com<br />
 <br />
Says others should do the same<br />
 <br />
AT&T is calling on all companies that track and collect data on Internet users' search and browsing activity to give consumers more control over how their online habits are collected and used.<br />
 <br />
"While we have no immediate plans to offer online behavioral advertising we believe that a key dimension of any such program would be to give customers significant control over collection and use of their search and Web browsing data for online advertising purposes, by requiring their advance affirmative consent," said Dorothy Attwood, Chief Privacy Officer, AT&T, testifying before the Senate Committee on Commerce, Science, and  Transportation.<br />
 <br />
"Over the past several months we have talked with consumers about what they want and expect from any company using their online information to provide behavioral advertising," Attwood said. <br />
"Based on that input, we pledge to uphold a few simple principles in the design of any online behavioral advertising program we may deliver in the future."<br />
 <br />
Attwood said AT&T would seek permission from its customers before collecting and using their information for online behavioral advertising. AT&T would have transparent information about what the company would collect and use for online behavioral advertising.<br />
 <br />
Customers will be able to opt in or out of any AT&T behavioral advertising program. Their identities will be protected no matter what choice they make about being part of any behavioral advertising campaign.<br />
 <br />
Attwood pointed out that privacy issues are not only related to ISPs. "While this pledge represents AT&T's commitment, there are many other companies with access to information about online users, many of which collect large volumes of data every day for advertising purposes without the knowledge or affirmative consent of those users."<br />
 <br />
"Only when all companies that track and collect data for the purpose of delivering behavioral advertising -- including search engines, advertising networks and ISPs -- adopt similar commitments to transparency, customer control and privacy will Internet users have more confidence in the privacy of their online experience," said Attwood.</p>

<p><em><strong>Imagine, getting info without having to give any! I spent many years working for a university, that required you to "tailor" your experience with your name and information, to get information from the school. At the time, it was considered great marketing. The information was supposed to be limited to use by the university, but do you wonder like I do, that if the information IS THERE, even if the business doesn't sell it or make it available, maybe it still is available to those who shouldn't have it?  </p>

<p>What do you think?  Should more companies be required to protect their customers' privacy? What are the advantages to this system?  How can we know our information is safe online and still get the services we need?  Is AT&T setting a standard?  Share with us your thoughts. </strong></em></p>]]>
    </content>
</entry>
<entry>
    <title>Do You Worry about Online Privacy? </title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/americans-worry-about-online-privacy.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2676" title="Do You Worry about Online Privacy? " />
    <id>tag:www.identitytheftsecrets.com,2008://4.2676</id>
    
    <published>2008-10-18T20:52:11Z</published>
    <updated>2008-10-18T21:01:52Z</updated>
    
    <summary>&quot;Americans are clearly concerned with how their personal information is being collected and used by Internet companies,&quot; . . .  </summary>
    <author>
        <name>Lisa Carey </name>
        <uri>http://www.identitytheftsecrets.com</uri>
    </author>
            <category term="Identity Theft Prevention" />
            <category term="Identity Theft Protection" />
            <category term="Identity Theft Solutions" />
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p>How many people do worry about their online privacy?  How many take steps to protect it, and what are some things that you don't want companies to do with your information?  WebProNews takes a look at how Americans feel, and now you can weigh in too: answer our questions at the end of the article. </p>]]>
        <![CDATA[<p>Americans Anxious Over Online Privacy<br />
Mike Sachoff | Staff Writer<br />
WebProNews.com<br />
 <br />
The majority of Americans are concerned about what is being done with their personal information online according to a new poll from Consumer Reports.<br />
 <br />
The poll found that 82 percent of people are concerned about their credit card numbers being stolen online, while 72 percent are concerned that their online activity is being tracked and profiled by companies.<br />
 <br />
Over two-thirds (68%) of Americans have provided personal information to gain access to a Web site, but 53 percent said they were not comfortable with Internet companies using their email content or browsing history to send relevant ads, and 54 percent are uncomfortable with third parties collecting information about their online behavior.<br />
 <br />
The overwhelming majority (93%) of people think Internet companies should always ask permission before using personal information and 72 percent want the right to opt out when companies track their online behavior.<br />
 <br />
"Americans are clearly concerned with how their personal information is being collected and used by Internet companies," said Joel Kelsey, policy analyst with Consumers Union. "The vast majority of consumers want more control over their personal information online and want the ability to stop internet companies from tracking and profiling them."<br />
 <br />
The poll shows that people are taking steps to limit the information that is being compiled and shared about them online. Thirty-five percent use alternate email addresses to avoid providing real information; 26 percent use software that conceals their identity; and 25 percent have provided bogus information to access a Web site.<br />
 <br />
People are aware that information about their surfing habits is being collected online, but many do not know what companies do with their information.<br />
 <br />
The majority (61%) believe what they do online is private and not shared without their permission. Just over half (57%) falsely believe that companies are required to identify themselves and indicate why they are collecting data.<br />
 <br />
Just under half (48%) incorrectly believe their consent is required for companies to use personal information they collect from online activities and 43 percent wrongly believe a court order is needed to monitor activities online.<br />
 <br />
"Many consumers have misconceptions about the information available about them and how commonly it is sold by companies without their knowledge," said Kelsey. "Our poll makes clear that consumers want more control over the treasure trove of information companies are collecting about their activities online."<br />
<em><br />
<strong>What about you?  What do you think?  Should companies require you to give information just to view their website? For example, many newspapers now require basic information to create an account simply to read the news online.  Should we have to provide our name and location?  What do they do with this information? How is it used?  And, have you ever provided "false" or "fake" information or created an email address just for these reasons?  Why?  Share with Identity Theft Secrets your take on this important privacy issue. </strong></em></p>]]>
    </content>
</entry>
<entry>
    <title>The Dream Work from Home Job May Be an Identity Theft Nightmare</title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/work-from-home-identity-theft-scams.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2675" title="The Dream Work from Home Job May Be an Identity Theft Nightmare" />
    <id>tag:www.identitytheftsecrets.com,2008://4.2675</id>
    
    <published>2008-10-15T23:15:16Z</published>
    <updated>2008-10-15T23:16:42Z</updated>
    
    <summary>Many people are looking for work from home opportunities and identity thieves and scammers are glad to hear it.  . . </summary>
    <author>
        <name>Lisa Carey </name>
        <uri>http://www.identitytheftsecrets.com</uri>
    </author>
            <category term="Identity Theft Prevention" />
            <category term="Identity Theft Protection" />
            <category term="Identity Theft Solutions" />
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p>From work at home to finding your mate, find out what scams out there are taking your money and your identity. </p>]]>
        <![CDATA[<p>There are identity theft scams and then there are identity theft scams within identity theft scams.  The "Work from Home" scam, also known as the "Reshipping" scam, is one such scam, in which thieves who have stolen identities and made fraudulent credit card purchases then recruit other unknowing victims to share their identity information and do their dirty work.  </p>

<p>"Work from Home" notices get a lot of attention as many people desire to work from home to spend more time with their children or to save gas money or other resources.  Working from home is an ideal employment opportunity for many, but not all work from home opportunities are created equal.  This scam has used posted "Work from Home" signs as well as advertisements on popular on line job search sites such as Monster.com.  </p>

<p>Prospective employees are asked for all personal information, including their Social Security Number and date of birth.  This doesn't seem out of the ordinary when applying for employment, but unless you "know" the company, always verify a company's legitimacy before giving them your personal information.  You can check on a company through:</p>

<p>•    Local consumer protection agencies<br />
•    Federal Trade Commission<br />
•    Better Business Bureau<br />
•    The state attorney general</p>

<p>The ads often say they are looking for "merchandise managers" or "package processing assistants."  Duties listed include receiving, packaging and remailing merchandise for clients.  </p>

<p>Victims are then "hired" and they immediately begin receiving packages at their residence for repackaging and shipping abroad.  Of course, the merchandise has been purchased with stolen credit card information.  Soon the "employees" will receive a third party cashier's check, not a regular paycheck.  What's even better is the check is for too much.  How lucky can you get?  But here's the catch.  The "company" acknowledges the error, asks you to go ahead and cash the check and get your money and then to electronically forward the extra to a bank account, which is invariably overseas.  Of course, once the bank learns the cashier's check is counterfeit, the victim is now responsible for the total amount.  Instead of landing a new work from home job, they've landed in a nightmare.  Victims have lost money, participated in the shipment of stolen goods and handed over their personal information to known identity thieves.  </p>

<p><strong>Other Versions of the Work from Home Identity Theft Scam</strong><br />
<strong><br />
Sweetheart Scams</strong></p>

<p>These scammers also look for prey on dating websites. They spend a little time to "get to know you" and may even send a photo or flowers. Then they ask you to help their business or family by shipping packages to Europe or Africa. They may even claim to be working with a charity or as a missionary and ask you to help them get merchandise delivered to Africa or another part of the world.</p>

<p>Of course, this "Sweetheart" is really asking you to commit a crime by smuggling stolen goods. You can be sure that the photo they sent you is fake and what's worse you've given these identity thieves your address and personal information. </p>

<p><strong>Avoiding the Con</strong></p>

<p>*Don't accept packages for anyone you don't know personally.  <br />
*Check out any potential employer before you give them any personal information.  <br />
*Be suspicious of e-mail or chat room sweethearts.  </p>

<p>What to do if You've Been Conned:</p>

<p>*If you've already received merchandise, DO NOT mail it.<br />
*Save all correspondence including paperwork, e-mails or faxes.<br />
*Contact Postal Inspectors at 1-877-876-2455.</p>

<p>Be savvy.  Identity thieves are!  Companies are constantly looking for ways to eliminate the middleman.  Why would a company pay to mail merchandise to you and then pay you to re-mail it?  You can be sure crooks will give you a convincing reason but don't be victimized by scammers who take advantage of your desire to work from home or make a friend on line.</p>]]>
    </content>
</entry>
<entry>
    <title>Will this USB Based Vault Keep You Safe While Shopping On Line? </title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/usb-based-vault-safe-shop.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2615" title="Will this USB Based Vault Keep You Safe While Shopping On Line? " />
    <id>tag:www.identitytheftsecrets.com,2008://4.2615</id>
    
    <published>2008-10-12T17:28:22Z</published>
    <updated>2008-10-15T20:12:47Z</updated>
    
    <summary>Software reviewers have found ID Vault easy to use.  Consumers agree that ID Vault is easy and can be very helpful.  However, the biggest consumer complaints . . . </summary>
    <author>
        <name>Lisa Carey </name>
        <uri>http://www.identitytheftsecrets.com</uri>
    </author>
            <category term="Identity Theft Prevention" />
            <category term="Identity Theft Protection" />
            <category term="Identity Theft Solutions" />
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p>ID Vault is a portable protection service which offers several special features to not only keep your information safe but to make your on line shopping experience easier -- most of the time. Read more .... </p>]]>
        <![CDATA[<p>As consumers, we don't just want our cake and to eat it too.  We want to order our new cake pan on-line and have it delivered without worrying that we've put ourselves at risk for identity theft.  We don't want to worry that when we order on line from the butcher, the baker and the candlestick maker that we've exposed ourselves to identity theft.  Yet, every time we log on and enter our user name, pin and credit or debit card information, our risk can increase.</p>

<p>ID Vault is a product that can offer on-line banking and shopping customers some protection.  </p>

<p><strong>What is ID Vault?</strong></p>

<p>ID Vault offers a USB security token with an embedded smart card chip that is easy to use.  There are three steps:</p>

<p>1. Plug your ID Vault in to your USB port.</p>

<p>2. Choose the online account you want to log in to.</p>

<p>3. Enter your ID Vault PIN to unlock your username and password.</p>

<p>ID Vault remembers all of your user names and passwords, which is very helpful in addition to protecting you.  You only have to remember a single PIN number.  Now you can be automatically signed in with just a few mouse clicks.  No more typing isn't just convenient, it's also safer.  </p>

<p>You are now logged in to your online account quickly and securely, and can bank, shop and invest online with confidence.<br />
<strong><br />
How Does ID Vault Protect You?</strong></p>

<p>ID Vault protects you against phishing, pharming and keystroke logging, three common means of identity theft.  </p>

<p>It encrypts and stores usernames and passwords for up to 100 on-line accounts and also credit card information for up to 25 credit cards.</p>

<p>If your ID Vault is stolen, no one can access your information without your PIN.  <br />
<strong><br />
The System Requirements for ID Vault</strong><br />
*Windows XP or Windows Vista<br />
*Internet Explorer version 6.0 or higher<br />
*Minimum 600 MHz processor<br />
*Minimum 512 MB RAM<br />
*At least 40 MB of free disk space<br />
*One free USB 1 or USB 2 port<br />
*One CD-ROM or DVD drive</p>

<p><strong>What You Should Know About ID Vault</strong></p>

<p>Software reviewers have found ID Vault easy to use.  Consumers agree that ID Vault is easy and can be very helpful.  However, the biggest consumer complaints regarding ID Vault involve financial institutions and consumer shopping sites that are not compatible with ID Vault.  Depending on the diversity of your on-line habits, ID Vault may work with more or less of your favorite on-line transactions.  Consumers should research the compatibility of this product with their own favorites before purchasing.  </p>

<p>ID Vault is $39.99 at their site and this includes the USB security token with an embedded smart card chip and a one year subscription to ID Vault services.  Consumers should note, as their web site discloses, that after one year an ID Vault subscription must be renewed at current subscription prices.</p>

<p>Keylogging, phishing and pharming can not only take the cake, but your identity, your money and your credit too.  ID Vault can be a helpful tool to protect against identity theft.  In addition to identity theft protection, ID Vault can also save you time as it eliminates remembering and retyping password after password as you shop or bank on-line.  Everyone has unique shopping habits, so all consumers should research whether or not ID Vault is a good match for them.</p>]]>
    </content>
</entry>
<entry>
    <title>Identity Theft and Charity Begin at Home </title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/identity-theft-and-charity.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2599" title="Identity Theft and Charity Begin at Home " />
    <id>tag:www.identitytheftsecrets.com,2008://4.2599</id>
    
    <published>2008-10-09T20:51:34Z</published>
    <updated>2008-10-15T20:18:13Z</updated>
    
    <summary>Before Hurricane Katrina even hit the coast, criminals were setting up websites . . . in an effort to collect money and personal information. . . the FBI reported that it had identified over 4,000 bogus websites that were attempting to take advantage of the goodwill of generous people.
</summary>
    <author>
        <name>Lisa Carey </name>
        <uri>http://www.identitytheftsecrets.com</uri>
    </author>
            <category term="Identity Theft Prevention" />
            <category term="Identity Theft Protection" />
            <category term="Identity Theft Solutions" />
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p>In times of natural disaster many people desire to help, to make a difference. How can you be generous and safe on line?  Find out about an organization that can help you. </p>]]>
        <![CDATA[<p>In times of crisis, citizens can become more generous than ever.  Following the devastating terrorist attacks of 9/11 and the destruction of Hurricane Katrina, people made charitable donations in record numbers.  Now our country is cleaning up and rebuilding after Hurricane Ike.  As a resident of Houston, I know too well the destruction and the need and also the caring and generous giving of others.  While helping and giving to victims of disaster is so important, it is also important that well-meaning contributors not become victims themselves of identity theft.  There are many trustworthy, well-organized charities in need of your financial assistance and unfortunately there are many thieving, scamming individuals who want to take advantage of your good intentions and help themselves to your generous contributions.  </p>

<p>Instead of becoming fearful of giving, it is important to educate yourself on safe giving to protect yourself from identity theft and to make sure your money goes to the people who really need it.</p>

<p><strong>Lessons learned from Katrina</strong></p>

<p>Most of us would agree that there were many lessons to be learned from Hurricane Katrina.  One relates to on-line scams. Before Hurricane Katrina even hit the coast, criminals were setting up websites that included the keyword Katrina along with key words like help and relief in an effort to collect money and personal information. In the weeks following, the FBI reported that it had identified over 4,000 bogus websites that were attempting to take advantage of the goodwill of generous people.  </p>

<p><strong>Tips for Dealing with Charities On-line Safely</strong></p>

<p>*Unless you've signed up to receive newsletters from charities, be skeptical of e-mail solicitations.  As a general rule, reputable charities do not solicit donations through e-mails.  Many scammers create e-mails that look like they come from a charity name you recognize, but links could take you to an unsafe site, unrelated to the reputable charity.</p>

<p>*If you are interested in a charity, start by checking out the actual web address.  Most non-profit web addresses end with .org not .com.</p>

<p>*No reputable charity should ask for your social security number or date of birth on line.</p>

<p>*The same goes for solicitations by phone.  Say no, or if you are interested, ask for information on the charity to be mailed to you and give no information beyond your mailing address. </p>

<p>*Giving on line to reputable charities at their safe sites is convenient, safe and economical for both you and the charities.</p>

<p><strong>How Can I Check Out Charities & Give On Line Safely?</strong></p>

<p>CharityNavigator.org rates charities and gives you direct links to reputable charities.  At CharityNavigator.org you can research charities by name, rating (they have a zero to four star rating system) or by city or state.</p>

<p>CharityNavigator.org has many articles on smart giving that are helpful, especially in times of giving following a crisis.  They remind us that new, even well-meaning charities are often not equipped to be most effective during times of crisis.  They suggest, at a minimum, requiring proof of a 501 C for any new charity and recommend giving to organizations with a strong track record for responding to disasters, like the Red Cross, which has a four star rating.  </p>

<p>You want to help and there are so many people, including the victims of Hurricane Ike, that need your help.  Just make sure that as you reach out to help victims, you aren't reeled in by a scam that puts you at risk for identity theft. <br />
</p>]]>
    </content>
</entry>
<entry>
    <title>Trust Doesn&apos;t Come Cheap-Especially with Telephone Calls and Your Credit Card </title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/trust-telephones-and-identity-theft.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2592" title="Trust Doesn't Come Cheap-Especially with Telephone Calls and Your Credit Card " />
    <id>tag:www.identitytheftsecrets.com,2008://4.2592</id>
    
    <published>2008-10-06T03:08:23Z</published>
    <updated>2008-10-15T20:20:06Z</updated>
    
    <summary>Criminals are calling victims on the phone and claiming that they work for Visa or MasterCard fraud or security department.  They tell victims that they have identified a suspicious purchase . . . </summary>
    <author>
        <name>Lisa Carey </name>
        <uri>http://www.identitytheftsecrets.com</uri>
    </author>
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p>If phishing doesn't work to get your credit card information, this telephone call just might. It's pretty convincing and, without this information to warn you, it could cost you.  </p>]]>
        <![CDATA[<p><b>They are at it again and this scam is slick.</b></p>

<p>There is a new telephone credit scam.  You'd think it could never work.  Everyone knows that you should never, ever give your credit card account information over the phone and that your financial institutions would never ask you for this information by phone or by e-mail.</p>

<p><b>So how does this new identity theft scam work?</b></p>

<p>Criminals are calling victims on the phone and claiming that they work for the Visa or MasterCard fraud or security department.  They tell victims that they have identified a suspicious purchase and are contacting them to verify this purchase.</p>

<p>It seems legit at first because the callers do not ask for your credit card number.  In fact they already have it. </p>

<p><b>This is a transcript of a variation of these identity theft credit card fraud scams:</b></p>

<p>Caller: 'This is (name), and I'm calling from the Security and Fraud Department at VISA. My Badge number is 18228. Your card has been flagged for an unusual purchase pattern, and I'm calling to verify. This would be on your VISA card, issued by (name of bank). Did you purchase an Anti-Telemarketing Program for $499.99 from a company based in New Mexico?'</p>

<p>When victims say "no", the caller continues by saying, 'Then we will be issuing a credit to your account. This is a company we have been watching and the charges range from $200 to $499, just under the $500 purchase price that flags most cards. Before your next statement, the credit will be sent to (gives you your address), is that correct?'</p>

<p>When victims say "yes," the caller continues - "I will be starting an investigation. If you have any questions, you should call the 1- 800 number listed on the back of your card (1-800-VISA) and ask for Security. You will need to refer to this Control Number." The caller then gives you a 6-digit number and asks, "Do you need me to read it again?"</p>

<p><b>Here's the catch!</b></p>

<p>The caller then says, "I do need to verify you are in possession of this card and that it has not been stolen."  He'll ask you to turn your card over and look for some numbers, saying, "There are 7 numbers; the first 4 are part of your card number, the next 3 are the security numbers that verify you are the possessor of the card. These are the numbers you sometimes use to make Internet purchases to prove you have the card." The caller will ask you to read the 3 numbers to him. After you tell the caller the 3 numbers, he'll say, 'That is correct, I just needed to verify that the card has not been lost or stolen, and that you still have your card. Do you have any other questions?' After you say "no", the caller then thanks you and states, "Don't hesitate to call back if you do."<br />
Victims who participate have then learned that a fraudulent charge for up to $499.00 was immediately made to their credit card.</p>

<p><b> Why do people fall for this?</b></p>

<p>*We are used to people asking us for the three digits on the back of the card for verification.</p>

<p>*We feel safe since they never asked us for our card number.</p>

<p>*As credit card companies have stepped up fraud alerts, many people are not suspicious of the call.</p>

<p>*We are panicked to get an almost $500.00 charge removed quickly.</p>

<p>Remember that credit card companies and banks will never ask you for your credit card or bank account numbers over the phone or by e-mail, nor would they ask you for the three digit verification on the back of your card.  </p>

<p><b>What should you do to avoid being the victim of identity theft and a credit card scam?</b></p>

<p>*If you receive such a call, or an e-mail for that matter, make no response by phone or e-mail.  Hang up and call the number on your card and ask for the fraud department to verify if you do have a problem.  </p>

<p>*Don't let statements sit around.  Open them immediately to look for fraud while the trail is still hot.</p>

<p>*Report any scams, whether you became a victim or were just intended prey, to the local authorities to help prevent others from falling victim to identity theft.  </p>

<p>It seems that identity thieves stay one step ahead of us on the learning curve.  We learn to never give out our card numbers over the phone, and so they steal card numbers other ways and rewrite their scripts to get our security codes.  Being aware of these scams is the best way to protect yourself and avoid becoming the next victim of identity theft.  </p>]]>
    </content>
</entry>
<entry>
    <title>How To Control Who Has Access? Authentication and Access Control Services and Solutions</title>
    <link rel="alternate" type="text/html" href="http://www.identitytheftsecrets.com/two-factor-authentication-access-security-services.html" />
    <link rel="service.edit" type="application/atom+xml" href="http://www.greatcareeroption.com/cgi-bin/mt/mt-atom.cgi/weblog/blog_id=4/entry_id=2588" title="How To Control Who Has Access? Authentication and Access Control Services and Solutions" />
    <id>tag:www.identitytheftsecrets.com,2008://4.2588</id>
    
    <published>2008-10-02T08:08:02Z</published>
    <updated>2008-10-25T21:00:52Z</updated>
    
    <summary>Two Factor Authentication What is it, how does it work, and why is two factor authentication better than just one factor authentication? In this interview with Paul Herbka from South Seas Corporation (services and solutions based out of Colorado), we go in depth in a discussion of two-factor authentication, and...</summary>
    <author>
        <name>Jonathan</name>
        <uri>http://www.strive4impact.com</uri>
    </author>
            <category term="Articles" />
            <category term="Audios" />
            <category term="Identity Theft Protection" />
            <category term="Identity Theft Solutions" />
    
    <content type="html" xml:lang="en" xml:base="http://www.identitytheftsecrets.com/">
        <![CDATA[<p>Two Factor Authentication<br />
<em>What is it, how does it work, and why is two factor authentication better than just one factor authentication?</em></p>

<p>In this interview with Paul Herbka from South Seas Corporation (services and solutions based out of Colorado), we go in depth in a discussion of two-factor authentication, and why it's important for any individual or business to seriously consider two factor authentication for any sensitive data.</p>

<p>You can listen to the interview, and/or read the transcript below</p>

<p><a href="http://www.identitytheftsecrets.com/audios/paul-herbka-two-factor-authentication.mp3" title="Download the interview services and solutions for two factor authentication">Download the two-factor authentication Interview in MP3 Format</a><br /></p>]]>
        <![CDATA[<p>The following is a presentation of IdentityTheftSecrets.com. </p>

<p><strong>Identity Theft Secrets:</strong> Welcome back to IdentityTheftSecrets. This is Jonathan Kraft and I am here again today with Paul Herbka who is the President of the Information Systems Security Association here in Denver, Colorado; as well as the Vice President of South Seas Corporation which is headquartered in Littleton, Colorado. He is a certified Identity Theft Risk Management Specialist by the Institute of Fraud Risk Management and he holds the state contract for encryption in the State of Colorado as well as Arizona and I know you've spoken at a bunch of different conferences. So Paul, thank you very much for taking a few minutes with us today. </p>

<p><strong>South Seas VP (on two factor authentication):</strong> Thank you and I appreciate the opportunity to get to speak with people and share some information with them. I know a lot of times people know they need different solutions or have questions about different technology that has been out there, and really need help clarifying what's real, what's not. Also cutting through some of the marketing hype from the different vendors, right? I mean we all know that they all say they're Number 1 and they're the best -- and they slice, they dice, they solve every problem! We in fact know that's not true, but there are a lot of solutions that are out there that do solve problems and so it's good to know which ones do what and which ones work well. </p>

<p><strong>Identity Theft Secrets:</strong> Right? And given the award for Winner's Choice Award for blah, blah, blah. You know, "three out of four doctors approve us" and they only interviewed four doctors who already buy their products so...(laughs).</p>

<p><strong>South Seas VP (on two factor authentication):</strong> Exactly. </p>

<p><strong>Identity Theft Secrets:</strong> Well today I just wanted to take a few minutes here and talk to you about two-factor authentication. I know you know quite a bit about this and definitely some people have had some questions about it. So what is two-factor authentication? </p>

<p><strong>South Seas VP (on two factor authentication):</strong> Absolutely. So two-factor authentication falls under a category of "strong" authentication. The two-factor authentication means that they have two factors, right? So it's something they have and something they know. Or it's something they are and something they know. So something they have might be like a little Smart Card or a key fob or a token which holds some information and then something they know would be like a password or a PIN or a pass phrase to unlock that information on that Smart Card or token or what not. Or if they are using biometrics, then two-factor authentication might be something they have like their fingerprint or an iris read, an iris scan and then a password or a PIN or something that goes with that as well. So it's just like the name implies, it's two factors, right? It's something you have or something you are and then also something you know. So that it's not just one factor. It's like a log-in and password, right? So typical credentials are a log-in and password in most places. Well, that's all just something you know and that can be stolen, that can be faked. Someone in New Zealand could take that information and pretend that they're me logging into something in New Zealand when in fact, it's not me. So by adding stronger authentication or by adding two factors to it, now not only do they have to have something that I know that might be easy to get, but they also need to have that other factor whether it's something I have or something that I am. And that way it's much stronger authentication.</p>

<p><strong>Identity Theft Secrets:</strong> So you, as a company, South Seas Corporation, talks a lot to companies about solutions they can put into place. Two-factor authentication is obviously more involved than just a simple log-in and password. When do you recommend that to companies?</p>

<p><strong>South Seas VP (on two factor authentication):</strong> Well, we recommend it to companies when they have data that they need to be secure and when they have a lot of mobility for that. Because as we know, it used to be you'd put down my firewall and you locked your network and then everything inside your building was safe. You locked your front door, you locked your firewall down and you were good. Well now, as we've become a mobile environment and everyone wants to work remotely and maybe they VPN through a SSL VPN or an IPsec VPN and then tunnel in remotely. While that's a secure connection, the PC they're using to get onto that may already be owned by a Root Kit or a Trojan or a botnet. And therefore if it's a hotel kiosk, or a different friend's computer, it's a home computer that maybe doesn't have the same security standards, now then that log-in and password might be gotten and therefore it's not as secure. </p>

<p>If you're a larger corporation and you've got something secure or even if you're a smaller corporation but you're using either ... you're in the financial world, you're in the banking, you're doing payment cards or you're receiving and storing credit cards and you fall under Payment Card Industry (PCI), SOX, HIPAA; any of those, you'd want to use a stronger authentication because what we're finding is passwords just aren't good enough anymore. If you have a breach or you have an issue and you say, "well, yeah, but we had passwords." It's kind of ..., gee, you didn't really use your best effort. You did kind of well, ok; and even then if you ask, "are they strong passwords or were they written down on a sticky underneath keyboards?" The answer is usually, "oops, well yeah they might have been." And so it's harder to control that. </p>

<p><strong>Identity Theft Secrets:</strong> So then you recommend if they've got some sort of secure information that really needs to be secured and they've got people connecting in through some sort of virtual connection, virtual private network so that they can actually have some sort of more robust solution for authentication. </p>

<p><strong>South Seas VP (on two factor authentication):</strong> Exactly. The other example ... so all those definitely ... and then the other example would be someone who often logs in remotely or logs in front of other customers. So if I have to log-in and authenticate with my log-in and password, whether I'm a network administrator, or a system administrator, help-desk troubleshooter or someone that's out in the field and I'm collecting data, then they're going to see that. And if they see it over and over and over, or even like the teacher, then the student is going to pick up and it's not going to take long for them to find that log-in and password. </p>

<p>In fact, I was just told of a scam that they're using to get the PINs at a certain resort, it actually happened at multiple resorts, but this in particular happened at a resort in Mexico where they were hiring young boys to go and just learn one PIN number a day from people using the ATMs and then they would have that. So that was a password and it's secure as long as no one finds it but just by watching someone do it over and over, you're going to learn that PIN or password so that's why they're no longer secure. </p>

<p><strong>Identity Theft Secrets:</strong> That's very interesting. So two-factor authentication would be having some sort of thumbprint scanner or retinal scan plus something you know. Who are the major players in offering solutions in this area? </p>

<p><strong>South Seas VP (on two factor authentication):</strong> There are several, probably the most well-known one is RSA. In fact, they have a large secure world conference. But RSA Security; they were now bought by EMC. So they're part of EMC, but their own division. Then there's also another company called Aladdin, Aladdin Knowledgeware and their tagline is "Securing the Global Village."</p>

<p>So those are two of the leading ones and they provide all the different types, they've got the Smart Cards which look like a credit card-sized thing. It has a little Smart Card on it. Or they have the USB tokens which are Smart Cards in a USB form factor because most PCs now have a USB or multiple USB ports. Rather than having to find one with a Smart Card reader built in, they can just plug it into the USB drive and it has that encrypted Smart Card right on there and it can read it on any of those PCs.</p>

<p>And then they also have ones that are called OTP or One-Time Passwords and what those are used for is for remote VPN access in. So the RSA version uses a changing code that every 60 seconds changes and in that way you put that in plus your PIN, depending on how you have it configured and you get remote access. And the nice thing about it is then that code is no longer valid after sixty seconds. That code's not valid, so even if someone watches me and writes down that code, it's no longer good within a minute and so it makes you more secure. </p>

<p>So both of those companies provide those and they also have other ones that are combination tokens; where they have the Smart Card as well as the changing code or one-time password. They also have