Identity Theft: Not So Scary Anymore?
This article originally appeared on F5.com on 10.20.15. With Halloween in our rearview mirror and the holiday shopping season upon us, a couple surveys are out examining our fears and in particular, our concerns about identity theft. Apparently, ID theft is not so scary anymore - like entering a haunted house for the hair-raising screams but walking out with nervous giggles. Over at Bankrate.com, only 54% of surveyed tricksters says they are somewhat or very frightened of ID theft. That's down 80% from those who expressed the same level of concern back in 2008. Almost half, 43%, claim they have little or no fear, trouncing the 19% who were brave in 2008. This is all while the overall victim count remains at similar levels - 12.5 million in 2008 verses 12.7 million in 2014 according to Javelin Strategy & Research. As far as knowing someone who has been hit, 46% say they or a friend has been a victim compared to 34% in 2008. They chalk it up to people being desensitized to breaches due to the almost weekly confessions of data intrusions. The general feeling is that if large retailers, health care providers and credit agencies can't keep my data safe, how can I. More of those same folks however are also following some good advice of shredding sensitive documents (72%), checking their credit report regularly (56%), avoiding insecure WiFi (54%) and almost 20% have frozen their credit files. These are all good ways to help you worry less. And Chapman University published their Survey of American Fears, Wave 2 (2015) examining the fears of average Americans. The domains of fear include areas like crime, natural and man made disasters, personal anxieties, environment, technology and others. Along with the corruption, terrorism and warfare, identity theft comes in at 39.6% and credit card fraud sits at 36.9%. Both in the Top 10. So, while ID theft is still one of our top fears, by the time you get to Nightmare on Identity Street 4, Freddy isn't so freighting and you have some tools to deal with him. Besides, your insecure connected kettles could be exposing your WiFi passwords without your knowledge. Now that's scary! ps Related Survey: More Americans say 'boo' to the ID theft boogeyman America’s Top Fears 2015 Connected kettles boil over, spill Wi-Fi passwords over London The Breach of Things The Reach of a Breach 5 Stages of a Data Breach Technorati Tags: identity theft,breach,privacy,crime,fears,silva,fraud Connect with Peter: Connect with F5:Moving Target
I moved recently. Not too far away nor to a different state, just the other side of town. It is simultaneously exhilarating and exhausting. Most people in the U.S. moving during the summer. Kids are out of school, the weather is mostly nice, friends might be available to help and you are settled in for the holidays. And while you are worrying about packing, movers, mail and all the other check lists, your identity is ripe for the picking. The increased risk of identity theft during a move is because personally identifiable information is being shuffled around from one home to the next. At the same time, buyers and renters are preoccupied with the move and can forget to protect their sensitive documents. You may lock up or personally carry your jewelry, checkbook and other 'valuables' but your personal information might be unprotected and targeted during a move. If you are moving this summer like I just did, there are a few things you can do to minimize the risk. While most moving sites have 'Change of Address' as their top protection mechanisms (which we'll get to), I feel that shredding old bills, receipts and financial info is critical. First, you might not want to drag all that old paperwork with you, especially if you are paying by the pound but more importantly, shredding important documents can prevent thieves from finding any information in your trash. Old-skool dumpster diving is still a viable method to steal personal information. You also might not want the movers themselves to have access to those documents, particularly if you are having them help pack. I was fortunate to find reputable movers but mover fraud is becoming more commonplace in the U.S. Mail call! What? Oh yea, Change of Address. Seems like a no brainer, filling out a postal change of address but it is also important. Make the change with all the companies, financial institutions, magazines, and other organizations that regularly send you mail. Identity theft is often carried out by stealing mail. The folks who move into your old house might not steal your identity, but they will most likely throw away mail that isn’t theirs, and they won’t necessarily take the care to shred it as you would. If your mail continues to be delivered to your old address, it might be left on the doorstep or in an unlocked mailbox, making it very easy for anyone to walk away with it. Lock down your electronics. Many households have multiple computers now including tablets, mobile phones and other 'things' storing sensitive information. These are a treasure trove. You can carry/pack yourselves and make sure they are always in your possession or password protect and place in a slightly unmarked box. Maybe label it as 'dog food' and the crook, movers or otherwise, just might pass it over. If you plan on donating or recycling your old computer(s), make sure you totally erase the hard drive since criminals can easily retrieve those files and sue them for no good. Slightly related to this, I recently bought a refurbished Blu-ray player with various streaming services. I wanted to replace the one we broke with the exact same one but they stopped making that model. When it arrived, I went in to configure our Netflix account. So I clicked the Netflix icon and it loaded fine. Wait a minute, that's not my Instant Que. Whoever had the unit prior to me, still had their Netflix saved and I could see all their viewing habits. Old episodes of Leave it to Beaver and Attack of the 50 Foot Cheerleader. And keep an eye out for yourself before, during and after. Check credit monitoring if you have it; your credit report a few months later for anything suspicious; that all your mail is arriving intact; that all your household items are accounted for; and we often leave cars, garages, and other entrances wide open when moving so keep an eye there, if the location warrants. Physical items can be used to create digital identities and while we may read about ID theft topics when computer breaches are reported, the physical realm is still ripe with fraudsters. Everything is game nowadays but you can take physical and digital action to stay safe when you are finally home sweet home. ps Resources: Prevent ID Theft while moving Identity Theft Risk Factor: Moving to a New Home Moving and Identity Theft - How to Protect Yourself Ten Tips to Avoid Identity Theft When You Move Minimizing the Risk of Identity Theft When You’re Moving Technorati Tags: identity theft,id theft,moving,home,household,iot,mail,security,pii,silva,f5 Connect with Peter: Connect with F5:Malware costs $491 Billion in Perspective
A recent joint study from IDC and the National University of Singapore (NUS) predicts that companies around the globe will spend around $491 billion in 2014 for fixes and recovery from data breaches and malware. The sponsor, Microsoft, also noted that pirated software tweaked with intent is a common method of getting inside. Consumers will likely spend $25 billion as a result of those security threats. $491 billion is a lot of change and in the spirit of Mobile Threats Rise 261% in Perspective, I wanted to know what else costs $491 billion. Apparently, quite a few things! U.S. motorists may spend a record $491 billion for gasoline this year. Expensive oil and increased exports have kept our fuel prices high this year. We are still under the 2008 average gas price record but we will still spend more due to gas going up sooner in the year and staying high longer. I know I've seen $4.11 here in California where the average is $3.94. While the winter blend production does bring some relief, don't expect major drops due to higher global demand along with the various feuds in the world. Back in 2005, the US House of Representatives passed a $491 billion defense bill. This was when we were still in Iraq and the only reason I find this interesting is that the cyber-war can now cost as much as real wars. Not really apple to apples admittedly, but I often talk about how our digital worlds are colliding integrating with our physical lives. Either way, the costs can be very real. Now at the 3 year mark of the Fukushima meltdown, property damage so far has been assessed at approximately US$200 billion but some estimates show that the total burden will be $491 billion. While one could never put a price on the 19,000 people lost from the earthquake and tsunami, it is kinda spooky that breaches and malware are on par with nuclear disasters. According to the Global Business Travel Association (GBTA) Foundation business travel was responsible for about 3% of U.S. GDP in 2012 or $491 billion. Essentially, every dollar of business travel spending generated about $1.28 in GDP. Of the $491 billion total, $208 billion accrued directly to businesses that served travelers or meeting attendees. In 2011 the European chemical industry contributed to 20.9% of the world’s chemical sales valued at €2353 billion, generating € 491 billion of revenues and employing 1.16 million people. In 2012-13, India's total imports was $491 billion according to their Finance Minister. And finally, the Earth is 491 billion feet from sun, give or take. The malware market is on par with the likes of defense budgets, nuclear disasters, overall energy consumption and an entire country's import bill. It is often hard to quantify such large dollar amounts but when compared to the other $491 billion items, you can get a real sense of the magnitude. ps Technorati Tags: malware,pirated,threats,identity theft,security,$491billion,f5,silva,perspective Connect with Peter: Connect with F5:So Where Do We Go From Here?
If you are who you say you are. I've been travelling the last few weeks shooting some videos for VMware PEX and RSA. When that happens, my browser tabs get crowded with the various stories I'm interested in but will read later. This time they all seemed to hover around Identity Theft. When I got home, in my awaiting physical mail was a letter from Target. I also returned something to a national hardware store and the cashier tried to crumple my credit-card-info-having receipt into a trash can. Kismet. Let's take a look... The FTC recently announced that Identity Theft is the #1 complaint in 2013, for the 14th consecutive year. Is that a record? While down slightly from 2012, it still accounted for 14% of the 2 million overall complaints. This is down from 18% in 2012. Florida, followed by Georgia and California were the worst hit states for ID theft. The IRS has also named Identity Theft as their #1 Dirty Dozen Tax scam for 2014. Speaking of California, 7.5 million of the over 110 million breached Target accounts were Californians. California is one of the few states that require disclosure when more than 500 accounts are compromised. The first year California required reports, 2012, there were 131 breaches reported...in 2013 that rose to 170. The other interesting thing about California breaches is that many target smaller companies. In 2012, half of the reported breaches came from companies with fewer than 2500 employees and almost a third were businesses with less than 250 employees. Being small and relatively unknown is no shield. Also in Southern California, the Feds busted a couple guys running a Tijuana-based identity theft ring. These dudes broke into a U.S. based mortgage broker's servers and siphoned off mortgage applications which included most of the borrower's personal info: name, birthday, SSN, DL number, tax info, the works. They then used that info to open credit lines and, with the info they had, were able to change access to the people's brokerage accounts. From there, transferring money to other accounts was a snap. From Dec 2012 thru June 2013 they stole personal data on 4200 individuals. Javelin Strategy and Research released their annual 2014 Identity Fraud Study stating that in 2013, a new instance of identity fraud occurred every 2 seconds. 1 Mississippi, 2 Mississippi. Another. There was 13.1 million identity fraud victims on 2013. While the people number is going up, the actual money stolen, according to Javelin, in going down. They estimated that the total cost of identity fraud in 2013 to be around $18 billion, more than $3 billion less than 2012. 2004 holds the record at $48 billion. Attackers are now focusing on opening new accounts rather than piggy backing existing credit cards. Account take-over's, particularly for utilities and mobile phones are the new free-bees. Most of the stolen info appears to be from corporate breaches and about 1/3 of those who receive a breach letter actually becomes a theft victim. Your debit card also seems more valuable than your social security number. 46% of consumers with breached debit cards became victims verses only 16% of breached SSNs. And in an interesting twist, the top complaint against debt collectors is mistaken identity. Trying to collect a debt from the wrong person was by far, the most common complaint to the Consumer Financial Protection Bureau (CFPB). I know this all too well since over the last 3+ years, we've been getting debt collection calls looking for a certain person. We tell them that we've had our phone number for years and stop calling. Few months go by, the debt gets sold to another collector and we get calls again. It got so bad that this person's own mother called to tell her son that the dad was in the hospital and probably wouldn't make it. About 2 weeks later we got a call from another family member looking to talk about the father's death. This guy was running from debt so much so, that his own mother couldn't get a hold of him when dad was on his death bed. Now that's bad. So where do we go from here? Will we all need that personal chip installed on our left earlobe to verify identity? The payment terminal says, 'Please listen for verification.' Riff-raff will then be all like, 'Oh, listen to this cool song,' as they plug the bud into your ear only to suck the data off your PID chip. You didn't hear? That's our IPv6 Personal Identity Chip inserted into every newborn starting in 2025. Oh, it will happen. ps Related: FTC: Identity theft is the plague of the country Calif. attorney general focuses on retailers' data theft Tijuana-Based ID Theft Conspiracy Busted Javelin Study: A New Identity Fraud Victim Every Two Seconds The 2013 FireEye Advanced Threat Report! Mistaken identity top complaint against debt collectors RSA 2014: Anti-Fraud Solution (feat DiMinico) Technorati Tags: identity theft,id theft,security,privacy,banking,pii,breach,fraud,silva,f5 Connect with Peter: Connect with F5:OK 2014, Now What
So I've been staring at this blinking cursor for the last 5 minutes wondering what story to tell. 'Once upon a time, there was a....' No that won't work. 'It was a dark and dreary night as our protagonist grudgingly dragged his feet toward the impending...' No, not that either. How about, 'The waves were big, mean and fast that day...the kind of day where Eddie would go.' Nah, too local boy. After a few weeks break and with so much going on within information technology, I sometimes find it difficult to zero in on something interesting with so many choices. So I decided to do a mini blog buffet....the best in town, I say! The big news this week seems to be the Consumer Electronics Show (CES). From connected and driverless cars to interactive kitchens to wearable technology to the massive ultra HD televisions to even toothbrushes, the internet of things is certainly posed to take over the world in 2014. There are, of course, risks with all these embedded systems. There was the Target breach right at the height of the holiday shopping season nailing 40 some million (now 70 million) credit and debit cards in the process. I had a browser tab The 10 Worst Data Breaches of 2013 saved since before the new year for an article but this most recent debacle will certainly make all of 2014's lists. I was in Target a couple days ago retuning something and the person in front of me was asked, 'Do you want cash or credited back on the card?' He dryly answered, 'Well, I got a letter from my bank this week saying they are replacing my card due to your breach, so I'll just take the cash.' Mine was an even exchange. There was the FireEye - Mandiant deal struck slightly before the ball dropped and announced after the 12th ding. Interesting blend of attack detection along with attack response. The timing seemed perfect in the wake of the Target news. There was the Snapchat breach, the Yahoo malware, the WoW attack and certainly all the 'national security' news. And finally, our very own John McAdam earned Puget Sound Business Journal Executive of the Year for 2013. I first met John when I joined F5 in 2004. We had less than 1000 employees at the time and our sales conference that year was at a local Seattle hotel. During one of the breaks, Ken Salchow took me over to introduce me to McAdam, who was sitting in a chair fiddling with his blackberry. Now you'd think that the first time meeting your CEO you'd be all proper, business-like...Sir. Not me. As Ken did the formalities, the first words out of my mouth were, 'What's your high score on brick breaker?' John's face lit up with a smile, a determination in his eye and without missing a beat, shoved his phone in my face and taunted, 'Can you beat that?' It was wonderful and crushing at the same time since his score trounced mine. This was well before internet on planes and playing brick breaker was a way to pass time in the air. For the next several months as we did our individual business travel, we would send each other our high score(s) wrapped in a bit of bragging. There was actually a few of us on the thread, all hoping to blast the others. Then one day, one of the competitors (who had been on an overseas flight if I remember correctly) sent a score that blew everyone away. That was it, game over. But I'll never forget how the CEO included a relatively new guy into a fun little group of folks trying to one up each other. I've been here ever since. Welcome to the Year of the Horse! ps Related: Top 10 products revealed at CES 2014 so far Customers paying the price after Target breach The 10 Worst Data Breaches of 2013 The Internet of Things and DNS Looking to 2014 Executive of Year: F5 Networks CEO John McAdam strikes the perfect balance Technorati Tags: 2014,breach,security,target,mcadam,f5,malware,ces,IoT,silva,attacks Connect with Peter: Connect with F5:Identity Theft Hits Close to Home
While certainly not the likes of having SWAT show up at my house like Krebs or even Honan's fiasco, we've had some ID theft attempts occurring for the past few months...actually my wife has. It all started innocently enough at a child's birthday party. We were invited to a now ex-friend's house for a kid's birthday party this past April. We were told it would be a small gathering of a few close friends. Usually, when we attend things like this, my wife will leave her purse covered, locked in the car. In this instance, thinking it was a small group, she took her purse in. To our surprise, this was not some small get-together, as we were told, but a big party with numerous parents, kids and jump bouncers in back. Many people we had never met. That's cool, meet some new families with kids around the same age. Almost immediately, the 'host' told my wife that she would put her purse in the home office where it would be 'safe.' At the time, we didn't think anything of it since we had been to this house numerous times and had trusted the family. The following week, my wife mentioned that she couldn't find a couple credit cards but thought she had misplaced them. 'They gotta be around somewhere.' You know the phrase. After another week of not being able to locate them, she called the card companies and requested replacements. At that point, nothing, as far we knew was amiss. A couple weeks later, we get a letter from the credit card company (the one we replaced) saying they were not able to change the mailing address of our cards since certain security verification was not provided. This was for the old, just replaced card. Clearly not knowing that we had already cancelled and replaced the card, the thief attempted to change the mailing address for our account. What?!? But couldn't provide a photo ID with the new address or the secret squirrel settings so it was denied. Nice. We asked the card company for details and they could only provide the basics: it happened, verification failed, it stopped. But don't you have caller ID?...Can't you go back and look?....What question failed? Nothing. See, while potential fraud was potentially attempted, it never actually occurred since it was not successful...thus no investigation. I can understand. We locked and froze and alerted the credit community. Another couple weeks go by and due to the alerting in place, my wife gets a call asking if she's currently attempting making a purchase of some high end sunglasses online. She wasn't. Add to that, whoever apparently entered the wrong billing address. Denied. This was a different credit card than the address change attempt. We got the CC transaction ID and hoped, maybe, that the online vendor could correlate. What address did they enter?...Can you get any meta information from the transaction logs?...Can I talk to your IT department? As you probably know, CC transaction numbers do not always match the merchant's transaction ID and neither was able to correlate the other's. They did their best providing what they could but nothing to connect the two incidents...even though we had our suspicions. Change of address request could come from anywhere and purchasing online...well it is the world wide web. There was no way to tentatively finger someone but we did file a police report. And then last week, my wife gets a call from our local pharmacy informing her that the doctor had denied her cough medicine refill and that she needed to make an appointment with the doctor if she needed the medicine. The only problem was that she hadn't requested a refill. This was for some codeine laced cough syrup that was scripted over a year ago. The caller had her name, doctor and birthday...plus knew exactly what medication to request and which store to request it from. Big mistake. The geographic region of the perpetrator just shrunk from world wide to our area. There was/is only one person who would have all that info - the host of the birthday party. It was her doctor (recommended to my wife) and she went with my wife when the cough medicine was prescribed. I told the pharmacy to just fill something with grape juice and hold whoever tries to pick it up. Yeah, ahh, they don't do that. I guess a sting operation is outside the realms of a pharmacy but sounded good to me. Now we've added an 'attempted' medical ID theft with a controlled substance sidebar. Another police report filed. While we do not have a video of the individual attempting the crimes, all indications point to one person. Some of you might know that my wife is a retired Federal Investigator. She spent some time hunting fugitives as a US Marshall and protected past #2s while in the Secret Service. So she went down every other possible investigative path. The only one who had access to her purse, who also likes to purchase expensive sunglasses and would know specifically my wife's birthday, our pharmacy, and that particular medication along with who prescribed it? It finally sunk in. According to ITAC, more than 1.5 million consumers were victims of familiar fraud, which is fraud when victims know the fraudster. Back in 2006, the FTC Identity Theft report noted that 2% of thieves were co-workers of the victim, 6% were relatives or family members and 8% were friends, neighbors or in-home employees. For medical ID theft, Ponemon's 2013 Survey on Medical Identity Theft said a family member took the personal identification or medical credentials without consent 28% of the time. Unfortunately, many of these crimes go unreported due to the perpetrators being friends and family. Identity theft is on the rise and if I remember correctly, medical ID theft is the fastest growing segment. I'm certainly not suggesting to keep your personal secrets locked from your trusted, long time best friend or a family member. But for us, this experience will make us think twice about divulging certain information to fly by friends. ps Reporter’s Identity Stolen The World Has No Room For Cowards Largely a family affair, medical identity theft on the rise I challenged hackers to investigate me and what they found out is chilling Identity Fraud by Friends or Family Identity Thief Is Often Found in Family Photo ITRC Fact Sheet 115 - When You Personally Know the Identity Thief Who Commits Identity Theft? Your Identity Thief Could Be Your Sibling or Child Parental Identity Theft Statistics Technorati Tags: identity theft,medical,privacy,security,friends,family,credit card,silva Connect with Peter: Connect with F5:Personal Data For Sale – In time for the Holidays!
Come one, come all! Are you tired of using your own money for those big holiday purchases? Are you wary of entering your own personal & financial information to get that special gift? Would you rather spend a stress-free holiday season impersonating various folks? Just in time for your holiday shopping, get your very own unlocked identity profile!! Why go through the hassle of protecting your own information when you can just pretend you are someone else? For a limited time we are offering everything you need to create your own shopping character – name, address, bank/credit card info – and if you act now, we’ll include the user names and passwords for 5 social media profiles!! Call Now! Operators are standing by… I got a call yesterday from a well-known national bank letting me know that there may have been some fraudulent activity on my account and to enter my info to verify the charges. First, I don’t have an account with this institution but played along. The automated system gave me the name of the person they were trying to reach but I couldn’t go any further since I didn’t have their info. I tried to zero out but the annoying prompts kept scolding me that the info I entered does not match their records. Initially, I thought that this might be a phone scam attempting to get sensitive info but upon further investigation it was the actual bank. I called the 800 number back and finally got to a human. I explained the situation and got connected with the fraud department. Apparently, my number is still associated with a customer (actually 3 customers) and they will correct the database. But it got me thinking that I might have been able to pretend I was that customer and through a little social engineering, get their info. I already had their name and associated phone number, it doesn’t take much more to create a persona and demand that I am who I say I am. Just this past week, I also got a nice email from another financial institution alerting me that my account’s Online Access Agreement had been updated and I need to logon to confirm my identity, over a secure connection of course, to read & accept the new agreement. I was urged to partner with them to prevent customer fraud. What a great idea…unfortunately, I don’t have an account with them either! The link to the ‘security update’ went to tiktak.com.br (intentionally left out the rest) and the source showed that it was also sent from Brazil. I sent to the abuse department of the bank and to the FTC. Not surprisingly, the bank’s reply did confirm that it was a scam. While many of us are aware of the dangers of clicking on an email link that looks suspicious, crooks are still using this method to pilfer and even if only a few fall for it, it’s still a success. According to the Identity Theft Resource Center (ITRC) as reported this past June, data breaches are up in 2010. 498 total breaches were reported for the entire 2009 calendar, including those high profile exposures and for the first 4 months of 2010, 245 breaches were reported. Well on the way of breaking 2009’s numbers. The scary part is that only 8% of all breaches are reported, according to the Australian Crime Commission. In the states, I’ve seen statistics saying that 89% of security incidents go unreported. Either way, reported statistics for electronic fraud are well below the actual damage. And it’ll probably get worse as more and more mobile devices are used to conduct sensitive transactions. And don’t get me started on social media. I’m still amazed that just 10-15 years ago when we all had answering machines (remember those?) we were warned that you never say as part of your outgoing message, ‘We’re not home right now….’ since that tells criminals that the place is ripe for the pickings; the message should say, ‘we can’t get to the phone right now…’ Yet, just a decade later, thousands of people are telling the world, ‘Hey we’re a thousand miles from home having a wonderful time – check out the great photos,’ all with GPS info included. The profile has their hometown, kid’s schools, latest expensive purchases and a picture of the new addition to the house. I realize social media is a great way to share with family and friends and has many benefits both business and personal but we do need to be aware of the type of information we choose release. And with the holidays coming, that data is extremely valuable to outlaws. This is just a friendly reminder to protect yourself, reduce your risk and pretend you have an old answering machine before the madness of the holidays is upon us. I guarantee we’ll be seeing a number of data theft stories at the peak of the shopping season and wanted to get a jump on it now – before all the clutter arrives in a few weeks. ps twitter: @psilvas
