Surveys Highlight Poor Security Precautions of Social Networkers

Though They Say They Are Concerned About ID Theft; Few Take Steps to Protect Themselves

A pair of reports released at the end of August highlight the lack of care that a large percentage of people take when engaging in online social networking.

According to the Bringing Social Security to the Online Community poll, conducted by the Chief Marketing Officer Council and software firm AVG, while the majority of social networking users are afflicted by Web-based security problems, less than one third are taking actions to protect themselves online.

Poll participants indicated concern over growing phishing, spam and malware attacks, and nearly half of those surveyed are very concerned about their personal identity being stolen in an online community, according to the CMO Council.   

The survey was conducted online during the second quarter of 2009 and gathered responses from a random sampling of more than 250 consumers.

According to the poll results, despite widespread use (86 percent) of social networks at home and at work, most fail to perform the following basic security measures on a regular basis:

• Changing passwords (64 percent infrequently or never).
• Adjusting privacy settings (57 percent infrequently or never).
• Informing their social network administrator (90 percent infrequently or never).

Perhaps even more telling, or more alarming, are the following poll findings:

• Twenty-one percent accept contact offerings from members they don’t recognize.
• More than half let acquaintances or roommates access social networks on their machines.
• Sixty-four percent click on links offered by community members or contacts.
• Twenty-six percent share files within social networks.
• Nearly 20 percent have experienced identity theft.
• Forty-seven percent have been victims of malware infections.
• Fifty-five percent have seen phishing attacks.

“As social networking populations grow globally and the proliferation of niche social networks and mobile offerings extends the reach of social communities, the threats and vulnerabilities are escalating accordingly,” said Donovan Neale-May, executive director of the CMO Council, upon release of the findings. “More frequent breaches and outbreaks on popular social sites are a testament to the need for a more preventative mindset and threat-alert culture among community users.”

The poll findings echo similar identity issues discovered in a survey of 2,092 social media users by British-based Legal & General.

Nearly four in ten, (38 percent) of users of sites such as Facebook and Twitter have posted status updates detailing their holiday plans and a third have posted status updates saying that they are away for the weekend. Coupled with the finding that an alarmingly high proportion of users are prepared to be “friends” online with people they don’t really know, this presents a serious risk to the security of people’s home and contents, Legal & General, an insurance firm, said in it’s report, The Digital Criminal.

The report found that 23 percent of social media users have discussed holiday plans “wall-to-wall” – outside the privacy of their own page – and 17 percent of users reported seeing people’s residential addresses posted on pages that can be seen by strangers.

Legal & General’s research confirmed that a large proportion of users use social media sites to connect with people who are essentially strangers: 79 percent think they are a great way to track down people they “met on holiday,” 75 percent feel that they are a good way to meet “friends of friends,” and nearly half like to use sites to meet new people based only on the person having a nice picture.

Other findings:

• Nearly half (48 percent) of respondents have no worries about the security or privacy of social networking sites.
• Of all social networking sites, Facebook creates the most concern with 46 percent of respondents feeling that there are some security and privacy risks.
• Thirty-four percent of respondents have seen somebody else’s phone number posted on their social networking profile.
• Nearly one in ten, (9 percent) of respondents have included their own phone number and 5 percent have included their address in the personal information section of social networking sites visible to friends.
• Some people are sharing mobile numbers and addresses directly with strangers: 6 percent have written their phone number and 3 percent have written their address “wall-to-wall” or on pages open to those who are not accepted contacts.
• Men are more blasé about personal information – 13 percent have included their mobile number on their profile compared with just 7 percent of women and 9 percent of men have included their address compared with just 4 percent of women.

I find it both shocking as well as telling of the larger problem that Anna Bernanke, who is the wife of Ben Bernanke (chairman of the US Federal Reserve), both carried her physical Social Security card and printed her home address and telephone number on each of her checks.

Anna and Ben Bernanke

The Bernanke family is at the top of the US government financial food chain.  They have failed to lead by example by taking the most basic of steps when it came to personal security against identity theft.

I find it shocking because the Bernanke family is highly educated,  Anna with a M.A. from Stanford University.  An individual of Anna’s educational background and intelligence should certainly be aware of and practicing simple personal financial protection techniques to avoid identity.

I find it telling of a larger problem because if an individual such as Anna Bernanke is not practicing simple personal financial protection techniques to avoid identity theft then it is very likely that neither is the general American public.

Perhaps the Bernanke’s will pass along a lesson learned the hard way to their children Joel and Alyssa who are at great risk of becoming victims of identity theft at some point in their lifetimes.

To learn how to practice simple personal financial protection techniques to best protect yourself from identity theft visit this link for up to date tips from identity theft experts.

In 2006, my bank provided an identity thief posing as me, debit card approval through an unauthorized phone number. Within a few days, the thief wiped out my checking account, stealing $8,000.00 before I realized what happened. For six months, the identity thief continued to victimize me. I lost $22,000.00, before I managed to catch the thief and stop the rampage. Yet, my bank was accusing me of forging my own identity.

It’s dreadful enough when you find out you are a victim of identity theft, but it adds insult to injury when your bank treats you like a criminal.

Did you know that many of the largest banks in the United States are frequently targeted by identity thieves? (Fig. 1) Fortunately, what I learned during my personal experience dealing with my bank after becoming a victim of identity theft may assist you if you’re ever a victim.

 Figure 1:  Courtesy of Chris Hoofnagle and the Berkeley Center for Law and Technology

Tips for working with your bank if you’re an identity theft victim:

TIP #1 – IMMEDIATELY CLOSE ALL COMPROMISED ACCOUNTS

If your bank doesn’t automatically provide you with a new account number,   insist that they do so.  In order to get any money reimbursed, you will need an account number that has not been compromised.

TIP #2 – GET PROTECTION ON ALL ACCOUNTS

Insist that your bank place an “Identity Theft Warning” message and password protection on all your accounts. I found it easy to do this for phone inquiries, but difficult for in-person inquiries. So when I thought I was safe because I had a new password-protected bank account, the identity thief managed to withdraw money in person from different bank branches. Through perseverance, I was able to locate a bank manager who was able to place a universal warning on all my accounts. I believe this helped me eventually track down my identity thief. 

TIP #3 – ASK QUESTIONS

Knowledge is power. If you don’t understand the bank’s identity theft protocol, ask questions about it. It’s important to know what the bank is requesting of you. Understanding the bank’s procedures will help you deal with this crime. If you don’t understand the bank’s procedure or don’t think the procedure is useful in your particular circumstance, ask further questions and/or request additional assistance.  I was able to get a new protocol put into place for my accounts (see Tip #2).

TIP #4 – KEEP RECORDS AND A JOURNAL

Create a file for your identity theft documents. Log all your conversations and transactions. Make sure to get full names of the people you talk to, keep track of all dates and times (noting how much time you spent dealing with each issue), and be sure to keep track of the amount of money lost or stolen including your time spent to recover. Creating these records will help you recall what happened, should you need to at a later date.  Most importantly, if you ever go to court because your identity was stolen, you will have a clear record. Plus, you may be able to claim the loss on your taxes.

 TIP #5 – MONITOR YOUR ACCOUNTS REGULARLY

Keep an eye on your bank accounts. Call your bank immediately if you notice a discrepancy, no matter how small as you may have a limited period of time to file a complaint. I regularly review my bank activity online. It saves a time and, if your mail has been stolen or redirected by an identity thief, you may not get your bank statements in time.  Remember to be smart when banking online. Always log in using your bank’s official URL and never log-in by clicking on a link provided in an email or advertisement. Always log out when finished and close the browser window. Empty cookies from your computer system regularly and never allow the browser to remember your password (type in your password every time).

 TIP #6 – KEEP PERSONAL INFORMATION OFF YOUR CHECKS

All you need are your first initials and last name on your checks. Your full name, address, Social Security number and phone number are not necessary. The bank knows how to handle your checks. The less your personal information is out there for a thief, the better. If a crook can’t match an exact name to a bank account, he/she will be less likely to use it.

As an identity theft victim, dealing with your bank may be a challenge.  You may have to repeat the facts of your case to several different bank officials until the bank has a grasp of your specific circumstances.  This can be frustrating. If possible, find one person that can handle your claim as quickly as possible.  Ask to speak to a supervisor if you feel you are not getting the help you need or if someone treats you poorly. And trust that your situation will eventually get resolved.

Our staff of identity theft experts strives to present the latest and most relevant identity theft articles, identity theft news, commentary and ID theft videos.

Our staff (under the guidance of Rob Douglas) follows and presents ID theft related legislation, identity theft services, scams, credit card fraud and security breaches / data breaches. We additionally offer ways to protect yourself and your family from becoming victims of identity theft.

We take identity protection seriously, as a theft of identity can result in not only great financial loss and loss of time in order to repair the damage done, but could end in permanent medical damage or death (see our medical identity theft section).

We are proponents of the credit freeze / security freeze option available to consumers at the three major credit bureaus as a way to prevent identity theft.  Although the credit freeze is not a total identity theft prevention method it does prevent many types of ID theft and our identity theft experts believe it is the best option available to consumers at this time.

If you are already a victim of ID theft our identity theft experts provide tips on how and where to report identity theft as well as important other steps you should consider taking.

All of the ID theft research and content at www.IdentityTheft.info is written or compiled by identity theft experts for consumption by journalists, lawmakers, and consumers and is edited by Rob Douglas our chief editor and identity theft expert.

International Effort Busts Phone Hacking Ring

Stolen Service Valued at $55 Million, Some Money May Have Been Used to Fund Terrorism

A federal grand jury in New Jersey has indicted a group of people for allegedly breaking into the phone systems of more than 2,500 firms in the U.S., Canada, Australia and Europe in order to route calls through the hacked networks.

In conjunction with the indictment, Italian law enforcement conducted searches of approximately 10 locations in four regions of Italy and arrested the financiers of the hacking activity. Five individuals, all Pakistanis, were arrested.

From about October 2005 through December 2008, the hackers sold telephone service to customers of call centers and then placed the calls over the compromised networks. According to the indictment, the hackers stole 12 million minutes of telephone service, valued at $55 million. Italian news reports said some of the money was used to fund terrorist activities, but the indictment and the U.S. Attorney’s office could not confirm that.

According to the indictment, the group used a “brute force attack” – breaking computer codes by systematically attempting a large number of telephone extensions and corresponding passcodes in the hope that eventually the proper combination would be used.

The hackers used a combination of “loop-back” and “passcode” methods.

In the loopback method, the hackers and their clients would place a phone call into a hacked telephone system and then used the hacked system to dial back to a second number that the hackers controlled, resulting in the call being charged to the hacked system. The hackers then manipulated the compromised system to place calls to third parties while maintaining an open phone line, causing the company that owned the hacked system to incur the full cost of the call.

In the passcode method, the hackers and their clients would place a call through the hacked system and then - using the passcode stolen via the brute force attack - manipulate the hacked system to dial codes to third parties located in dialing areas with significantly more expensive dialing rates than those of the initial calls placed to the hacked system.

The hackers would still pay their own long distance carriers for the initial calls, but the rate for those calls would be far less than the rates to the ultimate call destination. The higher rate was charged to the owners of the hacked systems.

The indictment alleges that three hackers, Mahomoud Nusier, 40, Paul Michael Kwan, 47, and Nancy Gomez, 24, all residents of the Philippines, were working in conjunction with call centers in Italy and Spain. Unlike in the U.S., where call centers are predominantly used by large companies to field customer service and other calls, in Italy there are call centers that provide the public with local and long-distance service in addition to the more well-known corporate call centers.

Whatever method was used, the hackers would transmit the hacked numbers, extensions and passcodes to operators at the Bresica call center, who would then wire payments to the hackers via Western Union, Ria Financial Systems and MoneyGram. The hackers – Nusier, Kwan, Gomez and others – were then paid approximately $100 per hacked telephone system.

The Brescia call center operators, in turn, transmitted the hacked phone numbers, extensions and passcodes to operators of other call centers, including Spain, in return for payment.

“This was an extensive and well-organized criminal network that worked across continents,” said Ralph J. Marra, Jr.,  acting U.S. Attorney for New Jersey, whose office handled the case. “The hackers we’ve charged enabled their conspirators in Italy and elsewhere to steal large amounts of telecommunications capacity, which could then be used to further or finance just about any sort of nefarious activity here or overseas.”

The defendants face maximum prison sentences of five years on the conspiracy count, five years on each of the two respective unauthorized computer access counts, and 10 additional years on the access device count. In addition, each is subject to a maximum fine of $250,000 on each count for which they are named, or twice the gain resulting from the offense, whichever is greater.

Dissent, over at PHIPrivacy.net, posted a link to Hello GovernmentCare, Goodbye Personal Privacy by Warner Todd Huston today.  The subtitle to the piece is, “A vote for Obamacare is a vote to give away your personal, private medical information.” 

In addition to the increased risk of medical identity theft that the rush to government controlled health care and the mandate for electronic health records will bring as previously noted on this blog, there are significant privacy issues that are not currently being addressed sufficiently.  Huston’s piece examines a portion of that concern.  Here’s the start of the commentary:

Do you want your government to know that you have bowel troubles? Do you mind if the president can discover if you have erectile disfunction? Would you be out of sorts if your local Congressman could discover if you’d had an abortion? How about if your state comptroller’s office or your governor could discover if you’d had breast implants? Well, a vote for Obamacare is a vote to give away your personal, private, maybe embarrassing medical information.

Do you think this is a silly claim? Well, don’t. In the newly released Obamacare plan, section 3102 titled “Financial Integrity” makes provision for state and federal governments to be able to investigate any medical care provider at any time. This provision gives government the right to look at any record that a doctor has in his files and that means your private medical information. Worse, they may do so without court approval, without a warrant, with no cause stated.

Please read the full piece and think about the path this country is headed down when the government takes over health care.

The practice of implementing and renewing fraud alerts by several companies selling identity theft prevention/recovery products may stop.

Fraud alerts can be put in place at one of the three major credit bureaus (which automatically notifies the other two bureaus) when an individual believes that they are a victim of identity theft or have reason to believe that may become a victim of identity theft.  The initial fraud alert lasts 90 days and then must be renewed or it drops off the individual’s credit file.

An entire identity theft prevention industry has come into existence primarily based upon a service which renews a fraud alert for individuals automatically every 90 days.

A court case involving identity theft protection service LifeLock and credit bureau Experian ended in LifeLock being ordered to stop implementing fraud alerts on behalf of third parties (Lifelock’s customers) at Experian.

Debix- another identity theft protection service - announced that they will discontinue the use of fraud alerts due to the opinion issued by the U.S. Federal District Court in the Experian v. LifeLock case.

Regardless of the court’s opinion and the impact on commercial identity services, individuals would be wise to consider a security credit freeze as a more powerful alternative to a fraud alert.  The security credit freeze offers better protection against new credit lines being opened because it blocks the credit bureaus from providing a frozen credit file to potential creditors rather than just the “note” a fraud alert places on a credit file.  While there is a fee each time an individual orders a freeze or thaw on their a credit file, the added security may be worthwhile for many consumers.

For example, if an identity thief applies for a new credit card in your name the card issuing company will attempt to pull your credit report to see if you qualify.  When a credit freeze is in place, the card company will not be able to access your credit report at all.  Therefore, the card company will not issue a new credit card to the impostor.

If the security credit freeze is not attractive to victims of identity theft, there is also the option of a seven year extended fraud alert.  Identity theft victims must provide an identity theft report in order to qualify for the extended alert.

Until you lose your identity, you may not realize just how precious it is.

Some 6,000 people were jolted by this shocking reality when they fell victim to one of the largest international identity theft and credit card fraud rings in recent history.

The unraveling of this multi-million dollar scam began in September, 2007 when a package delivered to an employee of a  real estate office was opened by the owner of the office.  Upon finding 60 valid credit cards inside the package, the owner reported the find to law enforcement authorities who – with aroused suspicions – began a nearly two year investigation, involving electronic eavesdropping, physical surveillance and the translation of thousands of conversations and e-mails.

The investigation was revealed when forty-five indictments were handed down last month to individuals alleged to have stolen the credit cards and personal credit information of thousands of hapless victims.  The defendants are accused of shipping stolen or illegally obtained credit cards to buyers around the world.  The fraud, estimated at a staggering $12 million, hit individuals across the United States and Canada.

While announcing the bust, Queens Distrct Attorney Richard A. Brown said, “Our investigation reveals that – in terms of just the sheer number of people indicted – this is one of the largest identity theft networks uncovered in recent history and is just possibly the tip of a much larger global credit card trafficking operation.  Besides draining the bank accounts of individuals throughout North America, we believe that the defendants – some of whom live in California, Illinois, Maryland, Pennsylvania and Toronto – also shipped stolen or fraudulently obtained credit cards to buyers around the world and that purchases were made in such far-off places as Japan, Saudi Arabia and Dubai.”

New York City Police Commissioner Raymond W. Kelly and Brown said the ring was made up of three enterprises working together.  Commissioner Kelly said, “When these suspects said ‘charge it’ they stole more than cash and goods.  They robbed unsuspecting victims of their identities too.  This was a sophisticated crime ring which met its just end through painstaking investigation by NYPD detectives and unstinting support by Queens prosecutors.”

As part of the identity theft ring’s operation, a simple, easy-to-obtain and inexpensive technique called Caller ID Spoofing enabled the suspects to defraud the victims and their banks and credit card companies.  Caller ID Spoofing changes the number appearing on Caller ID and some providers of Caller ID Spoofing also provide services that can alter the caller’s voice to such an extent that a man can sound like a woman and vice-versa.

Legitimate uses of Caller ID Spoofing and SpoofCards purportedly enable professionals such as doctors and attorneys to protect their cell phone numbers.  However, in the hands of the defendants named in the indictments, Caller ID Spoofing allowed the defendants to impersonate legitimate credit card account holders by pretending to be calling the account holders financial institution.  Brown went on to explain, “SpoofCards are virtually untraceable and can be used by identity thieves and hackers to pose as government and financial entities as a means to unscrupulously obtain personal information from unsuspecting consumers.”

To acquire the credit cards three methods were used. Cards were either fraudulently taken over, fraudulently opened or intercepted in the mail.  Once the thieves had the stolen cards, all they had to do was visit the nearest ATM machine.  ID mills produced bogus back-up identification materials, such as driver’s licenses, to enable the suspects to present the cards to bank tellers and withdraw larger amounts of money.

This multi-faceted crime ring appears to have been well organized with individuals assigned to specific roles such as account washers, account preparers and account maintainers.

Account Washers:  Gathered specific information on account holders such as mother’s maiden name, household income and occupation to enable account preparers to take over the account.

Account Preparers:  Caller ID Spoofing allowed the defendants to activate the account by pretending to be calling from the account holder’s phone.  By posing as the account holder, the account preparers could then manipulate the information to their advantage by changing key information including the mailing address, PIN number and/or increasing the credit line on the account.

Account Maintainers:  Paid off accounts to avoid any suspicision of fraud and upped the credit lines.  Once the credit line reached a high point, all monies were withdrawn.

But, that’s not all.  Compromised accounts were then sold to identity theft cell leaders who in turn distributed them to the ring’s foot soldiers and shoppers.  Shoppers bought top-of-the-line electronics and were charged with finding “fences” who would buy the electronics from them.

The indictments charge the defendants with Enterprise Corruption under New York State’s Organized Crime Control Act.  Said District Attorney Brown, “Technological advances have made it increasingly easier to carry out identity theft and fraud, two of the fastest growing crimes in the United States…We will continue to work closely with our law enforcement colleagues to stamp out such fraud and help to maintain our nation’s safety and security.”

WASHINGTON – The Safe Internet Alliance today applauded President Barack Obama’s announcement of a major new comprehensive U.S. cybersecurity program. Leveraging both civilian and military capabilities, the program’s initiatives will better enable public and private partnerships to, as President Obama said, “find technology solutions that ensure our security and promote prosperity.”

Linda Criddle, president of Safe Internet Alliance and member of InfraGard’s Evergreen State Members’ Alliance, said, “President Obama’s announcement provides a timely validation for our new organization. Safe Internet’s growing membership knows firsthand that cybersecurity is an enormously complex issue that touches every industry, organization, community and family. We simply cannot allow criminals and abusers to hijack and corrupt the Internet. Together we can work to bring safety and civility online, enabling everyone to confidently take advantage of the great opportunities the Internet provides.

“As President Obama stated, ‘We rely on the Internet to pay our bills, to bank, to shop, to file our taxes… Millions of Americans have been victimized, their privacy violated, their identities stolen, their lives upended, and their wallets emptied.’ We can only feel comfortable performing these tasks if the cyberworld is secured,” said Criddle.

Joy Howell, a board member of Safe Internet Alliance and a former director of the Office of Public Affairs of the Federal Communications Commission, praised the government’s inclusive approach. “It is Safe Internet’s goal to facilitate dialogue and partnerships between the administration, the public and the private sector. Cross-vertical collaboration is absolutely essential to developing the security infrastructure America needs for the 21st century. We look forward to promoting the resources, technology, best practices and conversation to help the president with this crucial task.”

IdentityTheft.Info is a member of the Safe Internet Alliance.

Today, President Barack Obama released the administration’s much-anticipated Cyberspace Policy Review.

The preface of the report states:

Cyberspace touches practically everything and everyone. It provides a platform for innovation and prosperity and the means to improve general welfare around the globe. But with the broad reach of a loose and lightly regulated digital infrastructure, great risks threaten nations, private enterprises, and individual rights. The government has a responsibility to address these strategic vulnerabilities to ensure that the United States and its citizens, together with the larger community of nations, can realize the full potential of the information technology revolution.

The architecture of the Nation’s digital infrastructure, based largely upon the Internet, is not secure or resilient. Without major advances in the security of these systems or significant change in how they are constructed or operated, it is doubtful that the United States can protect itself from the growing threat of cybercrime and state-sponsored intrusions and operations. Our digital infrastructure has already suffered intrusions that have allowed criminals to steal hundreds of millions of dollars and nation-states and other entities to steal intellectual property and sensitive military information. Other intrusions threaten to damage portions of our critical infrastructure. These and other risks have the potential to undermine the Nation’s confidence in the information systems that underlie our economic and national security interests.

The Federal government is not organized to address this growing problem effectively now or in the future. Responsibilities for cybersecurity are distributed across a wide array of federal departments and agencies, many with overlapping authorities, and none with sufficient decision authority to direct actions that deal with often conflicting issues in a consistent way. The government needs to integrate competing interests to derive a holistic vision and plan to address the cybersecurity related issues confronting the United States. The Nation needs to develop the policies, processes, people, and technology required to mitigate cybersecurity-related risks.

Information and communications networks are largely owned and operated by the private sector, both nationally and internationally. Thus, addressing network security issues requires a public-private partnership as well as international cooperation and norms. The United States needs a comprehensive framework to ensure coordinated response and recovery by the government, the private sector, and our allies to a significant incident or threat.

The United States needs to conduct a national dialogue on cybersecurity to develop more public awareness of the threat and risks and to ensure an integrated approach toward the Nation’s need for security and the national commitment to privacy rights and civil liberties guaranteed by the Constitution and law.

Research on new approaches to achieving security and resiliency in information and communications infrastructures is insufficient. The government needs to increase investment in research that will help address cybersecurity vulnerabilities while also meeting our economic needs and national security requirements.

For the full report see the pdf at Cyberspace Policy Review.