Through twitter, we connected with the good people at Broadband for America to bring you this article about three common online identity theft myths.

Thanks to identity theft awareness programs, many people are now exercising increased caution when online. Most folks understand the danger in revealing too much personal information on the Internet, or falling for phishing scams. However, there are still some persistent myths that may be keeping you from protecting yourself and your identity. Here we will look at just three of these myths, and the facts that lay behind them.

Myth 1: I know what those scams look like, bad spelling and terrible English- who falls for those things anyway?

Fact: Indeed, many people are familiar with the obvious signs of a scam. So many people are wise to these frauds that scammers have begun to outsource their products and develop corporate-like organizations to work…(continue reading)

ID Experts on KATU News:

A few news stories have been circulating about the looming identity theft threat to couples who have decided to tie the knot. Thieves prey on our deepest and strongest emotions, and two people madly in love and about to take the plunge are certainly full of emotions and stress. Stress makes us more apt to decide quickly, without thinking the situation through. The sense of relief we feel may encourage us to accept an offer that seems “too good to be true” when we might otherwise hesitate. Our families and friends may also be targeted, for much the same reasons. Think like a thief- on average weddings cost over $20,000 and guest gifts range between $50-150 each. That places a rather large bulls-eye on anyone involved. Here is just a small list of the kinds of scams that are lurking out there:

• Fake vendors- these are identity thieves or card frauders. They are online, at bridal shows, and call individuals out of the blue. You may be even approaching them for a genuine service advertised in the classifieds or a bridal magazine, or it may be a “sweepstakes”. As part of the “contract” or “application” you answer personal questions in great detail or provide a credit card number that is later used to defraud you.

• Fraud vendors- this category is not technically identity theft, but still leaves you stung. Often you are promised a “free” sample and hand over your credit card for shipping and handling, and then find yourself with outrageous charges. Vendors take a deposit for renting you an item as pictured on their site, and when the big day comes, nothing arrives or what arrives bears little resemblance to the model. Sweepstakes and Giveaways should be especially scrutinized if you get a call and you “won” – there may be strings attached.

• Crooks- these people take advantage of the fact you share so much about your event. They may rob your house while you’re exchanging rings, or wait until you’re away on honeymoon. While everyone at the reception is distracted, they snatch purses or sneak into hotel rooms. Honeymooners are easily targeted by pickpockets, camera snatchers, and hustlers.

• Disappearing act- this can be anything from a deposit you paid disappearing from the books to a company suddenly going bankrupt. Bankruptcies are up 47% from last year, so this is a big concern. While insurance can help protect you, it is important to purchase coverage carefully.

• Malware – There are tons of “free” applications out there to help out couples. Cost calculators, dress design software, websites, countdown clocks, reminders, calendars, the list goes on… Then there are the flash animations and videos of weddings, decorations, crafts, flowers and more. However, some of these may contain harmful code that could harvest your information and place you at risk for identity theft and fraud.

• Robocalls and junk mail – While shopping around online or in person, you’re often asked to leave your contact information. This can result in an increase in junk mail offers and robocalls. Some of these are likely phishing attempts, and are cleverly disguised. Another risk with increased junk mail is the possibility of mail theft going unnoticed for a longer period of time. Pre-approved credit card offers may inflate your mailbox, also increasing your risk of fraud.

• “In distress” scam- this is commonly used while a couple is on honeymoon, but can strike at any time. Fraudsters may call, email, or take over your email or social networking accounts to contact your friends and family claiming to need emergency money. Excuses range from medical emergencies, to being kidnapped. Often they have “been robbed” and need the money to get home. The rest is ALWAYS to wire money or send Western Union.

• YOU – of all the threats, YOU might be your own worst enemy. Many couples have wedding announcements; send emails, e-vites, wedding websites, social networking pages, online gift registries with their personal information, personal details, family details, and wedding, reception and honeymoon specifics available to the public at large. Brides and grooms alike tend to become excited and may share greater detail about themselves, their partners and the event with coworkers and friends… and florists, photographers, DJs (or anyone else who will listen).

With a few minor changes and some awareness, you can still have all the bells and whistles to your big day while keeping your friends, family and your identity safe.

• Assume the numbers and addresses you are using to contact vendors, get quotes, order catalogs are going to be stolen, traded and sold over and over. Set up a PO Box and a separate number to use for your contact information.

• Contact the Better Business Bureau in your area about any vendor, sweepstakes, or service you are going to fork over a large amount of money to, or that you are unfamiliar with. Do this before you provide them any personal or contact information.

• Always assume that calls you receive are compromised and never reveal any personal information. You may trust calls you initiate to a trusted business more, but still exercise caution.

• Read ALL fine print carefully. TWICE.

• Keep all receipts; require everything in writing and document, document, document. Go over all your credit card and bank statements monthly and notify your financial institution right away if you notice any unusual activity.

• Quarantine. Don’t use the same passwords or email account for your social networking sites, registry, and wedding webpage. You should never attach your “trusted” email account you have been using to communicate with your friends and family to another site. A compromise of a social networking site can easily lead to an email compromise, and makes it easier for fraudsters to contact your entire address book for money. If your quarantined email is hacked and messages sent to all your friends, they should be more cautious since it is a different email than they are used to communicating with you. This will buy you enough time that you can then use your “trusted” email account to notify them all of the fraud (or better yet- call them!).

• Never send money Western Union- this is one of the few ways you can send money and never get it back. Provide contact information to their nearest consulate if you are met with this scam online.

• Limit access to personal information- If you are going to list the details of your big day and honeymoon, look for websites that allow you to create a wedding website for friends only, or that is password protected so you can control who has access.

• Be careful of accidentally revealing personal information like your mother’s maiden name (which may be derived from guest lists or online friend list on social networking sites) and your date or place of birth. Also, you will be asked a lot of questions so people can “get to know you” before your big day- make sure none of these questions and answers correspond to the security questions of any account you have. Go through each online account and determine what questions are asked if you click “I forgot my password”. You may wish to change those answers.

• Find gift registries that allow you to control privacy, and insist on revealing as little about yourself as possible. Gift registries often offer a disturbing amount of detail about you, and often are generally open to the public.

Check your credit reports regularly with www.annualcreditreport.com or by calling 1-877-322-8228.  If you do experiance fraud or a scam, report it to your Better Business Bureau and the FTC and place fraud alerts with the major credit bureaus.

The newest phishing attack to hit Twitter yesterday was a type of cyberscam called typo-squatting. This falls under a more generic term, cybersquatting. This attack took advantage of the similarities between a double v (tvvitter) and a w (twitter) to scam you into revealing your login information.Other typo-squatting simply takes advantage of the pay-per-click system to rack in money that should be coming to your organization. According to a recent independent report, cybersquatting increased by 248% in the past year.

Fairwinds Partners, an internet strategy consulting firm, estimates that a company such as Myspace, who has 5.94 % of its traffic being diverted to its top ten typo pages stands to “lose the marketing equivalent of between $400,000 and $700,000 each month”. Although the Anticybersquatting Consumer Protection Act (ACPA) was intended to protect against these scams, they are still common enough to present a real danger to customers and companies.

There are several ways that users can try to protect themselves against typo-squatting. Microsoft has suggested settings to enhance your browser. They have even developed a download called Typo-Patrol. More simply, you can avoid clicking on links to navigate to websites and type carefully each web address you visit. As an organization, there are several companies that will help you prosecute typo-squatters and monitor for cybersquatting. You may also may use the Uniform Domain-Name Dispute-Resolution Policy website to lodge a dispute. You may also wish to visit the Coalition Against Domain Name Abuse for more resources.

Today I was asked several times about social networking and job hunting. The question on everyone’s lips is, “What do I have to watch out for?”

Computerworld reports that one in five companies search social networking sites during the hiring process, although many experts believe that number is much higher. You may think that you’re immune because you don’t have any MySpace, Twitter or Facebook accounts- but read on and you will find that is far from the truth.

• Do a search on yourself. Try Google and Pipl. Search for the same items that appear on your resume and application- name, addresses, phone numbers, user names, email accounts and professional groups are all gateways to finding your profile

• Be aware of professional name squatting and company squatting. There are those who scoop up usernames and create profiles using professional information belonging to you. You can usually get access to these profiles, but at a cost. You do not have to buy the impostor login from the squatter, but be aware that if you found it while searching for information about you, your employer will see it too. There are plenty of online reputation management companies that will help you change the order of appearance of your legitimate profiles in search rankings, and even some that will help you reserve your name and user profile on multiple social networking sites for a small fee. Others still will help you create positive chatter to help drown out any negative or misleading pages.

• Even if you delete the profile, page or photos they may not be gone. Internet archives are still searchable. Photos can be especially difficult to delete entirely.

• Who you keep company with says a lot about you. Your profile might be clean and professional, but if your buddy has pictures of the two of you on your last pub crawl, it can damage your chances of landing the job. Use the privacy settings on your profiles wisely!

• Many people are transitioning between being laid off and job searching maybe angry about the economy and the way they were shown the door. Keep a lid on negative comments about your former employer, just as you would during an interview.

• Be careful of professional identity thieves. I don’t mean people who steal identities for a living, I mean people who troll profiles like LinkedIn to create fake resumes to get hired at companies using real information from other people. The more personal information available on your profiles and resumes the easier it will be for a person to commit identity theft, professional identity theft or gain access to your online profiles by correcting guessing your secret questions. Consider removing details like the names of companies, schools and organizations as well as dates and addresses. Change your profiles slightly to use generic terms such as “Privacy officer for major health organization in Silicon Valley” instead.

• Social networking has become popular way to search for jobs as well. There are classifieds on MySpace, and the ever popular Craigslist- but these are often full of scammers lurking in wait. Offers that sound too good to be true probably are. Stay aware from offers that involve wiring money, processing money orders or otherwise acting as a “broker” for transferring funds. Check the company out using Better Business Bureau, your local police, or other methods before proving any personal information such as date of birth, social security number or showing up for an interview

• If you are offering your services, be careful of people who may be looking for an excuse to come to your home to “case” it for a robbery later. Also watch out for offers to pay you more than what you asked.  You may cash the check, but once the bank processes the phony funds, you will be left holding the bag. Be careful in responding to emails about your job posting as they may be from bots used by spammers or scammers trying to verify that there is a person on the other end of the email.

Bottom line: beware of what you post, delete does not always mean gone forever, use your privacy settings, and be aware of intential and unintential impostors. The last is a warning for both employers and employees. This is why it is so important to know what comes up out there under your name and details- if there is a person sharing your name, area, and has a similar address you may want to directly address that issue in a cover letter or interview. Don’t worry about bringing it up- It shows that you care about your reputation, and that you’re tech saavy.

Lately, I have gotten many emails and phone calls about online impersonations. Everything from MySpace, Twitter and Facebook accounts to email addresses and craigslist postings. This is also sometimes called profile jacking or twitterjacking. Enough real information is being used that someone searching by things like name, address, phone number or username might mistake the impostor for the real deal. People who regularly “google” themselves may be surprised to find new pages and emails associated to their details. Sometimes this impersonation can flood you with phone calls and junk mail, or at worst turn into a kind of cyberstalking.

While annoying and occasionally frightening, online impersonation is not identity theft unless personal information not otherwise available to the public is used. Since you are not required to provide a social security number, date of birth, or other private information for verification for email addresses or online profiles, opening up an account using another person’s name is incredibly easy- but not identity theft.  While many of the activities may fall under stalking laws in your state, many times these are activities outside the law’s ability to change with new technology.

However, all is not lost! Almost all internet companies have a Terms of Service (TOS) agreement, and most of them include online impersonation for the purpose of harassment or fraud as a violation of the agreement. You can contact their abuse desk, usually found at abuse@domain.com, and point out the abuse of their TOS by the impostor. This is particularly useful if the impostor is spamming people with messages, as you can also email spam@domain.com to report it at the same time. They may or may not choose to shut down the impostor. Remember that parody and fair use rules typically apply to most companies, especially in social networking- so you may not always get a result. Additionally, a good rule of thumb is that you will get better service and swifter action on violations of TOS from services you pay for. Free email accounts and free profiles, blogs and networking typically deliver slower results, if they choose to take action at all.

If there is use of your company’s logo or other copyrighted material, you can send them a DMCA take-down notice to their registered agent. The use of copyrighted material or violations of Terms of Service are often the only leverage that a person can use to get an impostor shut down.

The ease and convenience of the internet will always struggle for balance with privacy, security and individual rights. Not only should we be aware of people potentially impersonating us, but we should be aware of how easy it can be to be fooled into believing an impostor. Often impostors will take real blog posts and real tweets to add to their own profiles to try to confuse search engines and potential followers or friends. Some become followers or friends of the real person, just to gain access to more information to imitate. The internet can be a wonderful sandbox, just be careful of the person standing behind you with a shovel.

Technology Review, published by MIT, has an article that is highlighting a personal crusade of mine. Your secret questions are not all that secret! I’ve said many times that most security questions are answered truthfully, and most of those are easily obtained or guessed. What town you grew up in, what high school you attended, what your pet’s name is are all probably either in public record or on your own profile page somewhere. Several chain-letter-type surveys that ask you to answer your teacher’s name and the street you grew up on in order to provide you with a “Rock Star” name are often a clever scam to get people to reveal the answers to these questions. From there, they only have to click on the “I forgot my password” link on email or websites to gain access to your accounts, profiles, identity and contact list. They may start contacting users in your address book, trying to scam money or personal information- creating a nightmare of fraudulent activity and impersonations to try to resolve.

Sarah Palin’s hacker gained access to her account in this way. As a public figure, much was on Wikipedia and other websites about her life which together provided the answers to her security questions. The lesson to learn here is that our LinkedIn profiles, business contacts and networking efforts may appear enticing to identity thief. Researches from Microsoft and Carnegie Mellon University show that the secret questions are typically insecure. “In a study involving 130 people, the researchers found that 28 percent of the people who knew and were trusted by the study’s participants could guess the correct answers to the participant’s secret questions. Even people not trusted by the participant still had a 17 percent chance of guessing the correct answer to a secret question.”

More alarming:

The least-secure questions are simple ones whose answers can be guessed with no existing knowledge of the subject, the researchers say. For example, the answers to the questions “What is your favorite town?” and “What is your favorite sports team?” were relatively easy for participants to guess. All told, 30 percent and 57 percent of the correct answers, respectively, appeared in the top-five list of guesses.

But answers that require only a little personal knowledge to guess should also be considered unsafe, the researchers warn. Of people that participants would not trust with their password, 45 percent could still answer a question about where they were born, and 40 percent could correctly give their pet’s name, the researchers found.

Remember, the easier it is for you to remember- the easier you make it for others to guess. The most secure method would be to create your own password for each security question, with special characters and number. However, realistically, most people will have to sacrifice a little security for convenience. I have always recommended coming up with your own secret question plan. When asked about your pet, give your best friend’s middle name. When asked about the town you grew up in, always answer with your shoe size and so on. This should cut down on the likelihood of a successful attack.

By Rebcca Seaman

 With the rise (and benefits!) of professional Social Networking, Hackers are increasingly turning their energies away from ‘old school’ methods  of inflicting harm on  organizations (such as email containing viruses and Trojans) and focusing more on Social Networking vulnerabilities.

According to a recent report conducted by the Secure Enterprise 2.0 Forum, hackers have increasingly used programs like MySpace, Facebook and Twitter to perpetuate malware and this trend is expected to increase as more and more organizations incorporate Social Networking into their standard practices.

In an article titled Fail 2.0: Further Musings on Attacking Social Networks,  Shawn Moyer writes “Social networking sites are meant to get as many users in one place as possible on one platform, and for attackers there’s a lot of return-on-investment in going after them.”So how can you protect yourself and your organization? My best advice would be to remember that while you are on the web at work; you are wholly responsible for protecting the information you transmit. Don’t rely solely of your organization’s malware and virus filters to catch any potential harmful software-it’s up to you to be diligent as well. And just as you wouldn’t broadcast sensitive data in a chartroom, think twice about what you say on Twitter, Facebook and the like (check our Rachel’s blogs on the ownership terms and conditions of some of these sites).

Of course, the end result of these types of hacks can be extremely harmful both to your company and your career-you don’t want to be responsible for exposing trade secrets or sensitive data inadvertently. According to the report, nearly 30 percent of the attacks did lead to the exposure of sensitive information. Additionally, Around 13 percent resulted in actual monetary loss, while more than 10 percent installed malware on computers or their corresponding networks.

You’re in the scene- you’ve got the Facebook, MySpace, LinkedIn and Twitter accounts active and updated. You juggle to remember which friend requests have been added where, and then you suddenly decide to sign up for another social media site such as Yelp, Plaxo, Ning, FriendFeed, Orkut, or iLike. What a pain to add all those friends all over again! Then you see a advertisement for a wonderful service provided by the company- all you have to do is provide your email username and password, and all your friends will be automatically added to your social network. Sounds great, right?

Wrong. This leaves the door wide open for numerous types of fraud. Most people do not take the security precaution of creating different user names and passwords for the sites they visit. They may be handing over their address books, and financial and email accounts. You must also consider that a large database of user names and passwords are VERY attractive to potential hackers and identity thieves, and is much more likely to be targeted than individual accounts.

As reported on TechRadar, Twitter’s API lead Alex Payne said “We’ve always advised users to only give their passwords to websites they feel they can trust. Any website runs the risk of compromise, so giving out your credentials is always a gamble. There’s little risk in using a desktop Twitter client, but we’ve cautioned users against handing out their passwords to web-based services that are higher-value targets to attackers.”

Even if you trust the service not to delve into your personal information, you are providing a third party website with security information. A habit that identity theft and security professionals have been trying to break for years. As handing out your security information from one site to another site becomes commonplace, the easier it will become to convince users to continue the practice. As Jeremy Keith, technical director of user experience consultancy Clearleft points out, “…it teaches people how to be phished.”

There is always a security trade-off for convenience. Before you click on that free download, try the new service, or ask a computer to remember your password ask yourself- Is this worth it? Is the increased risk of attack and theft worth the convenience I am trading it for? Remember to use different usernames and passwords for your accounts, so that any single compromise does not result in total loss of your personal and finacial information. Never provide account information on a third party site, and be cautious of any requests for password or account information by email, website or phone.

PC World reports that On Wednesday, an anonymous hacker going by the name of Hacker Croll posted 13 screenshots to a French online discussion forum, apparently captured while logged into the Twitter account of Jason Goldman, a director of product management with Twitter. This hack was confirmed Thursday by Twitter CEO Biz Stone. The initial investigation revealed that at least 10 accounts were viewed during this hack, possible compromising phone numbers, email addresses and more.

How was this hack possible? Well, if I haven’t emphasized enough the need to change your security questions, this should hammer it home. The hacker was able to gain access through the administrator’s Yahoo! account by guessing at his security questions. Once in his Yahoo! mail account, all her had to do is request his password to be emailed to the account. Security questions are the prompts you receive when you click “I forgot my password” button. They have been the focus of many attacks and breaches, since many times they are easily guessed answers or publicly available information (such as the high school you went to, the town you grew up in, and so forth).

This is the second time someone has hacked into the support staff at Twitter, the first was in January. During the attack in January, it was reported that the password was a word found in the dictionary with no special characters or numbers. A password that would be easily guessed: happiness. Highlighting the problem with third parties who handle your information carelessly. You may take all the precautions to protect your information, but it only takes one mistake by someone else at a company to expose your information.

While some of the recent security problems that Twitter has experianced are related to technology attacks, such as worms and viruses- this highlights the ongoing problem of social engineering attacks. Knowledge is power, and most people would be surprised to find out what information is available to the public. Further, most people are unaware of the amount of information that they place on thier profiles that can be used to conduct these kinds of attacks. Limiting the amount of personal information available by using the privacy setting is important. It is equally important to change the answers to your security questions- make sure the answers are ones you would remember, but no one else who knew the “right” answer could get it. When asked about your pet’s name, pick your best friend’s middle name. When asked about the town you grew up in, answer with the last four digits of your phone number- whatever it takes to make it more difficult to obtain access to your accounts.