Posts Tagged ‘social networking’


Video: Don’t fall victim to social networking hackers

Posted by: Rachel James | July 28th, 2009

ID Experts on KATU News:

Fraud and Engagements: For Better or Worse

Posted by: Rachel James | July 23rd, 2009

A few news stories have been circulating about the looming identity theft threat to couples who have decided to tie the knot. Thieves prey on our deepest and strongest emotions, and two people madly in love and about to take the plunge are certainly full of emotions and stress. Stress makes us more apt to decide quickly, without thinking the situation through. The sense of relief we feel may encourage us to accept an offer that seems “too good to be true” when we might otherwise hesitate. Our families and friends may also be targeted, for much the same reasons. Think like a thief: on average, weddings cost over $20,000 and guest gifts range between $50 and $150 each. That places a rather large bulls-eye on anyone involved. Here is just a small list of the kinds of scams that are lurking out there:

  • Fake vendors- these are identity thieves or card fraudsters. They are online, at bridal shows, and call individuals out of the blue. You may even be approaching them for a genuine service advertised in the classifieds or a bridal magazine, or it may be a “sweepstakes”. As part of the “contract” or “application” you answer personal questions in great detail or provide a credit card number that is later used to defraud you.
  • Fraud vendors- this category is not technically identity theft, but still leaves you stung. Often you are promised a “free” sample and hand over your credit card for shipping and handling, and then find yourself with outrageous charges. Vendors take a deposit for renting you an item as pictured on their site, and when the big day comes, nothing arrives or what arrives bears little resemblance to the model. Sweepstakes and Giveaways should be especially scrutinized if you get a call and you “won” – there may be strings attached.
  • Crooks- these people take advantage of the fact you share so much about your event. They may rob your house while you’re exchanging rings, or wait until you’re away on honeymoon. While everyone at the reception is distracted, they snatch purses or sneak into hotel rooms. Honeymooners are easily targeted by pickpockets, camera snatchers, and hustlers.
  • Disappearing act- this can be anything from a deposit you paid disappearing from the books to a company suddenly going bankrupt. Bankruptcies are up 47% from last year, so this is a big concern. While insurance can help protect you, it is important to purchase coverage carefully.
  • Malware – There are tons of “free” applications out there to help out couples. Cost calculators, dress design software, websites, countdown clocks, reminders, calendars, the list goes on… Then there are the flash animations and videos of weddings, decorations, crafts, flowers and more. However, some of these may contain harmful code that could harvest your information and place you at risk for identity theft and fraud.
  • Robocalls and junk mail – While shopping around online or in person, you’re often asked to leave your contact information. This can result in an increase in junk mail offers and robocalls. Some of these are likely phishing attempts, and are cleverly disguised. Another risk with increased junk mail is the possibility of mail theft going unnoticed for a longer period of time. Pre-approved credit card offers may inflate your mailbox, also increasing your risk of fraud.
  • “In distress” scam- this is commonly used while a couple is on honeymoon, but can strike at any time. Fraudsters may call, email, or take over your email or social networking accounts to contact your friends and family claiming to need emergency money. Excuses range from medical emergencies to being kidnapped. Often they have “been robbed” and need the money to get home. The request is ALWAYS to wire money or send it by Western Union.
  • YOU – of all the threats, YOU might be your own worst enemy. Many couples make wedding announcements, emails, e-vites, wedding websites, social networking pages, and online gift registries, with their personal information, personal details, family details, and wedding, reception and honeymoon specifics, available to the public at large. Brides and grooms alike tend to become excited and may share greater detail about themselves, their partners and the event with coworkers and friends… and florists, photographers, DJs (or anyone else who will listen).

With a few minor changes and some awareness, you can still have all the bells and whistles to your big day while keeping your friends, family and your identity safe.

  • Assume the numbers and addresses you are using to contact vendors, get quotes, and order catalogs are going to be stolen, traded and sold over and over. Set up a PO Box and a separate number to use for your contact information.
  • Contact the Better Business Bureau in your area about any vendor, sweepstakes, or service you are going to fork over a large amount of money to, or that you are unfamiliar with. Do this before you provide them any personal or contact information.
  • Always assume that calls you receive are compromised and never reveal any personal information. You may trust calls you initiate to a trusted business more, but still exercise caution.
  • Read ALL fine print carefully. TWICE.
  • Keep all receipts; require everything in writing and document, document, document. Go over all your credit card and bank statements monthly and notify your financial institution right away if you notice any unusual activity.
  • Quarantine. Don’t use the same passwords or email account for your social networking sites, registry, and wedding webpage. You should never attach the “trusted” email account you have been using to communicate with your friends and family to another site. A compromise of a social networking site can easily lead to an email compromise, and makes it easier for fraudsters to contact your entire address book for money. If your quarantined email is hacked and messages are sent to all your friends, they should be more cautious since it is a different email than the one they are used to communicating with you on. This will buy you enough time that you can then use your “trusted” email account to notify them all of the fraud (or better yet- call them!).
  • Never send money by Western Union- this is one of the few ways you can send money and never get it back. Provide contact information to their nearest consulate if you are met with this scam online.
  • Limit access to personal information- If you are going to list the details of your big day and honeymoon, look for websites that allow you to create a wedding website for friends only, or that is password protected so you can control who has access.
  • Be careful of accidentally revealing personal information like your mother’s maiden name (which may be derived from guest lists or online friend list on social networking sites) and your date or place of birth. Also, you will be asked a lot of questions so people can “get to know you” before your big day- make sure none of these questions and answers correspond to the security questions of any account you have. Go through each online account and determine what questions are asked if you click “I forgot my password”. You may wish to change those answers.
  • Find gift registries that allow you to control privacy, and insist on revealing as little about yourself as possible. Gift registries often offer a disturbing amount of detail about you, and are generally open to the public.

Check your credit reports regularly with www.annualcreditreport.com or by calling 1-877-322-8228. If you do experience fraud or a scam, report it to your Better Business Bureau and the FTC and place fraud alerts with the major credit bureaus.

Twitter present and future

Posted by: Rachel James | June 29th, 2009

As the main “Twit” on our account, it is my pleasure to announce that after four weeks for the corporate Twitter account, we now have over 500 followers. We have connected with many more in the twitterverse. It has been truly educational to see the conversations and discussions happening amongst privacy and security professionals and interested parties. Valuable commentary and opinions on everything from REAL ID to HITECH to PCI DSS, and of course data breaches. The insights we have gained have been incredibly valuable, and we thank everyone deeply for their participation.

I want to thank all the people who are following us, and those who we have interacted with in the twitterverse. You all have been very patient while we figure out the proper netiquette in this space. If we have forgotten to thank you for retweets or follows, I apologize and assure you that it was not done purposefully. We deeply value the insights that are coming from Twitter, and we will continue to foster that community. I want to encourage everyone to send us questions, blog requests or suggestions to @idexperts

In the future, we are planning some exciting things for Twitter. You can look forward to exclusive white paper releases, open job positions and promotional offers coming to our tweet stream. Our international community is growing, so I will attempt to flex some language skills and occasionally tweet in German, Spanish, Dutch, French and more. Additionally, as matters in the privacy and security sector arise, we will be creating polls and surveys to try to capture valuable input from our followers as well as providing research and statistical resources as we make them available.

I want to encourage those who may have specific questions that cannot be asked in 140 characters or less to contact us directly at twitter@idexpertscorp.com. We welcome your input and support, and look forward to building a community of understanding.


Follow us on Twitter

Posted by: Rachel James | May 19th, 2009

Are you tweeting? Do you belong to the Twitterverse? Now, so do we!

Want to follow us and watch us grow? Or, you can send us a question or topic you would like addressed to us @idexperts

Our Twitter will automatically notify our followers of new blog posts, news and activity here at ID Experts. From the latest news on data breaches, to our efforts in Washington, Twitter will help us reach more people in more places while reaching out to the privacy and security community at large. As a recognized leader in data breach prevention, detection, & remediation, Twitter is part of our greater effort to bring cooperation and understanding to the data breach and identity theft sector while focusing on our vision to create a world where personal information remains private.

Social Networking in the Office-Are You Putting Your Organization at Risk?

Posted by: rebeccaseaman | May 15th, 2009

By Rebecca Seaman

With the rise (and benefits!) of professional Social Networking, hackers are increasingly turning their energies away from ‘old school’ methods of inflicting harm on organizations (such as email containing viruses and Trojans) and focusing more on Social Networking vulnerabilities.

According to a recent report conducted by the Secure Enterprise 2.0 Forum, hackers have increasingly used sites like MySpace, Facebook and Twitter to spread malware, and this trend is expected to increase as more and more organizations incorporate Social Networking into their standard practices.

In an article titled Fail 2.0: Further Musings on Attacking Social Networks, Shawn Moyer writes “Social networking sites are meant to get as many users in one place as possible on one platform, and for attackers there’s a lot of return-on-investment in going after them.”

So how can you protect yourself and your organization? My best advice would be to remember that while you are on the web at work, you are wholly responsible for protecting the information you transmit. Don’t rely solely on your organization’s malware and virus filters to catch any potentially harmful software; it’s up to you to be diligent as well. And just as you wouldn’t broadcast sensitive data in a chat room, think twice about what you say on Twitter, Facebook and the like (check out Rachel’s blogs on the ownership terms and conditions of some of these sites).

Of course, the end result of these types of hacks can be extremely harmful both to your company and your career: you don’t want to be responsible for exposing trade secrets or sensitive data inadvertently. According to the report, nearly 30 percent of the attacks did lead to the exposure of sensitive information. Additionally, around 13 percent resulted in actual monetary loss, while more than 10 percent installed malware on computers or their corresponding networks.

 

…Teach a man to be phished, and he’ll be hungry for a lifetime

Posted by: Rachel James | May 4th, 2009

You’re in the scene- you’ve got the Facebook, MySpace, LinkedIn and Twitter accounts active and updated. You juggle to remember which friend requests have been added where, and then you suddenly decide to sign up for another social media site such as Yelp, Plaxo, Ning, FriendFeed, Orkut, or iLike. What a pain to add all those friends all over again! Then you see an advertisement for a wonderful service provided by the company- all you have to do is provide your email username and password, and all your friends will be automatically added to your social network. Sounds great, right?

Wrong. This leaves the door wide open for numerous types of fraud. Most people do not take the security precaution of creating different user names and passwords for the sites they visit. They may be handing over their address books, and financial and email accounts. You must also consider that a large database of user names and passwords is VERY attractive to potential hackers and identity thieves, and is much more likely to be targeted than individual accounts.

As reported on TechRadar, Twitter’s API lead Alex Payne said “We’ve always advised users to only give their passwords to websites they feel they can trust. Any website runs the risk of compromise, so giving out your credentials is always a gamble. There’s little risk in using a desktop Twitter client, but we’ve cautioned users against handing out their passwords to web-based services that are higher-value targets to attackers.”

Even if you trust the service not to delve into your personal information, you are providing a third party website with security information, a habit that identity theft and security professionals have been trying to break for years. The more commonplace it becomes to hand your security information from one site to another, the easier it will become to convince users to continue the practice. As Jeremy Keith, technical director of user experience consultancy Clearleft, points out, “…it teaches people how to be phished.”

There is always a security trade-off for convenience. Before you click on that free download, try the new service, or ask a computer to remember your password, ask yourself: Is this worth it? Is the increased risk of attack and theft worth the convenience I am trading it for? Remember to use different usernames and passwords for your accounts, so that any single compromise does not result in total loss of your personal and financial information. Never provide account information on a third party site, and be cautious of any requests for password or account information by email, website or phone.

Twitter Hacked for the Second time this Year

Posted by: Rachel James | May 1st, 2009

PC World reports that on Wednesday, an anonymous hacker going by the name of Hacker Croll posted 13 screenshots to a French online discussion forum, apparently captured while logged into the Twitter account of Jason Goldman, a director of product management with Twitter. This hack was confirmed Thursday by Twitter CEO Biz Stone. The initial investigation revealed that at least 10 accounts were viewed during this hack, possibly compromising phone numbers, email addresses and more.

How was this hack possible? Well, if I haven’t emphasized enough the need to change your security questions, this should hammer it home. The hacker was able to gain access through the administrator’s Yahoo! account by guessing at his security questions. Once in his Yahoo! mail account, all he had to do was request that his password be emailed to the account. Security questions are the prompts you receive when you click the “I forgot my password” button. They have been the focus of many attacks and breaches, since many times they have easily guessed answers or rely on publicly available information (such as the high school you went to, the town you grew up in, and so forth).

This is the second time someone has hacked into the support staff at Twitter; the first was in January. During the attack in January, it was reported that the password was a word found in the dictionary with no special characters or numbers, a password that would be easily guessed: happiness. This highlights the problem with third parties who handle your information carelessly. You may take all the precautions to protect your information, but it only takes one mistake by someone else at a company to expose your information.

While some of the recent security problems that Twitter has experienced are related to technology attacks, such as worms and viruses, this highlights the ongoing problem of social engineering attacks. Knowledge is power, and most people would be surprised to find out what information is available to the public. Further, most people are unaware of the amount of information that they place on their profiles that can be used to conduct these kinds of attacks. Limiting the amount of personal information available by using the privacy settings is important. It is equally important to change the answers to your security questions- make sure the answers are ones you would remember, but that someone who knew the “right” answer could not guess. When asked about your pet’s name, pick your best friend’s middle name. When asked about the town you grew up in, answer with the last four digits of your phone number- whatever it takes to make it more difficult to obtain access to your accounts.

Social Networking: Spring Break Scam

Posted by: Rachel James | March 23rd, 2009

This isn’t a new scam, but we are about to see a revival as spring break and summer vacations roll around. Thieves troll through popular social networking sites such as Facebook or MySpace for individuals posting their spring break or vacation plans on their profiles. Then, posing as a troubled student or traveler, they contact all your friends and family asking for emergency cash. Not just by email, but by phone as well. The reasons vary from bail money to medical emergencies or family deaths. Recently, this wave of fraud has been felt in Washington and Oregon as reported by King5 News, so the scam has officially made its way from coast to coast.

If your children or grandchildren are going to be taking a trip, form an emergency plan of communication with them. Develop a secret password or question-answer combination so that you can double-check the information if you get strange calls, emails or letters. Question callers to search out scam artists, even if they sound like your relative over the phone. Don’t ever assume that because they are using a familiar family pet name (Nana, Grammy) they must be the person they say they are. Use caution, ask questions, and remain vigilant.

Social Networking and Your Birthday: Gateway to Theft

Posted by: Rachel James | March 12th, 2009

In an excellent investigative report by Channel 7 News in Boston, reporters demonstrated how easy it was to obtain copies of vital records by using information available on popular social networking sites. Even though their requests contained incorrect information that should have raised a red flag (address, place of birth), they were able to obtain birth certificates without much effort. The request did not even have to be made in person. This piece of paper, which may contain father’s name, mother’s maiden name, and place of birth, makes stealing an identity a breeze.

Putting your date of birth may seem like a relatively harmless piece of information to place on your profile, and it is fun to get birthday wishes from all your friends… but that can be a dangerous piece of information in the wrong hands. Not all states have the same controls in place for the retrieval of vital records, so it is important to keep as much information about yourself private as you can. Read the full transcript directly from their site here.

Remove that Social Networking Malware for Free

Posted by: Rachel James | March 11th, 2009

An update to Microsoft’s Malware Protection Center’s Threat Research and Response Blog by Scott Molenkamp details the social networking malware being addressed by Microsoft in their March update to their free Malicious Software Removal Tool.

This is an update regarding the US-CERT alerting us to the Koobface malware, as posted in this blog on March 4th, 2009. The Microsoft Malware Protection Center has noted that the following websites appear to be the focus of this attack:

• bebo.com
• facebook.com
• friendster.com
• fubar.com
• hi5.com
• myspace.com
• myyearbook.com
• netlog.com
• tagged.com

According to Microsoft’s details on the Malicious Software Removal Tool, “The Microsoft Windows Malicious Software Removal Tool checks computers running Windows Vista, Windows XP, Windows 2000, and Windows Server 2003 for infections by specific, prevalent malicious software—including Blaster, Sasser, and Mydoom—and helps remove any infection found. When the detection and removal process is complete, the tool displays a report describing the outcome, including which, if any, malicious software was detected and removed…

Because computers can appear to function normally when infected, Microsoft advises you to run this tool even if your computer seems to be fine. You should also use up-to-date antivirus software to help protect your computer from other malicious software. To download the latest version of this tool, please visit the Microsoft Download Center.”