Are Your Connected Devices Safe?

The number of Internet of Things (IoT) devices in use is forecasted to hit 8.4 billion this year. That’s more than the human population on planet Earth. And with successful attacks like Mirai (which was the malware used in the 2016 Dyn cyberattack) already a part of the IoT story, there’s plenty to worry about.

It’s crucial we give this latest market exuberance a brief time-out. Unfortunately, the chances of that happening are fairly unlikely. So, what to do between now and the next zero-day exploit?

I’m specifically recommending a cyber “time-out,” and not a “breather” or any other term signifying a pause or cessation of activity. IoT technology is in its infancy and growing faster than projected. And it’s flawed.

Connected devices have not been around very long, and yet they’ve already managed to cause no end of trouble—whether we’re talking about hijacked baby monitors, IP cameras, or exercise trackers that broadcast granular details about your sex life to anyone who might be curious about it.

We need a time-out to think through and implement best security practices for the IoT market.

Are Connected Devices a Cyber Catastrophe Waiting to Happen?

With total spending on IoT or connected devices pegged to hit $2 trillion this year, the market is undergoing a period of staggering growth.

IoT is increasingly present in daily life. It can be found in kitchen appliances, cars, health care equipment, toys, exercise gear, and peripherals like watches and monitors. It’s in security systems and many of the creature comforts populating our homes.

On all fronts, the upside is impressive. Consumers get to shop for a whole new universe of things they never knew they wanted, and manufacturers are increasing their revenues. In case you don’t have the figures handy, the revenue target for 2017 represents 31% growth over the previous year.

Sounds great, right? But while everyone benefits from the hunger for next-generation, hyper-connected everything, consumers may lose sight of the security pitfalls associated with them. At the risk of being a killjoy, I believe it doesn’t just seem reasonable, but absolutely essential, to assume many new devices currently hitting the IoT market aren’t cybersecure.

So, while the boom in connected devices looks like a win for everyone, it’s not. When consumers connect new devices to the Internet, their attackable surface expands. Data is being moved around. New doors are opened.

Even the most cursory look backward reveals the likelihood of future attacks.

New Products, Better Prospects?

Nest is a popular smart home player in the IoT sector. The company just released some new devices, including home security cameras, which made me wonder about the lessons learned from recent zero-day fails.

In the Persirai/Mirai catastrophe, IP cameras and routers were hijacked and roped into a botnet that hackers used to launch a massive distributed denial of service (DDoS) attack against Dyn, which routed traffic for major websites. The sites affected by the attack included The New York Times, HBO, PlayStation, Etsy, Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, and PayPal.

The Dyn attack was the direct result of rushing connected devices to market. IoT devices were sold to consumers with default passwords that many people never bothered to change (some don’t permit passwords to be changed), security taking a backseat in the race to the marketplace. While there was little to no issue with the affected devices on the consumer end, the hackers were able to use all those points of contact to launch the crippling attack on Dyn. And yes, that attack affected everyone. A back-of-the-napkin estimate on total cost is in the billions, not millions, of dollars.

In addition to Nest, I reached out to other IoT device manufacturers this week to hear what they’re doing to protect consumers in the wake of the Dyn attack and the mad rush to cash in on the robust market for connected devices. Of the 10 companies I contacted, only three got back to me.

Both Nest and Vivint (a leader in smart devices with excellent security) responded with answers that were music to my cyber-paranoid ears, though I’ll spare you the details. The same was not true of the third response, which came from a Honeywell representative: “I’d need quite a bit more time to fact check answers through our various businesses given the breadth of your questions.”

My questions:

There have been many instances of cams with factory-default passwords getting hacked—do new [Honeywell] cam products require the end user to create a secure password before they will function? Do they allow the consumer to create a password? What security measures were designed into the product?

What measures have been taken to protect other smart home products from hackers?

These questions are elementary. One has to suspect the reason so many companies failed to reply is that they don’t have great security built into the design of their products.

The takeaway here is simple, but important. When you are shopping for a connected device, security should be the first thing you ask about—even before checking out proffered features. The future is as safe as you make it.

Image: istock

The post Are Your Connected Devices Safe? appeared first on Credit.com.

Post Equifax: Will Free Credit Freezes Help?

When Equifax announced the historic data compromise that exposed the sensitive personal information of up to 143 million consumers, the company said victims would have access to credit freezes for a month free of charge. This was not exactly a solution to the fresh hell it had just announced.

Frankly, it seemed like a relatively cheeky move considering the staggering number of people who had just learned that they will be looking over their shoulders for a virtual mugger for the rest of their lives. I wouldn’t be surprised if Saturday Night Live re-creates Equifax’s offer of free credit freezes (for a whole month!) as a classic schoolyard drama featuring a bully holding a stolen bike in front of its owner and offering to give it back for a hefty fee.

My first thought was definitely not, “That seems fair.”

And while I can’t speak to whether there was any discussion of sketch comedy in their process, the Identity Theft Resource Center (ITRC) seems to have had a similar reaction. It launched a change.org petition that urged Experian, TransUnion, and Equifax to let consumers freeze, thaw, and refreeze their credit files, free of charge, once per year.

Sadly, this is not a solution either.

The Legislative Angle

Senators Elizabeth Warren (D-MA) and Brian Schatz (D-HI) recently introduced legislation that would force the Big Three credit bureaus to provide more robust solutions to the 24/7 identity-theft quagmire we now inhabit thanks to the Equifax breach.

One of the main provisos was a legislative version of the ITRC petition: Give all Americans access to free credit freezing (and unfreezing) for life. Additionally, the bill would force the credit bureaus to reimburse any fees collected for freezes purchased after the Equifax compromise was made public.

“Credit reporting agencies like Equifax make billions of dollars collecting and selling personal data about consumers without their consent, and then make consumers pay if they want to stop the sharing of their own data,” Warren said when announcing the bill.

The Freedom from Equifax Exploitation Act is a move in the right direction, a roadmap for the Big Three to provide consumers with more robust fraud protections as well as an additional free annual credit report. (One free report is already a consumer right in the United States. You can check your credit report for free at Credit.com.)

That SNL sketch encapsulates the feeling of the Freedom from Equifax Exploitation Act: credit bureaus shouldn’t be able to profit off the fear generated by their failures to protect our sensitive data.

Freezes Aren’t the Answer

While it is good to get those freezes (if you can figure out how to set them up), a credit freeze is by no means the be-all and end-all answer to the “What now?” reality of 143 million consumers.

Credit freezes do not mitigate all threats.

First of all, you are still vulnerable to attacks on existing accounts. Two easy ways to help diminish this threat are setting up transaction alerts and opting for two-factor authentication wherever it is offered.

You are also more susceptible to spear phishing emails and texts now, since fraudsters now know where you bank, where you have debt, and who financed your car. They no longer have to guess which bank you use, thereby making the whole process of defrauding you much more expedient—a real win for scam artist productivity. Employment and tax fraud as well as medical/healthcare fraud are also real concerns after the breach.

The best course of action given all these variables is to change the way you think about your vulnerability and practice the Three Ms, which I discuss in my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.

  1. Minimize your exposure. Don’t click on suspicious or unfamiliar links; don’t authenticate yourself to anyone unless you are in control of the interaction; don’t over-share on social media; be a good steward of your passwords; whenever offered, opt for two-factor authentication; safeguard any documents that can be used to hijack your identity; and freeze your credit.
  2. Monitor your accounts. Check your credit reports religiously; keep track of your credit scores; review major financial accounts daily if possible (better yet, sign up for free transaction alerts from financial services institutions and credit card companies); read the Explanation of Benefits statements you receive from your health insurer; and seriously consider purchasing a sophisticated credit- and identity-monitoring program.
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and employers.

The Three Ms are not a solution to the threat of scams in the wake of the Equifax hack, but they are a lifestyle change that can help fend off the inevitable attempts to exploit your identity for ill-gotten gain.


The Equifax Breach and the Cybersecurity Silver Bullet

Some time ago, the popular show Mythbusters wanted to find out if the Lone Ranger was right about silver bullets being better than lead ones. Turns out silver bullets are actually slower and less accurate.

When it comes to cybersecurity, quick-fix silver bullets are also less effective than tried-and-true approaches. The most effective cybersecurity strategies begin with two certainties: mistakes will be made, and breaches like the one that hit Equifax will keep happening.

The 143 million consumers exposed in the Equifax breach provide plenty of evidence that there’s still no effective “silver bullet” when it comes to both chronic and acute threats to our collective cybersecurity.

While the Equifax breach is by no means the largest hack to date (that distinction still belongs to Yahoo), it definitely stands out as the breach with the greatest potential to harm its victims.

The Equifax hackers got the most complete data dossiers possible on millions of people. Those dossiers are worth about $30 on the black market and include Social Security numbers, names, addresses, birth dates, and, in some cases, driver’s license numbers. Additionally, the credit card numbers of 209,000 consumers were lifted.

What can be done with this information? Just about every sort of identity theft imaginable.

Credit lines and credit-worthiness can be destroyed overnight, health care records can be polluted with the information of thieves using your benefits illegally, and it can be nearly impossible to get medications filled in a timely manner. Crimes can even be committed in your name, since the thieves have all they need to create a driver’s license with your information and someone else’s photograph.

No Easy Fix

If there were any easy way to solve the data-breach problem, we’d be seeing fewer newsworthy compromises. But as yet, nothing works.

Take, for instance, biometrics. Fingerprints, retina scans, body weight, and shoe size—they offer a great addition to the various ways we authenticate ourselves to the systems storing our data. But they are not a true fix. If a security patch released by a software provider is not installed, as happened in the Equifax breach, it doesn’t matter how many body parts you scan.

Picture the mailboxes in the lobby of a city dwelling—the individual boxes can be opened with one master key so the letter carrier can slot the mail for all the apartments at the same time. It doesn’t matter how well you protect the key for your one apartment’s mailbox if a thief gets access to the master key. The same goes for individual cyber hygiene in the face of a breach.

One of the most promising solutions was once thought to be tokenization—a system of referents that create an impenetrable security trail—but it suffers from the same issue that was behind the Equifax hack: human beings messing up.

Tokenization systems have to be secured and validated using security best practices. That’s where the fallibility part creeps in. Those best practices still need to be implemented by fallible humans with busy lives who have not been told—and consistently reminded—that they are the only solution to the data breach problem.

Data breaches and the identity-related crimes that flow from them are the third certainty in life—right after death and taxes—because there will always be that fallible human element. Education can help mitigate the risks, but even the savviest populace will make mistakes.

Real Solutions

Senator Elizabeth Warren has set her sights on the three credit reporting bureaus, specifically demanding that they offer credit freezes for free. The looming threat of credit hijacking is made possible by the hoarding of information—the credit reporting bureaus’ daily bread. It seems logical, then, that the bureaus should have to pay for the most common crime that data can lead to: credit fraud.

While new laws are good, education is the only real solution.

For many years now I have been advocating a system called the Three Ms, which are the centerpiece of my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.

Practicing the Three Ms continues to be the best way to keep your personally identifiable information from being used in identity-related crimes.

  1. Minimize your exposure. Don’t click on suspicious or unfamiliar links; don’t authenticate yourself to anyone unless you are in control of the interaction; don’t overshare on social media; be a good steward of your passwords; opt for two-factor authentication whenever it’s offered; safeguard any documents that can be used to hijack your identity; and freeze your credit.
  2. Monitor your accounts. Check your credit reports religiously (you can check your credit report for free on Credit.com); keep track of your credit scores; review major financial accounts daily if possible (better yet, sign up for free transaction alerts from financial services institutions and credit card companies); read the Explanation of Benefits statements you receive from your health insurer; and seriously consider purchasing a sophisticated credit- and identity-monitoring program.
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and employers.

The odds of President Trump giving his entire fortune to the NAACP are probably better than the chances that we’ll be experiencing fewer big breaches in the future. An individual’s security protocol is only so useful, but an individual’s actions make all the difference.


Your Equifax Download: What You Need to Know about the Equifax Hack

Everyone knows a mosquito bite doesn’t really start itching until the damage has already been done, and the same goes for many kinds of identity-related crimes. With news of the recent Equifax breach continuing to surface, what do you need to know now to limit your exposure?

Equifax has estimated the hack impacts 143 million people, mostly in the United States. (That’s almost half the US population!) The thieves stole names, Social Security numbers, birth dates, addresses, and driver’s license numbers.

Each item of personally identifiable information (PII) is like an ingredient for a recipe. The more ingredients you have, the more recipes you can prepare. Similarly, the more pieces of PII exposed, the more kinds of fraud thieves can commit. If there were a fraud equivalent of The Joy of Cooking, thieves just got access to all the ingredients necessary to make every recipe in the book.

The Problem with Freezing Your Credit Report

The New York Times reported still more bad news in the wake of the Equifax announcement.

The credit freeze service the credit bureau offered (initially for a fee, until it finally decided to provide it free for 30 days) generated PINs that were based on the time and date the PIN was created. These PINs are required to release the freeze whenever you need to grant access to your credit files in connection with a loan, an apartment rental, or a job application (where permitted by law). Unfortunately, they’re laughably easy for a hacker to guess before then.
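To make the PIN weakness concrete, here is an added example (mine, not the article’s and not Equifax’s code) that compares the number of guesses a time-derived PIN forces against a PIN of the same length drawn from a cryptographic random number generator. The minute-level resolution and one-year creation window are assumptions, not the actual format Equifax used.

```python
import math
import secrets


def pin_entropy_bits(keyspace: int) -> float:
    """Guessing entropy, in bits, of a PIN drawn uniformly from `keyspace` values."""
    return math.log2(keyspace)


def timestamp_pin_keyspace(window_seconds: int, resolution_seconds: int) -> int:
    """Candidate set size for a PIN derived from its creation time.

    Assumed model (not the actual Equifax scheme): the PIN encodes the creation
    time at `resolution_seconds` granularity, and a guesser knows the creation
    time to within `window_seconds`. The number of displayed digits is
    irrelevant; only the number of distinct timestamps in the window counts.
    """
    if window_seconds <= 0 or resolution_seconds <= 0:
        raise ValueError("window and resolution must be positive")
    return max(1, math.ceil(window_seconds / resolution_seconds))


def random_pin_keyspace(digits: int) -> int:
    """Candidate set size for a PIN of `digits` decimal digits drawn from a CSPRNG."""
    return 10 ** digits


def generate_pin(digits: int = 10) -> str:
    """Issue a PIN from the OS CSPRNG, zero-padded so leading digits carry entropy too."""
    return f"{secrets.randbelow(10 ** digits):0{digits}d}"


def compare_schemes(digits: int = 10,
                    window_seconds: int = 365 * 24 * 3600,
                    resolution_seconds: int = 60) -> dict:
    """Summarise how many guesses each scheme forces for the same visible PIN length."""
    weak = timestamp_pin_keyspace(window_seconds, resolution_seconds)
    strong = random_pin_keyspace(digits)
    return {
        "timestamp_candidates": weak,
        "timestamp_bits": round(pin_entropy_bits(weak), 1),
        "random_candidates": strong,
        "random_bits": round(pin_entropy_bits(strong), 1),
        "random_is_stronger_by": strong // weak,
    }


if __name__ == "__main__":
    # Under the assumed model a ten-digit time-derived PIN has ~19 bits of
    # entropy within a one-year window; a ten-digit CSPRNG PIN has ~33 bits.
    print(compare_schemes())
    print("sample CSPRNG PIN:", generate_pin())
```

The displayed length of a PIN says nothing about its strength; what matters is how many values the issuing process can actually produce.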

The bigger problem is that a freeze needs to be in place at all three reporting agencies in order to be effective. As credit expert John Ulzheimer told the New York Times, putting a freeze on your credit with only one reporting agency is “like locking one of three doors in your house and leaving the other two unlocked. You’re hoping the thief stumbles on the locked door.”

Types of Fraud to Be Aware Of

The hackers also made off with 209,000 credit card numbers and 182,000 credit dispute documents containing personally identifying information.

In August, there was a spike in credit card fraud, according to the New York Post. It seemed odd to security experts at first, since credit card fraud typically increases around the holidays. The Equifax news seems to provide an explanation for the statistical oddity. “We saw a 15% increase in the overall fraud attempts in our system in August, which is an unusual time of year to see such a spike,” said Liron Damri, cofounder of Forter, a fraud-prevention service for online retailers.

But the threat goes way beyond maxed-out credit cards, fraudulent credit applications, and tax-refund fraud. With Department of Motor Vehicle information also in play, the risks are elevated. A fake ID made out in your name could cause you to get arrested for an outstanding warrant. In the realm of identity-related fraud products, a fake driver’s license is a luxury item for sure, but it’s still one that could hurt you if a scammer provides your information on a fake license the next time they’re pulled over for speeding or collared for a crime.

And then there’s the serious risk of medical-identity fraud. Consumers could see delays in prescription fulfillment because of fraudsters using their health care information. Worse, consumers may not be covered for health care expenses until they are able to prove they are who they claim to be using the same information that the crooks used—a frustrating and often complicated process.

Legal Remedies

One can only assume there will be lawsuits galore. In fact, one enterprising person has already automated the process. A robot lawyer is on the case, allowing consumers to automatically file a claim against Equifax in small claims court.

According to the Verge, consumers are still able to join class action suits while pursuing a small claims court remedy.

“Even if you want to be part of the class action lawsuit against Equifax,” the Verge reported, “you can still sue Equifax for negligence in small claims court using the DoNotPay bot and demand maximum damages. Maximum damages range between $2,500 in states like Rhode Island and Kentucky to $25,000 in Tennessee.”

Protecting Yourself Now

To say that the Equifax PIN assignment process was incompetent is an understatement. Nevertheless, it is a teachable moment. While it’s okay to hope that your services and vendors will do things right, you need to stay vigilant. And this should go without saying: if you can change privacy and authentication settings on a product or service, do it. If that’s not possible, perhaps you should consider finding a new vendor or service.

The easiest way to protect yourself, in my opinion, is by using a system called the “Three Ms.” The Three Ms is the centerpiece of my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves, and the approach continues to be the best way to keep your personally identifiable information from being used in identity-related crimes.

And they are simple:

  1. Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t overshare on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit.
  2. Monitor your accounts. Check your credit report religiously, keep track of your credit score, and review major accounts daily if possible. (You can check your credit report for free at Credit.com.) If you prefer a more laid-back approach, sign up for free transaction alerts from financial services institutions and credit card companies, or purchase a sophisticated credit- and identity-monitoring program.
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly, and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and HR departments.

Your Chances of “Getting Got”

Scammers pay around $30 per complete ID dossier on the black market. With 143 million packets available through the Equifax breach, that’s more than 4 billion dollars’ worth of information. Though it may not seem so at first glance, this could actually be good news for you: your chances of “getting got” decrease with an increase in available targets.

Odds aside, though, Equifax is not the first, nor will it be the last, breach of note. Being prepared and alert is still the best remedy, because breaches have become the third certainty in life—right behind death and taxes.

A final tip: check with your insurance company, financial services institution, or employer. You may already have access to identity protection and resolution services, which is your best bet when it comes time to navigate the identity theft quagmire.


How to Avoid Scams in the Wake of the Storm

You’ve seen the dramatic footage of rescues and calamities, shots of stranded families, pets, and wildlife—even giant carp—and you’ve probably had the same reaction many other Americans had the past few weeks: “How can I help?”

There are myriad ways you can ease the suffering and hardship being experienced in the wake of Hurricane Harvey, but there are also a number of pitfalls to watch out for.

It is quite easy to fall prey to scam artists who come out in full force whenever a disaster of this magnitude occurs. In fact, the National Center for Disaster Fraud (NCDF) was instituted after Hurricane Katrina with a mission to hold post-disaster scam artists in check.

“Unfortunately, criminals can exploit disasters, such as Hurricane Harvey,” a recent NCDF release warned. These criminals have one goal: to get rich (or less poor) quick by sending crooked communications—and it doesn’t matter if it is via SMS, email, social media, or fraudulent websites designed to solicit contributions.

Several state attorneys general have sent out similar communiqués over the past week. If you want to help but are worried about scams, we’ve outlined best practices for you here.

What to Avoid

There are many ways a scam can go down. It’s worth bearing in mind that, just as you go to work, these criminals are also “going to work”—but their job is conjuring up new and ingenious ways to garner ill-gotten gains.

Phony Websites: One ploy that happens every year is in connection with the annual registration of storm names. Each spring, when the National Weather Service announces the roster of storm names, phony websites are registered using those storm names. These are hedges. Should the particular storm occur, the scammer is ready with a website purporting to collect relief funds—but in this case, it is relief from the criminal’s unbearable urge to separate you from your money, and, worse, your desire to help.

Crowdsourcing: Another common ploy is the GoFundMe page. Sometimes these pages are legitimate, but it’s up to you to do the research to figure that out. Crowdsourcing sites like GoFundMe provide you with the means to communicate with the organizer requesting funds, and you should always do so before donating.

Just because you saw the story of a particular person’s horrendous plight on the news doesn’t mean the GoFundMe campaign is legitimate. Scam artists saw the same segment. If you have any questions about a particular page, you should contact the crowdsourcing site directly in addition to the organizer of the campaign that you’d like to help.

Email Appeals: Do not reply to email appeals. Don’t do it if it’s an organization that you’ve given money to over and over. Don’t do it even if it’s your mom. Just don’t do it. The chances that you’re being baited into a phishing scam are high. It’s easier and safer to delete that message and type the URL of whatever charity is making the appeal into a securely connected internet browser instead.

The same goes for emails that link to images of a storm’s aftermath. Do not click those links.

Forwarded Emails: Never click on links emailed to you about big news events, even if they come from friends or family, unless you confirm with the sender that they actually sent the link. But, even then, be wary. They may just be forwarding a malware-laden email they received from someone they thought they knew (who was a scammer masquerading as the person they thought they knew). Email accounts can be spoofed, and any identity thief worth their salt can quickly and easily scam you using this method.

Never forget, if a scammer can get you to click on the right malware, they can drain your bank accounts or available credit, open accounts in your name, take advantage of your access to health care, divert your tax refunds, or commit other crimes in your name.

It’s also important to watch out for relief-related fraud. There have been multiple reports of people impersonating FEMA inspectors, insurance inspectors, and representatives of the National Flood Insurance Program. These impersonators perform another form of fraud—filing claims for relief money in your name.

Better Bets

If you’re looking for vetted places where your money will do the most good, there are many legitimate sources of information about helpful organizations.

If you see a story that interests you, get in touch directly with the organization or person featured. In our connected society, this is almost always possible, and it cuts out the risk of “getting got” by someone in the middle looking to take your money and run.

Before you submit your payment, make sure the charity you selected can actually deliver relief to victims. There are legitimate charity efforts that simply cannot deliver, often due to a lack of on-the-ground resources. Check to see if the charity you’re interested in already has operations in place, and if they don’t, find one that does.

If you’re worried you may have been the victim of identity theft or credit card fraud, you’ll want to check your bank accounts and credit reports regularly for suspicious activity. You can check your credit report for free at Credit.com.


Steps for Protecting Your Personally Identifiable Information at Home

Someone could be spying on you right now and you might not even know about it.

The only reason you have not yet been the victim of an identity-related crime (and that includes credit card fraud) is that no one practiced in the art has had the opportunity to separate you from your available credit, health care, or other bankable soft assets—yet.

The figures on data compromises vary, but Risk Based Security estimates that just last year more than 4.2 billion sensitive records were compromised—information that opens the door to all kinds of identity-related malfeasance, including account takeover, credit draining, theft of health care, and even the commission of a crime in the victim’s name.

To put it bluntly, your chances of avoiding fraud are right up there with winning it big at a bingo convention in Florida—slim to none.

Hopefully this is not news to you. If it is, read on for tips on how to protect yourself against identity theft.

Familial Identity Theft

Unless you’ve been pulling double shifts in a pyramid guarding one of the lesser-known pharaohs, you already know the basics about protecting yourself against the threat of ID theft. You never answer the phone by saying “Yes,” no matter what the interlocutor says (thieves steal voiceprints to authenticate your accounts and take them over), you use two-factor authentication whenever it’s offered, and your long-and-strong passwords are never used to access more than one account.

But here’s a factor you may not be protecting yourself against: the various ways you are vulnerable to identity theft at home.

The Identity Theft Resource Center has provided a comprehensive guide for navigating the problem of familial identity theft—that is, when a friend or a family member steals your identity.

While no one can be completely protected from identity theft, there are things you can do to safeguard yourself against this particular approach. First, you can practice the three Ms that I first introduced in my book, “Swiped: How to Protect Yourself in a World Full of Scammers, Phishers, and Identity Thieves.”

  1. Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t overshare on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and consider freezing your credit.
  2. Monitor your accounts. Check your credit report regularly (you can check your credit report for free on Credit.com), keep track of your credit score, and review major accounts daily if possible. If you prefer a more laid-back approach, sign up for free transaction alerts from financial services institutions and credit card companies or purchase a sophisticated credit- and identity-monitoring program.
  3. Manage the damage. Make sure you quickly get on top of any incursion into your identity and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and HR departments.

Minimize Your Exposure to Identity Theft at Home

Regardless of your income and regardless of your likeability, someone you know is probably willing and able to steal your identity. To stave off that eventuality, you need to practice the first M: Minimize your exposure at home.

Consider what kind of personally identifiable information (PII) lives with you in your home—everything from tax returns to password cheat sheets. Now think about where these things are stored.

If you are like most people, your tax returns are at best kept in a locked filing cabinet with the key hidden in a not-too-paranoid spot nearby. For many more people, even that modest arrangement would be a step up, because the real-world version is a cardboard box in a closet. Maybe it’s time to rethink that cardboard box.

The individuals who are regularly in and out of your house, and those who live in your house, are in a position to know what you have, where you have it, and the most opportune moments to steal it. It may be only a matter of time before they use that barely hidden key, or simply take that cardboard box.

Who are we talking about here? Literally anyone who can get in your house. And don’t think for a moment it matters if you’re at home, because the most sticky-fingered among us can rob us blind on a trip to the bathroom.

Our homes are not perfect sanctuaries, as much as we would like to think they are. Repair people come through, utility meters need to be read, we hire babysitters and housekeepers, friends and relatives come by to visit: all of them are potential ID thieves.

What You Can Do

There are a variety of things you can do to safeguard your PII in your home and minimize your attackable surface.

  • Miniaturize your data. Not only is a mountain of paperwork hard to store, it is also increasingly unnecessary. Get into the habit of scanning or even photographing your documents and then shredding the hard copies. Create two or three copies of the digital files—and make sure one of them is stored somewhere other than your house, since fires and other cataclysmic events do happen.
  • Use encrypted external storage. Whether you choose a thumb drive, a cloud server, or an external hard drive, store your PII digitally in an encrypted form. And it’s always better to choose a device that offers rich security features, like biometrics or two-factor authentication.
  • Invest in a safe. Once the exclusive equipment of rich folks, safes are now very affordable. They are a great place to store all that miniaturized data. Get one that is fireproof and has a biometric element (like a fingerprint scan) to further protect your information.
  • Employ two-factor data management. Keep your data in more than one place. An encrypted drive can be left even with your least trustworthy relative, because without the passphrase it is useless to them. Just make sure you have a backup somewhere else; if you have a safe-deposit box, that’s probably the best bet.
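
As an added example, not code from the original post, here are the “miniaturize” and “encrypt” bullets above as a pair of shell functions around OpenSSL’s symmetric encryption, plus the round-trip check worth running before the paper goes through the shredder. It assumes `openssl` 1.1.1 or newer on the PATH; the file names in the comments are placeholders, and the passphrase is read from an environment variable, `DOC_PASS` (a name chosen for this example), so it never appears on a command line where other users of the machine could see it.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl 1.1.1+ on PATH.
# The passphrase is taken from $DOC_PASS so it never shows up in the process list.

# Encrypt a scanned document: AES-256-CBC under a key derived from the passphrase
# with PBKDF2 (600k iterations) and a random salt, so a thief who finds the thumb
# drive gets only ciphertext and has to guess the passphrase to get anything.
encrypt_doc() {       # $1 = plaintext scan, $2 = encrypted copy for the drive / cloud
    openssl enc -aes-256-cbc -pbkdf2 -iter 600000 -salt -md sha256 \
        -in "$1" -out "$2" -pass env:DOC_PASS
}

# Reverse of encrypt_doc. Exits non-zero when the passphrase is wrong.
decrypt_doc() {       # $1 = encrypted copy, $2 = where to write the plaintext
    openssl enc -d -aes-256-cbc -pbkdf2 -iter 600000 -md sha256 \
        -in "$1" -out "$2" -pass env:DOC_PASS
}

# openssl enc gives confidentiality only, not tamper detection. Record a digest of
# each ciphertext in a manifest kept away from the drive so a corrupted or swapped
# file is noticed before the day the original is actually needed.
fingerprint() {       # $1 = file; prints its SHA-256 as 64 hex characters
    openssl dgst -sha256 -r "$1" | cut -d' ' -f1
}

# Round-trip check before the paper copy is shredded: decrypt to a temp file and
# compare byte for byte. Returns 0 only if the encrypted copy is actually usable.
verify_roundtrip() {  # $1 = original plaintext, $2 = encrypted copy
    tmp=$(mktemp) || return 1
    if decrypt_doc "$2" "$tmp" && cmp -s "$1" "$tmp"; then rc=0; else rc=1; fi
    rm -f "$tmp"
    return $rc
}

# Typical use (all paths are placeholders):
#   export DOC_PASS='a long passphrase typed once and never stored next to the drive'
#   encrypt_doc ~/scans/2016-tax-return.pdf /media/thumb/2016-tax-return.pdf.enc
#   verify_roundtrip ~/scans/2016-tax-return.pdf /media/thumb/2016-tax-return.pdf.enc \
#       && fingerprint /media/thumb/2016-tax-return.pdf.enc >> ~/offsite/MANIFEST.sha256 \
#       && shred -u ~/scans/2016-tax-return.pdf   # destroy the plaintext only after the check passes
```

Two points a practitioner will want to keep in mind: `openssl enc` does not authenticate the ciphertext, so the digest manifest is the only thing that tells you a file on the drive or in the cloud has been altered, and it belongs with the off-site copy rather than on the drive it describes; and the passphrase must never be written on, or stored beside, the drive, or the encryption protects nothing.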

At the end of the day, you are the only one with access to the data points needed to figure out precisely how vulnerable you are to identity theft. If you think like a thief, you will be pointed in the right direction.

Image: shapecharge

The post Steps for Protecting Your Personally Identifiable Information at Home appeared first on Credit.com.

12 Places Your Data May Not Be Safe (And What You Can Do)

Someone could be spying on you right now and you might not even know about it.

Data compromises and the identity-related crimes that flow from them are now the third certainty in life, right behind death and taxes. That said, there is plenty you can do to stay as crime-proof as possible.

According to Risk Based Security, more than 4.2 billion records were compromised worldwide in 2016 alone. In truth, the total number of compromised records is unknowable. Here’s what you do need to know: it is a near certainty that most, if not all, of your personal identity portfolio is already “out there.”

How to Keep Your Personal Information Safe

Identity theft is a catch-as-catch-can endeavor. Where there is a will, there is almost always a way. In fact, many, if not most, of us have already been compromised either by a breach or as a result of obsessive (and excessive) overexposure on social media. Enough of our personally identifiable information (PII) is readily available on the web to make us easy targets for phishing attacks and identity-related crimes.

Thankfully, identity theft is often a crime of opportunity. All that vulnerable information still needs to be accessed, which may require more effort than your average identity thief is willing to expend. This is why it’s important to keep your data safe from those opportunistic hands.

Here’s what you need to bear in mind at every turn: It’s likely that you’re going to “get got” with PII that hasn’t been compromised . . . yet.

Though it may seem like a lost cause, you can make yourself a harder target to hit. First, you should follow the three Ms:

Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t overshare on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and consider freezing your credit.
Monitor your accounts. Check your credit report regularly, keep track of your credit score, and review major accounts daily if possible. If you prefer a more laidback approach, sign up for free transaction alerts from financial services institutions and credit card companies or purchase a sophisticated credit and identity monitoring program.
Manage the damage. Make sure you quickly get on top of any incursion into your identity and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and HR departments.

Where to Check Your PII

To minimize your exposure to identity thieves, you’ll want to evaluate places that may not be making the security of your PII a priority. Here are twelve places that may not be keeping your personal data safe.

1. Small businesses: Mom-and-pop shop owners have a lot on their plates, and managing your personal data isn’t necessarily on the front burner. Whether it’s the company that fills your oil tanks, a lawn service, or a local store where you have a tab, ask how they store your information. If they give you a vague answer, ask them to erase whatever they have—and watch them do it, if possible.
2. Children’s sports leagues: Children’s sports leagues need basic information to enroll your child, including medical contacts, names, addresses, emergency contact information, and other data points that can be used in identity-related crime. If you get a vague answer about data storage, ask them to erase whatever they have.
3. Doctors and dentists: You ever see those color-coded files sticking out of open metal cabinets at a medical provider’s office? They contain all the information needed to steal your healthcare services, compromise your financial accounts, or file fake tax returns and divert your refunds. If you see something, say something. Either way, ask your medical professionals how they store your records and request that they be stored securely.
4. Veterinarians: You might not think that your vet’s office could be a point of vulnerability. Worse yet, the possibility of data compromise may not have occurred to your vet, either. Ask how they store your data. Chances are good they will improve their methods once they understand the immediate consequence of lost business for failing to do so. If they don’t respond, ask for your file and vamoose.
5. Gyms and fitness clubs: Increasingly, fitness clubs are on the ball when it comes to data security, but you’ll still want to ask how they store your information. If they don’t have a satisfactory answer, you may want to consider looking for a different gym.
6. Educational institutions: Many people contribute to the care and education of our children. Unfortunately, not all of them are educated in the ways of cyber hygiene, which is why it matters how your child’s information is stored by these institutions. Always ask about it and request that your child’s information be stored securely. Once it no longer makes sense for a particular institution to have personal information about your children, ask that they delete their records.
7. Accountants: While bigger accounting firms are liability-minded, smaller firms and one-person operations may not be as up to date on cybersecurity best practices. In addition to having hard copies of your files, which contain extremely sensitive personal data, your accountant has to send electronic files to the IRS and other state agencies that collect your taxes. Make sure they are using secure networks and store your files securely. If they don’t, it’s in your best interest to look for a more secure accountant.
8. Lawyers: If you’re worried about the amount of sensitive data residing with your accountant, take a moment to reflect upon the sort of personal information that resides with your attorney. It’s okay to have a direct conversation about their data security practices. If there is any pushback, take your business (and your data) elsewhere.
9. Real estate agents: While they may not have a lot of your PII, real estate agents have enough for a thief to get a foothold into your mineable credit. If your agent gives you a vague answer about how they handle sensitive information, don’t give them any—or limit what you share to the bare minimum required.
10. Car dealerships: Car dealerships are focused organizations. While their employees know a great deal about closing deals, they may not know how to close the gates to ID thieves—and because they offer credit, they are in possession of the skeleton key to all your finances: your Social Security number. Make sure it’s safe. You’ll want to check with any other retailers that offer credit as well, since they will also have access to your SSN.
11. Travel agencies: In order for travel agents to do their job, they likely need your name, address, date of birth, contact info, emergency contact information, license or passport number, and credit or debit card number. You need to know how long they will keep it and how they will store it. If you are not satisfied with their explanation, cruise on over to someone else.
12. Home: Your domicile is an El Dorado of personal information, and you need to be able to protect those riches. Store all of your most-sensitive documents in a secure, fireproof location. Better yet, scan and store them in an encrypted, password-protected thumb drive.

Never forget, the ultimate guardian of the consumer is the consumer. No one cares more about the protection of your personally identifiable information and your financial security than you do.

Image: shapecharge

The post 12 Places Your Data May Not Be Safe (And What You Can Do) appeared first on Credit.com.

The Hidden Cost of Verizon’s ‘Free’ Rewards Program: Your Data

Free rewards programs can actually cost you in terms of privacy.

With the announcement of Verizon Up, a new wireless rewards program that provides users with customer incentives, first-dibs opportunities on things like VIP tickets and other exclusive deals, we thought it was time to review how reward marketing plans work.

First, the good news: Verizon Up is free!

Like their intrusive cousin the loyalty program, reward-based marketing schemes usually require no additional fees. In essence, Verizon Up is a camouflaged version of what author Seth Godin calls “permission marketing.”

Now the bad news: Nothing is free. Verizon is making you pay with your personal information instead of money. But make no mistake: They’re going to profit more than you will from the arrangement. (Note: Verizon did not return our request for comment.)

Never were the words of the German philosopher Georg Wilhelm Friedrich Hegel more prescient: “To be free is nothing, to become free is everything.” Translation: In the world of big data, there’s no such thing as “free.” If a company offers you something for your data, you’re the product. They are monetizing your information.

The eligibility requirements on Verizon’s website make this clear. Opting in enables Verizon to personalize marketing sent your way by them, and by other companies, using your data.

What Data?

These days “your data” is pretty much anything marketing companies can get their hands on. If you belong to a gym, it may be selling that fact to a third party, and with it possibly more data about how often you go and anything you bought there to enhance your workout.

If you use a mobile phone, your data could include everywhere you have gone and quite possibly what you discuss via text. Even if you don’t use a navigation app like Waze, your location history reveals how fast you drive, which in the wrong (or right) hands could affect the rates you pay for car insurance, never mind the possibility that law enforcement could one day claim jurisdiction in the realm of cyberspace-clocked speeding tickets.

When it comes to your data, the goal is to create a granular portrait of you — your interests, likes, dislikes, passionate yearnings — all of it prepared and arranged for resale to companies and organizations hoping to match products and services with various aspects of your personality.

How Specific Does This Get?

The kind of information the big data companies have — what constitutes “your data” — depends on your privacy hygiene. The less you share, the fewer times you opt in, the more privacy you will enjoy.

Companies like to incentivize the sharing of personal data. Sometimes it’s by creating something fun, like a toy or gaming experience. The lure of social media is hard to resist but every like and comment becomes part of your sellable data.

If you’ve ever signed up for a loyalty program, everything you’ve purchased will be included under the heading of “your data,” providing a very specific window into your life, not just simple stuff like your gender and age — they already know that — but your health and habits based on what you buy. And of course, your credit card companies know more about you than almost anyone else — including, probably, you. (You can get an idea of what they see about you with a free credit report snapshot on Credit.com.)

Nothing to See Here

Remember the story about the emperor’s new clothes? Basically, he didn’t have any. That’s the deal here. And while Verizon is not alone in perpetrating a consumer data grab, their recent announcement makes them today’s blue-plate special.

As is the way with this kind of offer, Verizon Up will provide users with some perks, but for what? And is it a fair swap?

To be clear, whenever the right to use your data, without limitation, is the ask, saying “yes” is never going to be the answer I recommend. It doesn’t matter what you’re getting for it. In this case, Verizon is asking to monetize the data on products and services that you use (and pay for) as well as far more personal stuff, “including location, web browsing and app usage.”

Does this mean it doesn’t matter if your iPhone’s Safari browser is set to “Private”? As far as your carrier is concerned, yes: Private Browsing only keeps history off the device. For any traffic that doesn’t travel through a virtual private network, your internet service provider can still see which hosts you connect to (through your DNS lookups and the server name sent at the start of each HTTPS connection), even though HTTPS hides the contents of the pages themselves. So the list of places you go online is still visible to Verizon, and still sellable to a third party, no matter how private the browser window.

It doesn’t matter. Get in the habit of saying no.

When it comes to privacy, you need to be your own advocate. As Toni Morrison said, “Nothing and nobody is obliged to save you but you.”

Image: serdar_yorulmaz

The post The Hidden Cost of Verizon’s ‘Free’ Rewards Program: Your Data appeared first on Credit.com.

The Apps Your Partner Could Be Using to Spy on You

Someone could be spying on you right now and you might not even know about it.

“These apps are brutal,” Ondrej Krehel told me during a conversation about spyware, or “spouseware” as the software is sometimes called.

“It doesn’t matter what ‘intended use’ these app developers claim in their sales pitches. They are increasingly being used by teens to spy on their love interests,” Krehel said. “It’s quite prevalent.”

Krehel is CEO and founder of LIFARS, a digital forensics and cybersecurity intelligence firm. He sees spyware as a concern for consumers.

“The malware that is used to spy on terrorists and other criminals is not too different from the spyware currently marketed to consumers — although it has fewer features,” Krehel said.

What ‘Spouseware’ Can Do

FlexiSpy, mSpy and Mobile Spy are some of the names in the consumer spyware app business. The applications make it possible to monitor virtually every communication made on a targeted smartphone or computer.

The various spyware, or spouseware, apps available on the market can let users see absolutely everything that happens on a device. It’s like a surveillance camera pointed at the user’s screen.

Here’s an at-a-glance list of what kind of information would-be spies can see:

  • All social media
  • Snapchat
  • Encrypted messaging apps like WhatsApp
  • Dating Apps
  • Text messages
  • Calls
  • Real-time GPS location

At $29.99 a month, pretty much anyone can be a spy. mSpy alone has more than a million users.

The stories of stalkers, jilted lovers and overzealous admirers are legion. In 2014, NPR reported that 85% of 72 domestic violence shelters they surveyed said they were working with victims whose abusers tracked them with GPS. Seventy-five percent said they had worked with victims whose abusers used hidden mobile apps to eavesdrop on them remotely.

While there is sadly no shortage of stories out there, most are told under the cloak of aliases. Although largely anecdotal, Krehel told me the misuse of spyware among teens was without doubt a growing problem.

“I would say 30% of the spyware users out there are young guys spying on their girlfriends,” he said.

The end user agreements are clear. These apps are to be used for legal purposes only. The marketing is not pointed at monitoring fidelity, but rather what a child is getting up to or as an enterprise tool for managing employees.

The app developers make it clear that any monitoring made possible with spyware should be done with the consent and knowledge of the party whose device is being tracked.

MSpy’s user agreement says: “User acknowledges that the Software shall be used for the purpose of monitoring, tracking and obtaining access to certain devices as cell phone and computer (including, but not limited to, email and text messages) of children and employees and other device owners with their consent hereto, including through the use of devices, on which the Software is installed.”

It is illegal to spy on someone without their consent. The problem here is that while it’s illegal, the penalties are not very serious. Krehel stated that while a person might get a 30-day jail sentence or pay a fine, the damage inflicted is sometimes life-changing, with victims and the people in touch with them suddenly finding themselves in divorce proceedings, losing jobs or even committing suicide.

What to Do

As with all things security-related, it is good practice to assume that the unimaginable — or in this case the prevalent — can happen to you, too. It’s also wise to take the necessary measures to prevent it.

  • While some monitoring products can watch an Apple device remotely, by logging into its iCloud account and pulling the backups, most often physical possession of the device is required. Never surrender your device to anyone, or leave it unlocked and unattended.
  • Don’t assume your passwords are unknown to those closest to you.
  • Never share your cloud credentials: with them, a monitoring service can read your backups without ever touching the device.
  • Protect your passwords and change them whenever you suspect someone else may know them. Biometric unlock keeps a shoulder-surfer from learning your passcode, but it supplements the passcode rather than replacing it.
  • Don’t assume that just because you don’t see a spyware app on your device that it isn’t there; these apps hide their icons. Review the full list of installed apps in the device settings (on Android, also check which apps hold device administrator and accessibility privileges, since monitoring apps depend on those), and become acquainted with the products out there.
  • If you suspect you’ve got spyware on a device, save what needs to be saved on an external drive and wipe the device, restoring the factory default settings, then set it up as new rather than restoring everything from the old backup. Bear in mind that some implants live in firmware rather than in the storage a factory reset wipes (the NSA has been reported to place its exploits directly in device hardware), and a reset won’t help you against those.
  • To further guard against fraud and identity theft, monitor your credit for any suspicious changes. You can get a free credit report snapshot on Credit.com.

It’s rough out there for people concerned about their privacy, but being alert goes a long way.

Image: shapecharge

The post The Apps Your Partner Could Be Using to Spy on You appeared first on Credit.com.

Is Your Gym Exposing More Than Your Abs?

The gym is a great place to burn off steam — and to get scammed.

When Apple announced a serious flaw in the Wi-Fi chip of its devices last week, and the critical security patch that addressed it, my first thought was perhaps arbitrary: “That exploit would work at the gym.” My next thought: what else would?

The discovery of a vulnerability affecting hardware (specifically the firmware of the Wi-Fi chip in Apple devices, a component separate from the main processor) was serious news. The flaw makes it possible for an attacker within radio range to “execute arbitrary code on the Wi-Fi chip.” A similar vulnerability was announced and patched on the Android platform earlier in the month.

The gym is often seen as a safe space to burn off steam, clear your head and boost your heart rate but it can also be dangerous. The gym stores a lot of personal information and is filled with strangers in close proximity to one another. Because of this, it’s important to think about more than building physical strength — building cyber strength is crucial to making yourself a harder target to hit.

Here are a few things to make your next trip to the gym as scam-proof as possible.

How Is Your Personal Information Stored?

Your gym can require and request a ton of personal information: your Social Security number, driver’s license number, credit and banking information, your home address, and in some cases your medical or health information. When in the hands of the wrong person, this information can lead to identity theft and major breach of privacy.

Your job is to reduce your attackable surface and watch out for scams.

The first question you should ask is how your information is stored, and who has access to it. Don’t accept a vague answer. “I’m not sure” might indicate an ill-informed point of contact at the front desk or, worse, a total lack of data security. Don’t be surprised if everyone who punches the clock at your gym has access to your information.

Because of this, it’s important to think about what kind of information your gym has and why they need it. Try to limit what information they get, even if it is “required.” While the gym needs to identify you, they don’t need much data to do that. It’s your job to give them the bare minimum they need.

Juice Jacking

Be wary of charging your devices at the gym. Simply plugging your phone into the wall can make you vulnerable to juice jacking, a cyberattack where a charging port does double duty as a data connection that either steals user data or downloads malware to steal it at a later time.

Though it seems unlikely, if your gym’s owner isn’t up to date with scams, the gym may unwittingly allow a hacker to install a data-stealing kiosk for members to use.

Always pay attention to phone pop-ups. Both iOS and Android now guard against this: an iPhone asks whether to “Trust This Computer” before it exchanges data over the cable, and Android charges only, with no data connection, until you choose file transfer. But those prompts can be distractedly tapped away and ignored, thus opening the door to an intruder.

If you want to reduce the risks while charging your devices at the gym, use a charge-only cable or a USB “data blocker” adapter, which passes the power lines but not the data lines. You can rule out juice jacking entirely by plugging the AC adapter your device came with into the wall outlet, or by carrying a backup battery.

Public Wi-Fi

Here’s another way your devices can leave you vulnerable to attack. Signing on to your gym’s public Wi-Fi can be risky, as is the case whenever you log on to any public Wi-Fi network. Another thing to remember: an attacker does not need the gym owner’s permission to set up a Wi-Fi network labeled with the gym’s name, and your phone cannot tell the impostor from the real thing.

Beyond the fake network, there’s the threat of a man-in-the-middle attack: whoever controls the network you joined, legitimately or not, sits between you and every site you visit and can read or alter any traffic that isn’t protected by encryption.

If you are going to log on to the Wi-Fi at your gym, make sure every site you use loads over HTTPS (the padlock next to the URL; most browsers no longer color it green), never click through a certificate warning, because on an untrusted network that warning is exactly what an interception attempt looks like, and think long and hard before visiting destinations like banks, credit cards and the like that require or provide access to sensitive information. Using your phone’s cellular data, or a VPN, takes the gym’s network out of the picture altogether.
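
As an added example, not from the original post, of what the padlock and the certificate warning actually check: the shell functions below use OpenSSL to stand up a throwaway root CA, issue a certificate for a placeholder hostname the way the genuine site would hold one, and forge a self-signed certificate for the same hostname the way a man-in-the-middle on a fake gym network would, then run the chain-and-hostname validation a browser performs before it shows the lock. Only the CA-issued certificate passes; the forged one, and a hostname mismatch, fail, and that failure is the warning the paragraph above tells you never to click through. It assumes `openssl` 1.1.1 or newer; the CA name, hostnames and file names are placeholders.

```shell
#!/bin/sh
# Added example, not code from the original post. Assumes openssl 1.1.1+ on PATH.
# Every name below (Gym Demo Root, bank.example, evil.example, file names) is a placeholder.

# A throwaway root CA, standing in for one of the roots your browser ships with.
make_ca() {           # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Gym Demo Root" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# A certificate for hostname $2 signed by that CA: what the genuine site presents.
issue_cert() {        # $1 = dir, $2 = hostname, $3 = file base name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$3.key" -out "$1/$3.csr" 2>/dev/null &&
    openssl x509 -req -in "$1/$3.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days 1 -out "$1/$3.pem" 2>/dev/null
}

# A self-signed certificate for the same hostname: all an interception box on a
# rogue access point can produce, because it holds no key your browser trusts.
forge_cert() {        # $1 = dir, $2 = hostname, $3 = file base name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$1/$3.key" -out "$1/$3.pem" 2>/dev/null
}

# The check a browser runs before it shows the padlock: the certificate must chain
# to a root in the trust store ($2) and its name must match the host you asked for
# ($3). A non-zero result here is what the "certificate warning" is reporting.
chain_ok() {          # $1 = certificate, $2 = trusted roots file, $3 = expected hostname
    openssl verify -CAfile "$2" -verify_hostname "$3" "$1" >/dev/null 2>&1
}

# Walk-through (placeholders):
#   d=$(mktemp -d) && make_ca "$d"
#   issue_cert "$d" bank.example bank && forge_cert "$d" bank.example forged
#   chain_ok "$d/bank.pem"   "$d/ca.pem" bank.example   # exit 0: genuine site, padlock shown
#   chain_ok "$d/forged.pem" "$d/ca.pem" bank.example   # exit 1: MITM certificate, browser warns
#   chain_ok "$d/bank.pem"   "$d/ca.pem" evil.example   # exit 1: right CA, wrong host
# Clicking "proceed anyway" on that warning amounts to handing forged.pem to
# chain_ok as the trust store: from then on the interceptor's certificate is believed.
```

The point of the walk-through is that the interceptor on a fake “Gym Wi-Fi” network can forge a certificate with any name it likes, but not one that chains to a root your browser trusts; the padlock is the browser reporting that the chain check passed, and the warning is the only signal you get that it did not.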

Remember, if you ever have any suspicion your information has been compromised, contact your credit card providers ASAP. It’s also helpful to check your credit for any sudden changes (you can get a free credit report snapshot at Credit.com). Knowing the latest threats out there and installing security updates the moment they are issued is absolutely necessary, but bear in mind that there is no anti-fraud silver bullet. Gyms are neither better nor worse than anywhere else when it comes to data security practices, but they are definitely places where you can be harmed.

If you assume your information is vulnerable, at the gym or anywhere else, and you take the effort to limit your data exposure and minimize your attackable surface, you have the best shot at staying in good shape. If you do find a security problem at your gym, maybe it’s time to demand solutions. At the very least, if you see something, say something. And if you’re really worried, find a new gym that practices better cyber and data hygiene.

Image: BraunS

The post Is Your Gym Exposing More Than Your Abs? appeared first on Credit.com.