By Harrell Kerkhoff
Busline Magazine Editor
Identity theft is getting worse, with a growing number of people finding themselves at risk every day. There are ways, however, to protect individuals and companies from unexpectedly drained bank accounts and other acts of modern-day thievery, otherwise known as “social engineering.”
A recent presentation was given during a business conference in Orlando, FL, to help guide people through the minefield set by today’s “black hat hackers” and modern day con men. Robert Siciliano, CEO of IDTheftSecurity.com, a personal security and identity theft expert based in Boston, MA, spoke on, “Information/Computer Security and Privacy Protection: Defense Against Hackers, Attackers, Thieves and Organized Criminals.”
According to Siciliano, there is a good reason why data breaches continue to make headlines. Hacking is a lucrative business, with some criminals making more money in a day than many people make in a year. He added that the bleeding will not stop anytime soon, and the more time a person spends uninformed, the better the chance that individual will be targeted.
The good news is there are certain fundamentals that can be followed to protect important personal and business data.
“Security is all about adding layers of protection. The more layers you have, the more secure you are going to be,” he said. “In a home setting, these layers might be a big fence in the yard, a strong lock on the door, a ‘beware of dog’ sign in the window, an alarm system in place, and putting valuables in a safe. My job is to build your awareness, appreciation, desire and drive to protect your family and business from identify theft.”
Siciliano said security has evolved from just providing theft prevention in the physical world. The virtual world is now a large part of many people’s lives, and theft is occurring in this world in staggering numbers.
“Violence is part of today’s virtual world. This includes cyber bullying, stalking and various electronic threats and harassments,” he said. “Primarily, my goal is to speak to you on how to protect the data that you have been entrusted with, both at home and at work.”
For individuals, this data can include Social Security and bank account numbers. For companies, this can include employee records, client information and proprietary data involving a company’s trade secrets.
A lack of security appreciation is one of the leading contributors to the human error behind most security breaches, according to Siciliano. Therefore, security needs to be everyone’s responsibility, especially in a work environment.
“Corporations and government agencies are directly responsible for protecting personal information entrusted to them by customers, consumers and general citizens. Thus, measures must be taken to increase awareness in the everyday IT environment and build a secure-minded culture from the ground up,” Siciliano said. “To create this culture, all employees need to be educated and tested on security threats, such as how their day-to-day computer use behavior can negatively influence an organization’s security posture.”
Siciliano asked the audience how many of them have been educated and tested on specific security threats at work. Approximately half those people in the room raised their hand.
“If I were speaking to bankers or mortgage brokers, every single one of them would raise their hand. They are required to be educated and tested on such threats, but with most other industries there are no requirements. This is why the problem keeps getting worse,” he said. “For a criminal, the path of least resistance is not through the bank. The path of least resistance to get your money from a bank account is through your own computer. The bank is relatively secure. The same can’t always be said about personal electronic devices.”
Understanding Social Engineering
In the “good old days,” if someone wanted to take something of value from another individual, he/she usually had to either physically commit a burglary or confront the victim face-to-face, probably with gun or knife in hand. Today’s thieves don’t even have to get dressed for “work,” and their tricks of the trade often involve keyboards, computers and other electronic devices. These people use various forms of social engineering to earn a living, at the expense of their unsuspecting victims.
Siciliano defined social engineering as a collection of techniques used to manipulate people into performing actions or divulging confidential information. While similar to a confidence trick or simple fraud, the term typically applies to trickery for information gathering or computer system access and, in most cases, the attacker never comes face-to-face with the victim.
“If a con man gains your confidence effectively, you are likely to provide that person with the money in your wallet or your bank account password. The thief may also send you a ‘phishing’ email, which is an email that looks like it’s coming from your bank or other credible source, but designed to gain your confidence and take something of value,” Siciliano said. “Once you click on a link from a bad email, it can lead to your personal information being sent to a spoofed Website.”
Other forms of social engineering take a more physical form, but can be just as lucrative for the criminal. This includes people who pose as firemen, policemen, etc., to gain access to a business. From there, they often find easy access to computers and sensitive information.
He added that human gullibility is common, and everyone falls victim at some point. This plays into the hands of those behind today’s social engineering exploits.
“Everyone can be suckered. It’s just a matter of the thief finding the right trigger, pressure point and/or vulnerability of his/her victim,” Siciliano said.
Often the trigger is fear or greed. For example, someone behind a scam calls a person and tells him/her to provide valuable information in order to win a prize or stay out of some type of trouble. It’s a scam, but many well-educated people fall victim to such schemes every day.
“People will say, ‘I’m not that stupid.’ It’s not about being stupid. Some people are lonely, and loneliness sometimes trumps common sense,” he said. “There is also pressure that can negatively influence our decision making. This includes the pressure to get a job done on time or responding to a boss or colleague in a responsible way. This pressure can lead us to make decisions that we might not normally make.”
Siciliano added that a good con man knows all about the principles of influence and the psychology of persuasion.
“You can read book after book on how to influence and persuade people as well as how to negotiate to get what you want,” he said.
Social engineering comes in many forms, some more sinister than others. For example, there is the “lost thumb drive found in the parking lot” trick.
“You see a thumb drive on the ground and pick it up. There are 40 gigabytes on the drive, which is worth around $30. You put the drive in your briefcase and eventually plug it into your computer. That thumb drive was planted by a criminal, and soon launches a virus that affects your device and allows complete control over your personal information,” Siciliano said.
He added the thumb drive can also be found in an unopened package, all in an effort to gain a person’s confidence.
“The person who picked up the thumb drive thinks it simply fell out of someone’s bag. Finders keepers, right?” Siciliano said.
This particular trick was able to severely damage Iran’s nuclear program, with a “lost” thumb drive containing the highly destructive Stuxnet computer worm. According to Siciliano, the same tools that are being used as cyber weapons to fight wars are also being used by thieves to drain bank accounts.
Email scams, meanwhile, are one of the most common forms of social engineering. Siciliano detailed an FBI warning in 2016, highlighting what the agency called a dramatic increase in business email scams.
According to an FBI news release, today’s schemers go to great lengths to spoof company emails and use social engineering to assume the identity of a CEO, company attorney or trusted vendor. These con men research and find unsuspecting employees who manage money, and then use language specific to the company that they are targeting to request a fraudulent wire transfer, using dollar amounts that lend legitimacy.
There are various versions of these scams. Victims range from large corporations to tech companies to small businesses to non-profit organizations. Many times, the fraud targets businesses that work with foreign suppliers and regularly perform wire transfer payments.
Law enforcement officials have received complaints from victims in every U.S. state and in at least 79 countries, according to the FBI. From October 2013 through February 2016, there were 17,642 victims identified, with more than $2.3 billion in reported losses.
“By using the internet, there are criminals who can find out a person’s job responsibility and take advantage of that person through email scams,” Siciliano said. “It can happen to any company. By accepting this, a company can start taking steps to prevent future losses. There could be somebody lurking inside your email program as we speak.”
Siciliano discussed the website, “Have I been pwned?” (www.haveibeenpwned.com), which is designed to show if a person or company’s email address has been breached.
Recognizing Data Breaches
The terms “identity theft” and “identity fraud” refer to crimes in which someone wrongfully obtains and uses another person’s personal data, typically for economic gain, according to Siciliano.
Data breaches that can lead to identity theft and fraud come in several forms. They include:
■ Irresponsible or malicious insiders: “These are people from inside your organization who click a link from a suspect email or do something else to make your network vulnerable. These might be employees who are disgruntled or see an opportunity to get paid at a higher level,” Siciliano said. “There might also be organized criminals working within your organization to gain access to important information. This happens a lot in the banking industry. The New York State Attorney General prosecutes approximately one teller a month. These are people accused of scamming the bank.”
■ Third-party fault: This type of breach could stem from a vendor connected to a company’s computer network;
■ Laptop theft: A computer laptop often contains vital company and/or personal information. Laptops, and other electronic devices, should always be placed in secure locations, whether at home or on the road.
“I never leave my laptop in a hotel room. If your laptop is not password protected, what is keeping the information inside that device from being stolen?” Siciliano asked.
■ Loss: It’s easy to lose things. This includes laptops, smartphones and important thumb drives. Therefore, valuable information should always be backed up and password protected.
“A recent study showed, on average, dry cleaners annually find approximately 12,000 thumb drives in pant and coat pockets,” Siciliano said. “How many data breaches do you think this leads to every year?”
■ Physical security vulnerabilities: According to Siciliano, many people don’t have security systems in their homes and/or businesses because they feel their neighborhoods are safe and such security measures are unnecessary.
“If you don’t have an alarm system in your home or office, this is a vulnerability that you are allowing,” he said. “Have you ever read police blotters? They show all the burglaries and home invasions, some of which result in violence and death. I have heard people say, ‘I don’t want a security system because I don’t want to live like that.’ My response is, ‘You don’t want to live securely?’”
■ Hacking is 21st century burglary: According to Siciliano, there is no real mystery to hacking. The people who hack are no more intelligent than those who don’t hack. Hackers are simply “computer scientists.” They understand how to navigate technology a little better than most people. The “black hat” hackers, however, are the ones who seek business and personal vulnerabilities for their own gain.
The Password Dilemma
A common problem in today’s high-tech world is that everything seems to require a password to gain entry. Remembering passwords is difficult for many, and changing passwords on a regular basis is often not done. Many people use the same passwords for different accounts, and there are cases of people using very easy passwords to remember, such as “123456,” “ABCDEF” or, simply, “password.”
Gaining access to important and personal data is made easier thanks to the many deficiencies associated with passwords.
“If you are using the same password across multiple accounts, thieves have a better chance of gaining access to these accounts. The key is to not use the same password,” Siciliano said. “Many people use first names as passwords, usually the names of spouses, kids, other relatives or pets. All of this can be deduced with a little research conducted by a good hacker.”
There is also software available that automatically plugs common words into password fields. This allows password cracking to become almost effortless for hackers.
Siciliano discussed a program called Password Manager, which helps the user manage different passwords needed for different accounts. This program “memorizes” the passwords for the user. It then stores these passwords virtually in a “cloud.” Siciliano recommends backing up all information, such as passwords, in an Excel file.
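The following script is an added example, not code from the article, from Siciliano or from IDTheftSecurity.com. It turns the two password problems described above into checks a defender can run against their own credential list: it flags passwords that appear in a constructed common-password list, flags one password reused across several accounts, and looks up breach exposure the way the “Have I been pwned?” Pwned Passwords range API works (an assumption about that service, which the article mentions only for email lookups): only the first five hex characters of the password’s SHA-1 hash are sent, and the matching suffix is searched for locally in the returned list. The API response and the account list are constructed inline so the script runs offline; the `fetch_range_offline` function and the sample counts are hypothetical stand-ins.

```python
"""Added example: local password-hygiene audit with an offline k-anonymity lookup.

Not the article's or IDTheftSecurity.com's code. The range-API response below is
a constructed sample that mimics the 'SUFFIX:COUNT' format of the Pwned Passwords
range endpoint (assumption); nothing here contacts the network.
"""
import hashlib

# Constructed list of common passwords; a real audit would load a dictionary file.
COMMON_PASSWORDS = {"123456", "abcdef", "password", "qwerty", "letmein"}

# Constructed sample response keyed by SHA-1 prefix. The middle line is the real
# SHA-1 suffix of the string "password"; the counts and neighbours are made up.
SAMPLE_RANGE_RESPONSES = {
    "5BAA6": "\n".join([
        "1D2DA4053E34E76F6576ED1DA63134B5E2A:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1",
    ]),
}


def is_common(password: str) -> bool:
    """True if the password (case-insensitively) is on the common-password list."""
    return password.lower() in COMMON_PASSWORDS


def find_reused(accounts: dict) -> dict:
    """Map every password used by more than one account to those account names."""
    by_password = {}
    for account, password in accounts.items():
        by_password.setdefault(password, []).append(account)
    return {pw: names for pw, names in by_password.items() if len(names) > 1}


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 of the password into a 5-char prefix and the rest."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into a {suffix: count} dictionary."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def fetch_range_offline(prefix: str) -> str:
    """Hypothetical stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return SAMPLE_RANGE_RESPONSES.get(prefix, "")


def breach_count(password: str, fetch_range=fetch_range_offline) -> int:
    """Return how many times the password appeared in breaches, or 0 if not listed.

    Only the 5-character prefix is handed to fetch_range; the full hash never leaves
    this function, which is the k-anonymity property the real service relies on.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


def audit(accounts: dict, fetch_range=fetch_range_offline) -> list:
    """Return (account, finding) pairs; passwords themselves are never emitted."""
    findings = []
    reused = find_reused(accounts)
    for account, password in accounts.items():
        if is_common(password):
            findings.append((account, "common"))
        if password in reused:
            findings.append((account, "reused"))
        if breach_count(password, fetch_range) > 0:
            findings.append((account, "breached"))
    return findings


if __name__ == "__main__":
    # Constructed sample credential list for demonstration only.
    sample_accounts = {
        "bank": "password",
        "email": "Tr0ub4dor&3",
        "shop": "Tr0ub4dor&3",
    }
    for account, finding in audit(sample_accounts):
        print(f"{account}: {finding}")
```

Swapping `fetch_range_offline` for a function that performs the real HTTPS request is the only change needed to run this against the live service; the prefix/suffix split means the service still never sees the password or its full hash.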
Robert Siciliano, personal security and identity theft expert.
“Don’t worry about a program like Password Manager getting hacked. Remember, these are security companies,” he said. “Just like any other organization, occasionally they can suffer vulnerability, but they are on top of such problems. It’s their job to protect us.
“I have over 700 passwords. I know it’s crazy, but it’s the nature of my business. I might know five of these passwords. My Password Manager knows the rest.”
According to Siciliano, not using any password is the worst thing a person can do when operating an electronic device.
“Some people don’t use a password for their desktop or laptop. If these devices are stolen, what kind of access would a thief get?” he said. “I also hope everyone’s mobile phones are password protected. If not, the person who finds or steals that device will have access to all the information not only found on that phone, but the information that the same device connects to, such as social media and bank accounts.”
Siciliano also discussed identity theft protection firms available to consumers. These companies watch applications of credit in real time.
“If you are a client of one of these firms, and the firm’s representative sees an application of credit (in the client’s name), he/she is going to contact you to make sure you, or somebody with your company, has actually applied for the credit. If there is a problem, the firm will shut (the credit application or credit card) down,” Siciliano said.
Identity theft protection firms also watch to see if a client’s personal information appears on the “dark web.”
“They will let the client know if his/her information is up for sale or has been stolen. Their restoration agents will work on your behalf to make the problem go away. This includes working with the IRS and law enforcement officials,” he said. “I believe in getting such theft protection. It’s basically an insurance policy that I don’t think we can live without today.
“It’s like anything else in life, you need to be educated and understand your options.”
Surviving In A Flawed System
It’s not surprising to Siciliano, who has spent a long career in personal security and identity theft protection, that today’s problems are only getting worse.
“We are functioning under a fundamentally flawed security system. The way our system is set up today makes data very attractive to criminals around the world. They are going after us because they can readily access and turn our data into cash,” he said.
One problem that has been felt for decades in the United States is the use of Social Security numbers as primary identifiers of people. Siciliano said Social Security numbers were never meant to be used in such a manner.
“They were only meant to be used for Social Security benefits, but their use crept into other aspects of our lives, and are now considered a primary identifier. Social Security numbers are everywhere, and can be found in filing cabinets, databases, etc.,” he said. “Some people feel their Social Security number is ‘private’ information, but in reality, it’s not. Rather, you should look at it as being ‘sensitive’ or ‘personal’ information, which is not necessarily the same thing as ‘private.’”
He explained that an individual’s “personally identifiable information” includes his/her name, address, phone numbers, email addresses, Social Security number, bank account numbers, credit card numbers, etc.
“These are personal identifying bits of information. Some of them may be more sensitive than others, but they are not private. And so, you really can’t protect any of them, which makes us all vulnerable,” Siciliano said. “Once a person understands that, he/she can begin to understand how to manage data in a way that makes it useless if a criminal gains access.”
Another area of concern with identity theft, in what Siciliano called a flawed system, is the use of credit cards.
“As long as the ‘bad guy’ has your Social Security number, he/she can apply for credit under your name. It’s that simple,” he said.
There are also serious problems today with the easy access to fake identification. Siciliano called the identification process in the United States a joke. This is because many types of official identification come in the form of paper or plastic documentation, which can easily be forged, replicated or purchased online. This includes birth certificates, Social Security cards, driver’s licenses and passports.
“To give you an idea of how flawed the identification system is in the United States, there are 49 versions of our country’s Social Security cards in circulation, 14,000 types of birth certificates, 200-plus forms of driver’s licenses, and 14 states that use some form of ID that does not include a photo,” he said. “This is the situation that we are functioning under today. Do an online search for ‘fake identification.’ You will find companies all over the world that make fake IDs. All you have to do is pay.”
Siciliano added that it’s not his intention to scare people, but rather show how vulnerable and exposed they are, both at home and at work.
“I find most people are blissfully unaware of this threat. My goal is to change a person’s behavior for the better,” he said.
Identifying Various Forms Of Thievery
There are many ways for a thief to obtain something of value without using physical violence. Siciliano outlined some familiar and not-so-familiar ways anyone can get valuable information from an unsuspecting victim or company. They include:
■ Stealing incoming and outgoing mail: “Do you have a locked mailbox? If not, I would suggest getting one — for both your home and business,” Siciliano said. “Both incoming and outgoing mail can include sensitive information.”
He also warned of falling victim to a criminal filling out a change of address form at a post office with a specific victim in mind.
“The mail can then be sent to the thief. The victim will eventually get a notification that his/her mail has been diverted, but it may be too late,” Siciliano said.
■ Dumpster diving: How low will a criminal go? There are people who will sift through a person or company’s garbage to find important information in hopes of stealing someone’s identity.
“I never throw sensitive information in the garbage. This includes prescription bottle labels, which can lead a criminal to a person’s medical information. Prescription bottle labels can be used to scam a person, a pharmacy and/or an insurance company,” Siciliano said. “I also shred all business cards that I no longer need. A criminal can take a business card from the garbage and figure out what the person, whose name is on the card, does for a living. He/she can then send that person an email posing as somebody else. The goal is to get personal information via fake correspondence.
“If a thief does this with 100 business cards, and is successful just one time, he/she may walk away with somebody’s valuable information and a lot of money.”
■ There is safety in using a safe: All important papers and other valuables should be stored in a safe.
“Do you have paperwork stored in a file cabinet that somebody could easily look at or steal, and then use against you? Everybody should have and use a safe, even if it takes extra effort to keep putting things in and taking things out of that safe,” Siciliano said. “Security is not necessarily convenient, but is still necessary.”
■ Keep your wallet/pocketbook light: “Think about how much valuable information is in your wallet or pocketbook,” he said. “If you cannot tell me right now everything you have in your wallet/pocketbook, then you probably have too much in that wallet/pocketbook.”
■ Caller ID spoofing: This is when a criminal obtains a fake caller ID that shows up on a victim’s phone. The victim sees the caller ID, thinking it’s legitimate, such as from the local police department, and ends up getting scammed. Fake caller ID technology is available online for any criminal to purchase and use.
“People fall for this type of scam all of the time, providing personal information to unknown individuals,” Siciliano said.
He added it’s always a good idea to call people back, such as the police department, to find out if a call is, in fact, legitimate.
■ Stay out of the spam folder: “What is in your spam folder?” Siciliano asked the audience, during his presentation. “You should have no idea, because emails sent to spam folders can get people in a lot of trouble.
“These emails are sent to the spam folder for a reason. Your internet service providers generally know what is spam, based on certain aspects of that email. They see the server which an email comes from, and determine whether or not it’s spam. Don’t ever click on a link from an email that has been sent to a spam folder.”
■ Know about spyware: This includes “scareware,” which carries a fake anti-virus; and “ransomware,” which tries to hold data for a ransom.
“Scareware is designed to scare somebody to pay money to get rid of a virus that is not really present,” Siciliano said. “If a pop-up ad appears on your computer stating that you have a virus and need to download a program, I would recommend that you disconnect from the internet, run a scan and, in some situations, back up all data and completely reinstall your operating system. If you see that kind of pop-up, you probably are using an outdated operating system.
“Ransomware, meanwhile, holds data for ransom, including what is in your backup. A hospital recently paid around $18,000 to get its data back. Many such instances have occurred. Unfortunately, if you pay that ransom, you may get your data back, but you are also funding the thieves.”
■ Beware of KeyCatchers: These are small hardware devices that can be plugged into the back of a computer, generally the desktop, and can be used to retrieve important information.
“Let’s say one of your competitors knows a member of a cleaning crew who works in your office. That competitor can pay that crew member to plug in a KeyCatcher in the back of one of your computers to ‘catch’ valuable information. After a week or so, the same person who planted the device retrieves it and gives it back to the competitor,” Siciliano said. “I’ve seen many KeyCatchers in the backs of PCs used by teachers, probably from people trying to get test information.”
■ ATM skimming and independent ATMs: Using ATMs is a convenient way for people to draw money from their bank account. Unfortunately, thieves have found ways to take advantage of this convenience.
Siciliano explained that skimming involves a criminal placing a device over the card slot of an ATM. He advises ATM users to cover the key pad with one hand as they punch in their PIN code.
“That way, if there is a camera nearby (placed by a criminal), it can’t pick up the code. And, pay close attention to your bank statements when using ATMs,” he said. “I also never use an independent ATM. You see them at gas stations, convenience stores, hotel lobbies, etc. Anybody can get into the cash dispensing business and find a way to use your valuable information for his/her gain.”
■ Proper disposal is a must for secondhand devices: “What do you do with your old laptops, desktops, mobile phones and printers? Do you donate them, recycle them, trade them in, sell them? The problem is, they often still have personal information that a thief can use to steal your identification,” Siciliano said. “I would never sell such devices on the secondhand market. It’s also important to remove hard drives from these devices and either send them to an industrial shredder or destroy them yourself.”
■ Learn about, and use, a credit freeze: Siciliano recommends that people check their credit reports three times a year, and use a credit freeze. He said this is a program that has been around since 2008, but remains relatively unknown.
“To get a credit freeze, a person submits specific information to the three main U.S. credit bureaus (Equifax, Experian, and TransUnion). The application process is easy and inexpensive,” Siciliano said. “Prior to your credit being frozen, you will receive a letter that shows a PIN number or password. When you want to lift your credit freeze, you simply go online and type in your provided information.”
He added that using a credit freeze, “Is probably the single best thing you can do to prevent new account fraud. It’s another layer of protection when guarding against identity theft.”
for more information.