Protect 18


MAY 2011

Inside This Issue . . .

GAME OVER FOR PLAYSTATION
EPSILON HACKING EXPOSES MILLIONS
DON'T BE ANOTHER QUAKE VICTIM

THIS MONTH IN PROTECT

“The big one” is a phrase that often refers to a major earthquake, like the one that devastated large parts of Japan. As we note in this monthʼs PROTECT, within hours of the quake, tsunami and nuclear plant crisis, scammers were wading in with fake charities and websites intended to siphon off needed funds into their own pockets. At the same time, “the big one” could also refer to the hacking of sites that contain massive amounts of sensitive personal data. This spring, it happened twice: Epsilon Data Management, a major repository of email addresses for American industry, was hit, and then weeks later the Sony PlayStation network fell. It is estimated that between the two events, roughly 80 million people have been exposed. The full extent of the loss is still unknown, but identity theft activity using stolen data from the breaches is in full swing across the country.

PROTECT is here to help protect your identity from disasters, whether the attack begins with an act of nature or an act of man. Each issue of this newsletter explains the latest crimes and scams, and how to avoid them. PROTECT is brought to you by the people who operate I.D. SHIELD 360, a leading service that helps shield you from the criminals determined to steal your most important possession – your identity.

FORGET YOUR MOTHER'S NAME
BIG MAC ATTACK
JOB SEEKERS BEWARE


PLAYSTATION NO MORE FUN AND GAMES

Itʼs one of the biggest data breaches in history. In late April, Sonyʼs PlayStation online network failed at the hands of a hacker attack. Worse than being unable to play their beloved games, more than 75 million gamers have been exposed to identity theft.

Indeed, Sony now says that as a result of the attack, an “unauthorized person” has obtained personal information about account holders, including their names, addresses (direct mail and email), and PlayStation user names and passwords. Sony also warned that other confidential information, including credit card numbers, could have been compromised, and urged potential victims to “remain vigilant” by monitoring for identity or financial theft. After the attack, Sony said it would rebuild the PlayStation network, as well as its Qriocity service, which streams audio and video to high-end Sony televisions and Sony Blu-ray players. The very act of rebuilding makes experts even more nervous because it suggests that the security issue is not a minor one that can be patched up, but a major underlying weakness.

“If you have provided your credit card data through PlayStation Network or Qriocity, out of an abundance of caution we are advising you that your credit card number and expiration date may have been obtained,” Patrick Seybold, senior director for corporate communications at Sony, wrote in a post on the PlayStation website and in a customer email. Clearly concerned about phishing expeditions, he added: “Sony will not contact you in any way, including by email, asking for your credit card number, social security number or other personally identifiable information. If you are asked for this information, you can be confident Sony is not the entity asking.”

As for who the hackers are, that remains hazy. Anonymous, a hacking group that has been blamed for previously attacking the Sony and PlayStation Web sites, denies any responsibility. Theories run the gamut, from some smart kid in his bedroom to the Chinese government. Sony representatives declined to give further details.

Sony is also being criticized for the several-day delay between when the hacking took place and when it notified customers. And industry observers suggest that the incident, already a severe blow to Sonyʼs reputation, will give its top video game rivals, like Nintendo, an advantage in the game market.


ID THIEVES PREY ON JOB SEEKERS

Persistently high and long-term unemployment continues to be a gut-wrenching problem for the nation. Almost as sad is the fact that identity thieves are taking advantage of the moment to steal personal information from job seekers and their resumes. And job seekers are more vulnerable than ever because of the proliferation of online job boards and, more so, because desperation leads to mistakes. Here is advice from the experts for protecting your identity during the job search. It can be summed up in a nutshell: Be careful and be patient.

SIMPLIFY YOUR RESUME While some people mask their information by not putting their name on a resume, this is not realistic or favored by recruiters. Rather, you can set up an alternative email address to use for job hunting, and use a cell phone number and a post office box as your address. Yahoo!, Hotmail, Juno, and Netzero all offer free email accounts. Companies today are aware of the identity theft risks associated with resumes, so they don't necessarily expect to see home addresses included on resumes. Also, to protect friends and employers, hold back on providing references until they are requested.

INVESTIGATE RECRUITERS Fake recruiters are an increasingly common hazard. Ask for references from friends, ask the recruiter for references, or check out local business associations to see if they are members. You can also use the Internet to find the company's web site and verify the address, phone number, and other information. Check the career page to see if the job opening is listed. Stay away from sketchy job listings, many of which thrive on unmonitored sites such as Craigslist. To identify a legitimate listing, use reputable sites only and look for job postings that identify the company posting the listing. Conversely, avoid job advertisements that list the company name as “private” or “unlisted.” Itʼs not worth the risk. Look for signs of recruiter unprofessionalism: typos, misspellings, a private email address.

JUST SAY NO If a recruiter asks for more information than makes common sense — a copy of your driverʼs license, a bank account statement, marital status, a passport or visa, a money transfer for a “starter” or “application” fee — be suspicious. Respectable recruitment companies start with just the basics: name and contact information. If you feel uncomfortable with a question, just leave it blank. And legitimate recruiters rarely, if ever, ask for a fee to get the search process started. To protect yourself from becoming the victim of a data breach, sometimes itʼs best just to say no.

GET REAL ABOUT JOBS How many times have you heard this advice? If it sounds too good to be true, it probably isnʼt. Nobody makes a million dollars working from home part time. These types of ads are usually not real, and there is always some catch. Most of these ads will link you to websites that ask for your personal or sensitive information. Do not be fooled.

ASK FOR PRIVACY POLICIES Reputable job sites have a privacy policy. Check it out to see how long your resume will be up on the site and other ways they protect it from the general public. Some sites even let you give them your skills and then have the job openings mailed to you, which keeps you in control. No privacy policy, no deal.

PROTECT YOUR RECORDS Educational records are increasingly an area where privacy is breached. Under the Family Educational Rights and Privacy Act (FERPA), you may request that your college or university not release your educational records without your permission. Donʼt let fake recruiters, or anyone else, access these records without your knowing about it.

EVEN AFTER YOU ARE HIRED Once a job offer comes, you still must be careful. Avoid providing originals or copies of documents such as passports or birth certificates. Employers can legally record the information on the documents to get you signed on, but you are well within your rights not to hand over documents or copies that can be mishandled.


COMPUTER BACKUP BETTER SAFE THAN SORRY

Backing up your computer is always on the “to do” list but never seems to get done. After all, youʼre not a banker or a government official or a medical researcher with trade secrets, millions of records, or proprietary information to protect. But it makes sense to act now.

Letʼs face facts: computers are a big part of our lives, replacing the mail, the stereo, the encyclopedia, the mall, the photo album, the file cabinet, the financial ledger, and so much more. Why take the chance that you will lose useful — or even vital — business or personal information because of your own error or because your computer malfunctions or because your files become corrupt?

Generally, there are three ways to back up documents, photos, music, and other data. The least expensive but most time-consuming is transferring your data to CDs or DVDs. This requires a CD or DVD burner, patience, and the discipline to do it regularly. If you have a lot of data, using CDs could mean burning a lot of discs. Most DVDs, on the other hand, can hold up to 4.7 gigabytes of data.

A simpler solution may be to use an external hard drive to mirror existing information. External hard drives can provide a convenient way to increase storage space, with the added benefit that the drive may be unplugged and connected to another computer. They generally have tons of storage capacity and modest per-gigabyte costs. Other external storage options include USB flash drives, which are faster and the most portable, but have little capacity. High-capacity solid state drives — fast and relatively free from mechanical failure — cost too much per gigabyte to be affordable for most people, but prices are coming down in 2010.

Finally, there are sites that offer online backup. Most free and commercial backup software allows you to click and highlight the files and folders you want backed up. They also let you schedule when each day or week you'd like the action performed. A few actually back up files continuously. In general, these services are inexpensive, and the best ones wonʼt noticeably slow down your computer. They also encrypt data before, during, and after it's been sent to industrial-strength servers. There's no media to mess with, either. The differences to shop for: ease of use in setup and in choosing files and folders for backup; how you get files back if you lose them; and the degree of encryption and security built into their procedures.

Any of the three options — do-it-yourself, external hard drives, and online sites and services — are relatively inexpensive and easy to use, and protect you from permanent loss of data.

So what are you waiting for?

GOOD BACKUP PRACTICES

ONLINE MUSIC SHARING IS OFF KEY

Illegal music downloading and file sharing seem to have become a rite of passage, a part of growing up in the 21st century, a way to get great deals and make online buddies while sticking it to anonymous companies. But, in addition to the fact that it is illegal, the practice opens music sharers to serious security breaches, computer viruses and other ugly side effects.

One danger is that it is difficult to verify whether the source of the files is trustworthy. Such files are often used by attackers to transmit malicious code. This means spyware, viruses, Trojan horses or worms. When the music is downloaded, your computer becomes infected. All kinds of private information about you, such as logins and banking details, may be sent back to a central server owned by the spyware or malware creator. Also, your computerʼs performance is compromised: some experts estimated that as many as 50 percent of all problems that send computers to the shop relate to viruses planted, purposely or not, through such files.

Further, music file sharing often leads to identity theft issues because you often give other users access to personal information. Whether it's because certain directories are accessible or because you provide personal information voluntarily, unauthorized people may be able to access your financial or medical data, personal documents, sensitive corporate information, or other personal information.

Yet another concern is that, in the process of sharing and transmitting files, your computer may open certain ports in your firewall. This may give attackers access to your computer or enable them to attack your computer by taking advantage of vulnerabilities in your applications or system.

Finally, back to the obvious point: itʼs often illegal and it may have consequences. Files shared through these applications may include pirated software, copyrighted material, or pornography. If you download these, even unknowingly, you may be faced with fines or other legal action. If your computer is on a company network and exposes customer information, both you and your company may be liable. And, as much as you may wish to deny or rationalize, the fact is that artists, musicians, writers, engineers and others in the music business suffer harm, which ultimately costs the consumer – you – as well.

MORE ON THE DANGERS OF MUSIC FILE SHARING FROM MICROSOFT


DONʼT BE ANOTHER QUAKE VICTIM

Within hours of the perfect storm in Japan, crooks launched scores of Japan earthquake and tsunami scams. Warning signals have gone out from experts, aid agencies, and even the U.S. Department of Homeland Security for the public to be aware of bogus fundraisers. As happened with the 2010 Haiti earthquake, and, even more recently, in New Zealand, scammers are quick to cash in on other people's pain.

HERE IS THE WAY THE EARTHQUAKE SCAM UNFOLDED:

Spam email appeals appeared on Facebook, Twitter and YouTube, and fake charity websites spread globally soon after the devastation in northern Japan became clear. Most solicited cash or credit card contributions for nonexistent charities. In one email, the subject line read “Earthquake victims needs our help,” with a woman with a Hong Kong Yahoo address collecting money to set up a foundation to help the Japanese victims; it was all a fake.

Equally insidious, some of the email charity solicitations and social network postings contain attachments or links intended to infect computers with malware designed to steal personal information for identity fraud. In another version of this scam, cybercrooks set up “scareware” windows that seek to convince would-be donors that their sites are infected and that they must buy a fix.

Yet another common scam that popped up around the Japanese disasters: websites designed to graphically mimic the likes of Red Cross and UNICEF. These lookalike sites are luring victims into making donations to what appear to be legitimate organizations. In the same vein, some scammers have set up sites with official-sounding names to fool potential donors. Or they typosquat, that is, create a mimicked site that comes up when people misspell the name of a legitimate organization.

“Unfortunately, some folks try to take advantage and siphon off dollars from more legitimate efforts,” Bennett Weiner, COO of the Better Business Bureau Wise Giving Alliance, a nonprofit charity-monitoring group in Arlington VA, complained to The Wall Street Journal.

In yet another twist, the Food and Drug Administration is warning the public about ads circulating on the Internet and elsewhere promoting unapproved products with false claims about their ability to prevent or treat radiation sickness. The FDA has approved three potassium-iodide products to prevent thyroid cancer in people exposed to radioactive iodine but, despite fraudulent claims, the government is not recommending that people in the U.S.


Here are several basic steps that can help you escape becoming another victim:

• Do not click on links or attachments supposedly relating to the earthquake or tsunami, even if they come from people or organizations you know, unless or until you can confirm they're for real.
• Never click on pop-up security warnings unless you know for sure they're messages from your installed security software.
• Be especially careful of emails that claim to show pictures of the disaster areas in attached files, as these files often contain viruses.
• If you are looking for news updates, opt for established news sites and media organizations rather than random ones found through a search engine.
• Do not respond to email or door-to-door solicitations for donations. Be wary even of face-to-face fund-raisers you may encounter.
• Do not give your credit card details in response to a telephone or email solicitation. Again, most charities don't use this technique.
• To make donations, visit the websites of established charitable organizations. Research the credentials of charities, or purported representatives, before you give. Lean in favor of established groups.

Charity Navigator rates organizations providing relief in Japan: www.charitynavigator.org

After Hurricane Katrina, the FBI and National Center for Disaster Fraud set up this clearinghouse for investigating disaster-relief fraud: 866.720.5721 or disaster@leo.gov

FORGET YOUR MOTHER’S NAME

With Mothers Day celebrated this month, it may seem odd for us to tell you to forget your motherʼs name. But in the world of identity theft, honoring your mother by using her maiden name as a code word, password, or secret phrase is a big problem.

The ugly truth is that many corporations employ the maiden name as a security function. These may include your bank, credit card issuer, or utility company. While the use of the name is intended to provide an additional layer of protection to transactions, the problem is that this once-useful safeguard has been compromised through overuse.

Identity thieves and cybercriminals know that your motherʼs maiden name may well be a key to a big pay day. Once they have your email or bank account number or credit card number, the maiden name can be easily discovered. It is the kind of information that people often inadvertently mention on social media sites, for example.

Indeed, just this spring in Kansas City MO, a computer hacker stole $700,000 from 250 victims by taking advantage of two common mistakes: providing a motherʼs maiden name on online registration forms, and then using the same user name and password on multiple online accounts. According to the case laid out by prosecutors, the man hacked into the websites of several businesses, accessing email addresses, passwords and the password reminder question, “What is your motherʼs maiden name?” Armed with this information, he was able to buy gift cards and airline tickets, and to make bank wire transfers all around the globe.

Looking ahead, one way to reduce the risk is to ban the maiden name from use as a password and to be willing to forgo doing business with any company that insists upon it as an identifier. Looking backwards, you may wish to consider getting in touch with companies with whom you do business and changing to a different security question. The point is to reduce identity theft by protecting your mother's maiden name, which helps ensure that her name is associated with only loving memories.


ONLINE DATING DANGEROUS LIAISONS

In todayʼs fast-paced and fully wired era, it is no surprise that more and more people are turning to the internet to meet prospective partners. Online dating can be a satisfying and rewarding experience. Still, the growing popularity of the practice — and the fact that people can hide anonymously behind their computer profiles — is leading to a rising tide of identity thefts and related scams.

Among the most common problems encountered in the online dating scene: the person on the other end is not who they claim to be, perhaps older or less genteel, heavier or poorer, married on the side, or even emotionally unstable; or the person is part of a scheme to get your email address for marketing or spamming; or your prospective date is really looking for a shakedown to get you to send money for a visit or an emergency or to help a sick friend or aid a Nigerian prince; or your online pal is really looking to obtain your phone number, credit card, bank information or passport to steal your identity.

HERE ARE THE BASICS FOR PROTECTING YOURSELF FROM ONLINE DATING SCAMS:

AVOID FREE DATING SITES These sites donʼt make much of an effort to run background checks to identify or filter out fakers and scammers.

SET UP AN ANONYMOUS EMAIL ACCOUNT Use an email service and change the account information to not give out your full name. This protects your privacy.


USE A CELL PHONE NUMBER A person armed with your home number can more easily find your home address.

QUESTION PERFECTION Carefully scrutinize the dating profile to look for obvious signs of fraud such as the person being too perfect or the information too generic.

MEET IN A PUBLIC PLACE This includes driving yourself to the destination so that a stranger does not know where you live.

DONʼT OFFER TOO MUCH INFORMATION Resist the urge to tell your life story, occupation, details, even your address, until you feel more confident about the other person.

DO EXTRA RESEARCH If you are interested in this person, run your own background check or at least use Google for the basics.

FEAR LOVE AT FIRST SIGHT While having someone fall instantly in love with you may be flattering, be wary. They may try to gain your trust through flattery, only to abuse it later. Time is on the side of honest people, and against desperate scammers.

DONʼT SEND MONEY Be concerned when people ask for money. Keep it where it belongs, in your pocket.

TRUST YOUR GUT If someone or something makes you uncomfortable or sends up too many red flags, stop communicating with this person. Like in all aspects of life, online dating requires listening to your instincts.

AVOID ONLINE DATING SCAMS

EPSILON HACKING EXPOSES MILLIONS

This springʼs security breach of Epsilon has shocked the American public. The attack on the firm — one of a growing number of companies that store potentially sensitive personal data for major retailers, banks and other consumer companies — exposed millions of names and email addresses, and focuses attention on the vulnerability of such outsourcing companies to hackers.

Among the 2,500 clients and their customers that may have been compromised by the attack on Epsilon: Disney, JPMorgan Chase, Hilton, Kroger, 1-800-Flowers, Dress Barn, TiVo, Best Buy, Walgreen and Capital One. These companies have notified the affected customers; most of the messages refer only to stolen email addresses, and it still remains somewhat unclear what other data may have been taken.

Epsilon calls itself “the worldʼs largest permission-based email marketing provider,” sending more than 40 billion email messages a year. The incident is the second massive email marketing company breach within six months, since Silverpop — a provider to more than 100 clients including McDonaldʼs — was hacked in December.

Phishing scams based on the emails stolen in the Epsilon breach have already started to show up around the country, with the scammers turning to “spear phishing,” which makes the communications look as though they are coming from a trusted company of which the recipient is a customer. Given the widespread nature of the Epsilon loss, experts are advising you:

1. Do not reply to emails that come from businesses, even if you recognize the brand name. If there are links on such emails, do not click them.
2. Do not give out personal information via email even if the requester claims they are from your bank or a company you frequent.
3. Know the red flags of spam such as grammatical mistakes, sloppy presentation, and misspelled words.
4. If you are suspicious of an email, go directly to the website of the company that purportedly sent it to see if the offer is real.
5. Consider unsubscribing from email communications and re-subscribing with a new address for commercial communications.
6. Spread the word. Discuss phishing scams with friends and family who have e-mail addresses.
7. Use the latest security software to protect you from going to malicious phishing sites.
8. Protect yourself from additional harm by signing up with an identity theft service.


TRUE STORIES

PUMPED UP

A Long Island gas station attendant has been arrested for allegedly stealing the identities of his customers. Police say 20-year-old Dany Diaz, a night shift attendant at a gas station on Route 112, used a skimming device to collect debit and credit card numbers from customers making purchases at the location. He also used a laptop computer connected to a camera to capture images of customers swiping their cards and entering their PIN numbers. Police say when he was arrested, Diaz was in possession of the devices, a fraudulent Department of Homeland Security Permanent Resident Card, and a fake Social Security card.

GEM OF A CASE

Three jewelry stores in New Jersey were raided by the FBI in a multimillion dollar identity theft and credit card scheme. The three stores, in the Jersey City, NJ neighborhood known as Little India, are alleged to have welcomed identity thieves, who would bring stolen credit card information to the cooperating store owners and make fraudulent purchases. Credit card companies would then charge the accounts and send the money to the merchants. The merchants, in turn, split the proceeds with the thieves. Sources say approximately $10 million in phony sales were reimbursed this way.

BIG MAC ATTACK

Two managers of a Savannah, GA McDonaldʼs have been indicted in a scheme to sell stolen identities to people seeking employment at the restaurant. Oscar Lazo of Peru, Maurcio Cruz and Manuel Cruz, both Mexican citizens, and U.S. citizen Eva Ramos, conspired to sell stolen identities of American citizens to prospective McDonaldʼs employees who could not otherwise be hired. In a related charge, Lazo and Ramos are being held for harboring illegal immigrants. Nina Gompels, owner of the McDonaldʼs franchise in Savannah, states: “The alleged actions by these employees in no way reflect the values of my restaurant organization. I care very much about my customers and the community and take matters like these seriously.” Experts suggest the Savannah case could be indicative of a new trend. That is, as the federal government cracks down on illegal immigration, enterprises that want to hire them are providing false identity documents.

TEED OFF

Mark Moyers of Waxahachie TX likes golf but does not like the greens fees. Dozens of times in recent months, Moyers has reserved golf clubs for “a charity outing,” organized fake golf tournaments, and escaped without paying. Police say that he has scammed local businesses out of thousands of dollars for phony tournaments, food drives and charity fundraisers. He would solicit entry fees, donations, gift cards, door prizes and other valuables from area businesses but would skip town before the events were to take place or, at least in one case, played a few rounds with some friends before high-tailing it away. Moyers keeps the food donations for himself, say police officers investigating the case.

COUNCILMAN CONNED

Constituents on Logan, UT Councilmember Dean Quayleʼs email list recently received an urgent message from Quayle. It stated that Quayle had to rush to England for something important, but that he had been robbed of plane tickets, cash, phones and other valuables, and needed money sent to him — immediately. “Somebody got into my email account,” Quayle told the Cache Valley News, “and had been emailing all the people on my address list, telling them of my dire situation in a far away place. Of course it's a bogus thing.” Quayle has been advised by police to change his password and his email account. It is not known if anyone responded to the false emails.

TAXING CRIMINAL

Randall Heath, known to local police as the king of Colorado Springs, CO identity thieves, struck during the weeks before tax time at a chain of Liberty Tax services in the surrounding area. Turns out Heath was making fake picture IDs and fake W-2 tax forms based on stolen identities. He would file the returns at the storefronts, and get loans and cash up front. He hit as many as five Liberty Tax places in one day. The investigation has identified at least eight identity theft victims. Police say this isn't Heath's first run-in with the law. He's been arrested several times before for identity theft, most recently for using stolen identities to buy cars.

ID THEFT MARATHON

A California man who had passed himself off as a Florida man in a nearly two-decade-long identity-theft marathon has been sent to state prison. Joseph Kidd had been going under the name of Larry Smith since 1993. Kidd obtained Smithʼs date of birth and Social Security number 18 years ago and, after settling in the Golden State, was arrested and convicted numerous times under his false moniker for forgery and drug abuse. Kidd even spent time in state prison as Smith. The theft of his identity caused continuing problems for the real Smith, who had no criminal record but has had liens placed against tax refunds, been denied medical care, and had his driverʼs license suspended. He was even put in jail for eight days because of Kiddʼs criminal activities on the West Coast.

