Posts

Mobile Provider Data Breaches: Know Your Risks

Last week, AT&T reported the latest in a series of high-profile data breaches. The company announced that approximately 9 million customer records, including names, email addresses, phone numbers and account numbers, were stolen from a third-party marketing firm that had been given access to the data by AT&T.

How do these large-scale data breaches happen?

In several recent cases, criminals targeted marketing firms that provide advertising to mobile carriers or that develop campaigns for mobile users. In the AT&T case, it was noted that the stolen data included eligibility for phone upgrades, making it reasonable to assume that the data breach was related to customer marketing. AT&T gave its customer data to a marketing firm to sell upgrades. The marketing firm was breached.

In other cases, companies that display ads on mobile devices have suffered significant data breaches exposing millions of customer records. In all of these cases, criminals did not target the mobile provider itself, but the third-party agency. Mobile providers typically have strong cyber security practices; the third parties they share your data with may not, making you vulnerable.

What are the risks from mobile data breaches?

Mobile data breaches can carry a particular risk for customers. As reported by Axios, criminals can use personal data from these breaches to launch SIM-swapping attacks, where a criminal clones a SIM card and then uses it to steal multifactor authentication codes. Ordinarily, a criminal who steals your username and password cannot access your accounts if you have two-factor authentication that sends a confirmation code to your phone. If the criminal can clone your phone number with information stolen from a data breach, they can then get the code and access your accounts.

In other words, criminals can defeat two-factor authentication, log in to your accounts and steal or wreak havoc at will. If you see authentication code requests that you did not initiate, log in to the affected accounts immediately and change your password, because it could mean someone is trying to gain access.

A lower level of risk comes from the exposure of phone numbers and email addresses. These will be sold to criminals for spam emails and phishing attempts. If you are a high-value target for hackers, you need to change your passwords and your multifactor authentication method.

What should I do to protect myself from criminal misuse of my data?

Assume that some of your personal data has been compromised. More than 74 million personal records have been posted to the Dark Web so far in 2023, according to Cyble. Next, think like a criminal.

Criminals gather several types of personal information to carry out hacks and phishing attacks. They need your name, address, email and phone number to start. Any additional information they can gather, including passwords or usernames, makes it easier for them to launch an attack.

The best defense is to change your passwords frequently and to be vigilant. Set up two-factor authentication with immediate alerts to your mobile device. The safest way to do this is to have a separate email that you use only for authentication that you never share or use for any other purpose. Have alerts sent to you whenever there is an authentication request sent, rather than having text alerts sent directly to your phone. In many cases, this thwarts SIM swapping.

If you have significant concerns, you may need to get a new phone number, which renders information stolen from data breaches useless. This poses a significant challenge for most people. Acquiring a low-cost second phone that you use solely for authentication can solve the problem without requiring you to change your primary number.

Whenever you can, opt out of data-sharing programs with your mobile provider. They will attempt to discourage this, but doing so removes one avenue that criminals can use to compromise your cyber security.

Are you vigilant with your personal data? Are you vigilant with data on the job? Would you be able to stop a phishing attack launched by a phone call from a criminal? Explore our CSI Protection Certification to develop the skills you need to stop cyber criminals at home and on the job.

Erase the Data on Your Devices: The Secure Way

With the holidays here, many of us will be receiving new digital devices. And many of those devices may end up on Facebook marketplace or eBay in a secondhand market. And I will buy them so I can find out what data you have left on them. I didn’t study not too long ago where I bought about 30 devices and ran forensics tests on them and found sensitive information on 17 of 30. Enough to steal lots and lots of identities.

data securityHave you sold or recycled an old phone or other device after you got a brand new one? What about an old laptop? Did you sell them to someone else or recycle them? If you have done any of the previous actions, it is likely that you have put yourself at risk.

A study from the National Association for Information Destruction discovered that approximately 40 percent of electronic devices that are sold second-hand still has personal information on them. This includes phones, tablets, and computers.

The data that was discovered on these devices include usernames, passwords, tax information, and credit card information. To make things even worse, the info was collected by using very simple methods; methods that almost anyone with a bit of computer knowledge can use.

Thankfully, there are things you can do to securely erase your device, including the following.

Correctly Prepare Your Device

It doesn’t matter if you are going to throw your device away (which you shouldn’t because that’s horrible for the environment) or sell it, you have to make sure that it is prepared correctly. First, you want to back up the data, and then you can erase the drive.

If you have a Mac, it is easy to do this by using the OS X Disk Utility, and if you have a PC, you can use software like Active KillDisk. If you are trying to do this with a smartphone, you can use software like SafeWiper for Android and then do a factory reset and remove the phone’s SIM card. Also, if you are throwing it away, smash it with a hammer before doing so. Yes, that’s a bit dramatic, but it ensures that people can’t get information on it.

Format the Drives

If you are getting rid of a hard drive or flash drive, or you have recently bought one, you should make sure to format them to get rid of any software that is left on them. Here’s how to do it:

Windows: 

  • Connect the device to your computer.
  • Open up Windows Explorer and find the drive on your system.
  • Right-click the drive and choose the “Format” option.
  • Choose the type of file system you want, and then under “Volume Label,” click “Quick Format” and then “Start.”

Mac 

  • Go to your computer’s Finder, and then click Applications/Utilities, then “Disk Utility.”
  • Click on the drive and choose “Erase.”
  • Next, click “Format,” choose the file system, and then create a name for the drive.
  • Click on “Erase.”

Formatting a Hard Drive on a Computer

To go about formatting a hard drive, you will find that it is a little more complex. To begin, you need a USB drive or a CD, and the goal is to completely erase the drive. Once you do this, you then have to re-install the operating system with the USB drive or the CD. Also, don’t forget to back up your data before you begin, or you will lose everything you have.

When doing this with a Mac, you should select the option on the computer to install from scratch. This will erase the drive. For Windows, you have to use the Windows Installer, and then choose “Drive Options.” Choose “Format,” “Next,” and then install Windows.

Even when this is all done, it is still possible for someone who has the knowledge to get data from your device. This is why it’s so important to educate yourself via security awareness training and remain vigilant.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

What the Equifax Data Breach Can Teach Us About Security Fatigue

If you buy anything, anywhere, you are at risk of a cyber threat. Though you probably know that cyber threats exist, if you are like most of us, you don’t’ know what to do when it comes to being safe online, and if you become a victim, you really don’t know what to do. This is all important as we prepare for the next big breach like the one that happened with Equifax. If you use credit, you are a potential victim here.

According to Equifax, more than 147 million people were affected by the breach, and most of us had or have no idea what we can do about it, or how it might affect us in the future. On top of this, when we look at statistics, we can see that almost 27 billion…not million, but billion…additional records were exposed due to data breaches in 2020, and things are only going to get worse.

The issue is that people are frustrated, scared, and confused, and because these cyber-attacks are so common now, people are just getting apathetic about it. Of course, this is very dangerous. Additionally, there are other issues, too, specifically “security fatigue.”

What does this mean? It means that people just want nothing to do with worrying about computer security at all, and they get annoyed when they hear all of the rhetoric that comes from security experts like “keep an eye out for blah, blah, blah.”

Cyber Attacks are More Common Now Than Ever in the Past

It should be no surprise that cyber attacks are more common today than they were in the past. That also means that the chances of becoming a victim of identity theft are higher. Internet fraud is playing a big role in this, but it’s not just human error and bad passwords that are causing this. Instead, it’s the lack of people doing anything to stop it. And here’s the thing…if you think it can’t happen to you, you are wrong.

Tips for Protecting Yourself Online

It is not difficult to protect yourself online. Here are seven tips to keep yourself safe:

  • Download a program for your browser that tells you if a site you are going to go to is dangerous. These can be seen right from your browser, and if a site is safe, you will immediately know. A full suite of antivirus should include a browser plug-in to serve this purpose.
  • Keep your passwords safe with a password manager. It is very important to use a different password for every account.
  • Get some type of ID theft coverage through your employer, your bank, or other business. It’s not easy to 100% fully protect your identity, but using something like this can make things much, much easier.
  • Set up two-factor authentication and text alerts for sensitive accounts like bank accounts, email, and social media.
  • Freeze your credit. This way, a scammer can’t open any new accounts in your name.
  • Learn more about common internet scams. You should understand what ransomware is, phishing, scareware, and more.

One of the biggest things you should take away from this is to understand that if you become a victim of something like this, it doesn’t just affect you; it also can affect your family, friends, co-workers, and more. Yes, it might be annoying to some to have to take these steps, but it could be the difference between staying safe and becoming a victim.

Written by Robert Siciliano, CEO of Credit Parent, Head of Training & Security Awareness Expert at Protect Now, #1 Best Selling Amazon author, Media Personality & Architect of CSI Protection Certification.

Beware of Job and eWork at Home Scams

Pandemics can be quite stressful. There are millions of people out of work, and there we really don’t know when the economy will truly bounce back. Those who are out of work are seeking other jobs, at least temporarily, and many are looking for jobs that they can do from home…right from Google.

jobsSince people have been losing their jobs, searches for terms like “laid off,” “unemployment benefits,” and “unemployed” have skyrocketed. Though some people are finding legitimate search results, others are falling for sites that are scams, and Google is allowing these sites to stay.

We have often used Google search data to determine what type of economic anxiety people are feeling, and this is certainly true right now.

Google makes its money through advertising, so it’s not totally surprising that these sites are allowed to stay on. When people are searching for information on unemployment, advertisers are seeing this, and are able to determine where they should market. This includes those working for predatory companies, who are targeting people who are unemployed.

One such example is “unemploymentcom.com.” This is a site that seems, at first, like it might be a good resource for someone who is unemployed. While there are some legitimate links there, in general, the site is trying to get people to sign up for “site profiles” and other things. It also urges people to sign up for access to your credit score…for a fee, and it absolutely sells all of the data it gets to other organizations.

When you look at the privacy policy of this website, you can see that it is owned by OnPoint Global, a conglomerate, which claims it has around 11 million people filling out unemployment surveys each month. However, what people doing this don’t realize is that the information the site is collecting is likely being complied into a package for advertisers, which also includes any other public information they can find about the person filling out the survey.

Keep in mind that it is not just the pages for people looking for information on unemployment that we are talking about. It can really be anything similar, like “unemployment insurance.” Some of these searches can even lead you to sites that can hijack your browser. Other sites simply collect as much data as they can, and then sell the information to marketers.

Everyone who is out there scared and unemployed are still considered to be consumers to these companies, and they still are seen as people who have money to spend. So, Google is still pushing sites like these to the top of search results, and still making a pretty penny from clicks. So, do yourself a favor and start being aware of the ads you are clicking, and better yet…don’t click them at all.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity and Personal Protection security awareness training program.

DoorDash Admits 4.9 Million Affected by Data Breach

DoorDash has admitted that it has been the victim of a data breach, which has affected about 4.9 million merchants and people.

In a recent blog post, DoorDash announced that it noticed some odd activity early in September from a third-party service. After looking into it, the company found that an unauthorized third party was accessing user data from DoorDash on May 4, 2019. DoorDash immediately took steps to stop any future access and to improve security.

Those who were affected by this breach joined DoorDash on April 5, 2018 or before. Those who joined after that specific date were not part of this breach. The company said it will contact those customers who were affected.

This breach involved data including email addresses, names, order history, delivery addresses, phone numbers, and encrypted passwords. In some situations, bank account numbers and the last four digits of payment cards were also released. Additionally, the driver’s license numbers of approximately 100,000 delivery people were accessed. Bank account information and full payment card numbers were not compromised.

This data is called PII or Personal Identifying Information that could be used to open new accounts, take over existing or “socially engineer” you. Going forward, as with all data breaches be on the lookout for scammy emails and phone calls. Be suspect every time the phone rings and make sure unless you are 100% sure, you aren’t clicking links in emails even if you recognize the sender.

DoorDash also said that it has added additional layers of security in order to protect the data of its customers, and it has improved the protocols that are used to get access to this data. The company has also told customers that it is a smart idea to change their passwords, even if they were not affected.

ROBERT SICILIANO CSP, is a #1 Best Selling Amazon author, CEO of CreditParent.com, the architect of the CSI Protection certification; a Cyber Social and Identity Protection security awareness training program.

The “Mother of All Data Breaches?” It Could Be Here…

You have probably heard of one data breach after another these days, but this is one that you should really pay attention to: more than 772 million unique emails, along with more than 21 million unique passwords, have been exposed.

data breach

Troy Hunt, who runs the website “Have I Been Pwned,” first reported this breach, and he says that a huge file (87 GB) was uploaded to MEGA, a cloud service. This data was then sent to a popular hacking site, and now hackers have access to all of these passwords and email addresses.

This data breach, known as “Collection #1,” is very serious. However, it could just be the tip of the iceberg. There are claims that there are several more “collections” out there, and it could be as much as one full terabyte worth of data. This could be the newest “mother of all data breaches” if this is found to be true.

So, what does all of this mean for you? It not only means that your information could be part of this breach, but it also could mean that these password and email combinations could be used in a practice known as “credential stuffing.” What is this? It’s when a hacker uses known email and password combinations to hack into accounts. Basically, this could have an impact on anyone who has used an email/password combination on more than one site.

This, of course, is concerning because this particular breach has about 2.7 billion email/password combinations. On top of that, around 140 million of the emails, and 10 million of the passwords, were brand new to the hacking database, which gives the hackers even more ammunition to wreak havoc. The big lesson to be learned here is that you should always use good security practices when you create accounts online. You should never use passwords from one account to another, and you should definitely use two-factor authentication if it is available. If you don’t have a password manager, you might want to set that up, too.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video

2017 Was the Worst year for Data Breaches EVER!

It seems like 2017 broke records for all the wrong reasons…one of them being the worst year for data breaches in history.

According to reports, hacking was the most common way to collect this data, but almost 70% of exposures occurred due to accidental leaks or human error. This came down to more than 5 billion records. There were several well-known public leaks, too, including the Amazon Web Services misconfiguration. More than half of the businesses using this service were affected, including companies like Verizon, Accenture, and Booz Allen Hamilton. The scariest part of this, however, is the fact that the number of breaches and the number of exposed records were both more than 24% higher than in 2016.

Big Breaches of Big Data

Another interesting thing to note is that eight of the big breaches that occurred in 2017 were in the Top 20 list of the largest breaches of all time. The top five biggest breaches in 2017 exposed almost 6 billion records.

Part of the reason for the big numbers is because huge amounts of data were exposed from huge companies, like Equifax. There was also a huge breach at Sabre, a travel systems provider, and the full extent of the breach isn’t even known at this point. All we do know is that it was big.

When looking at all of the known 2017 data breaches, almost 40% of the breaches involved businesses. About 8% involved medical companies, 7.2% involved government entities, and just over 5% were educational entities. In the US, there were more than 2,300 breaches. The UK had only 184, while Canada had only 116. However, until now, companies in Europe were not forced to report breaches, so things could change now that reporting is mandatory.

What were the biggest breaches of all time?  Here they are, in order:

  • Yahoo (US company) – 3 billion records
  • DU Caller Group (Chinese company) – 2 billion records
  • River City Media (US company) – 1.3 billion records
  • NetEase (Chinese company) – 1.2 billion records
  • Undisclosed Dutch company – 711 million records

Though none of this is great news, there is a silver lining here: none of the breaches of 2017 were more severe than any other breach in history, and overall, the occurrence of breaches dropped in the fourth quarter.

Because of so many breaches occurring due to human error, it’s very important that businesses of all sizes enact security awareness training, including helping staff understand what makes a business a target and what type of info the hackers want.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Protecting Yourself from a Data Breach requires Two Step Authentication

Have you ever thought about how a data breach could affect you personally? What about your business? Either way, it can be devastating. Fortunately, there are ways that you can protect your personal or business data, and it’s easier than you think. Don’t assume that protecting yourself is impossible just because big corporations get hit with data breaches all of the time. There are things you can do to get protected.

  • All of your important accounts should use two-factor authentication. This helps to eliminate the exposure of passwords. Once one of the bad guys gets access to your password, and that’s all they need to access your account, they are already in.
  • When using two-factor authentication, you must first enter your password. However, you also have to do a second step. The website sends the owner of the account a unique code to their phone also known as a “one time password”. The only way to access the account, even if you put the password in, is to enter that code. The code changes each time. So, unless a hacker has your password AND your mobile phone, they can’t get into your account.

All of the major websites that we most commonly use have some type of two-factor authentication. They are spelled out, below:

Facebook

The two-factor authentication that Facebook has is called “Login Approvals.” You can find this in the blue menu bar at the top right side of your screen. Click the arrow that you see, which opens a menu. Choose the Settings option, and look for a gold colored badge. You then see “Security,” which you should click. To the right of that, you should see Login Approvals and near that, a box that says “Require a security code.” Put a check mark there and then follow the instructions. The Facebook Code Generator might require a person to use the mobile application on their phone to get their code. Alternatively, Facebook sends a text.

Google

Google also has two-factor authentication. To do this, go to Google.com/2step, and then look for the blue “get started’ button. You can find it on the upper right of the screen. Click this, and then follow the directions. You can also opt for a text or a phone call to get a code. This also sets you up for other Google services, including YouTube.

Twitter

Twitter also has a form of two-factor authentication. It is called “Login Verification.” To use it, log in to Twitter and click on the gear icon at the top right of the screen. You should see “Security and Privacy.” Click that, and then look for “Login Verification” under the Security heading. You can then choose how to get your code and then follow the prompts.

PayPal

PayPal has a feature known as “Security Key.” To use this, look for the Security and Protection section on the upper right corner of the screen. You should see PayPal Security Key on the bottom left. Click the option to “Go to register your mobile phone.” On the following page, you can add your phone number. Then, you get a text from PayPal with your code.

Yahoo

Yahoo uses “Two-step Verification.” To use it, hover over your Yahoo avatar, which brings up a menu. Click on Account Settings and then on Account Info. Then, scroll until you see Sign-In and Security. There, you will see a link labeled “Set up your second sign-in verification.” Click that and enter your phone number. You should get a code via text.

Microsoft

The system that Microsoft has is called “Two-step Verification.” To use it, go to the website login.live.com. Look for the link on the left. It goes to Security Info. Click that link. On the right side, click Set Up Two-Step Verification, and then follow the prompts.

Apple

Apple also has something called “Two-Step Verification.” To use it, go to applied.apple.com. On the right is a blue box labeled Manage Your Apple ID. Hit that, and then use you Apple ID to log in. You should then see a link for Passwords and Security. You have to answer two questions to access the Security Settings area of the site. There, you should see another link labeled “Get Started.” Click that, and then enter your phone number. Wait for your code on your mobile phone, and then enter it.

LinkedIn

LinkedIn also has “Two-Step Verification.” On the LinkedIn site, hover your mouse over your avatar and a drop-down menu should appear. Click on Privacy and Settings, and then click on Account. You should then see Security Settings, which you should also click. Finally, you should see the option to turn on Two-Step Verification for Sign-In. Turn that on to get your code.

These are only a few of the major sites that have two-step verification. Many others do, too, so always check to see if your accounts have this option. If they don’t, see if there is another option that you can use in addition to your password to log in. This could be an email or a telephone call, for instance. This will help to keep you safe.

Amazon

Amazon’s Two-Step Verification adds an additional layer of security to your account. Instead of simply entering your password, Two-Step Verification requires you to enter a unique security code in addition to your password during sign in.

Without setting up Two Step authentication for your most critical accounts, all a criminal needs is access to your username, which is often your email address and then access data breach files containing billions of passwords that are posted all over the web. Once they search your username/email for the associated password, they are in.

Two factor locks them out.

Robert Siciliano personal security and identity theft expert and speaker is the author of Identity Theft Privacy: Security Protection and Fraud Prevention: Your Guide to Protecting Yourself from Identity Theft and Computer Fraud. See him knock’em dead in this Security Awareness Training video.

Security training: the Human Being is impossible to fix

As long as humans sit at computer screens, there will always be infected computers. There’s just no end to people being duped into clicking links that download viruses.

12DA report at theregister.co.uk explains how subjects, unaware they were guinea pigs, fell for a phishing experiment.

  • Subjects were sent an FB message or e-mail from an unfamiliar sender, though 16 percent of the subjects who ultimately clicked reported they knew the sender.
  • The sender announced they had images from a New Year’s Eve party but not to share them.
  • 43.5% clicked the FB message link and one-quarter clicked the e-mail link.
  • Many of the subjects denied making these clicks, but most who admitted it named curiosity as the reason.
  • 5% claimed they thought their browser would protect them from an attack.

Obviously, there will always be that percentage of the human population who will allow curiosity to preside over common sense and logic. The idea of simply never, never, ever clicking a link inside an e-mail is an impossible feat for them—perhaps more difficult than quitting smoking or losing 50 pounds.

This is the battle that businesses have with their employees, which is how businesses get hacked into and massive data breaches result.

However, says the report, rigid training of employees may backfire because valid e-mails may be ignored—though it seems that there has to be a way for companies to get around this—perhaps a phone call to the sender for verification if the company is small. For large businesses, maybe executives could just resort to the old-fashioned method of reaching out to employees; how was this done before the World Wide Web was invented?

Digital signing of e-mails has been suggested, but this, too, has a loophole: some employees misinterpreting the signatures.

Nevertheless, security training is not all for nothing; ongoing training with staged phishing e-mails has been proven, through research, to make a big difference. Unfortunately, there will always exist those people who just can’t say “No” to something as mundane as images from a New Year’s Eve party from a sender they’ve never even heard of.

Robert Siciliano personal security and identity theft expert and speaker is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock’em dead in this identity theft prevention video.

Three Quarters of a Billion Records breached

Last year, says the security firm Gemalto, over 700 million records were breached. Or, to put it another way, this translates to two million stolen or lost records every day.

3D2015 Breach Level Report

  • 1,673 hacking incidents
  • 398 were triggered from the inside of the attacked company: employees and even IT staff who were tricked (social engineering) by hackers into clicking on malicious links or attachments
  • Government agencies suffered the greatest data leaks.
  • Following that were nation states and healthcare enterprises (remember the big Anthem breach?)

Gemalto also says that the U.S. is the leading target of cyber attacks, with the UK, Canada and Australia following behind in that order. But don’t let Australia’s fourth place standing fool you. It reports only 42 publically reported incidents, while the U.S. has reportedly had 1,222.

How can you tell your computer has been compromised by an attack?

  • Your computer is running slowly; you’re not simply being impatient—the device really is moving at a crawl. This is a possible sign the computer is infected.
  • Another possible sign of infection: Programs open up without you making them, as though they have a mind of their own.

Protecting Your Computer

  • First and foremost, businesses need to rigorously put their employees through training. This includes staged phishing attacks to see if any employees can be tricked into revealing sensitive company information. Training for workers must be ongoing, not just some annual seminar. A company could have the best security software and smartest IT staff, but all it takes is one less-than-mindful employee to let in the Trojan horse.
  • If you receive an e-mail with a link or attachment, never rush to open them. Pause. Take a few breaths. Count to 10. No matter what the subject line says, there is always plenty of time to make sure an e-mail is from a legitimate sender before opening any attachments or clicking any links.
  • Use firewall and anti-virus software and keep them updated.
  • Use a virtual private network to scramble your online activities when you’re using public Wi-Fi so that cyber snoopers see only scrambling.
  • Use the most recent version of your OS and browser.
  • Regularly back up your data.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.