Criminals Phish for Passwords to Re-Use on all Sites

Group of anonymous hackers or terrorists with laptop.It’s probably no surprise to most that cyber criminals have been targeting big brands of late. According to a survey from the Anti-Phishing Working Group (APWG), more than 54% of all targeted phishing attempts were toward just three brands in the second half of 2014: Apple, PayPal, and Chinese company Taobao.

The surprising news from this study was that it seems the phishers are now changing their tactics and targeting smaller companies more often. The companies that were victims fluctuated a lot toward the end of the year, indicating that perhaps the criminals are trying new strategies to see what works, while maintaining their success with the top brands. Seventy-five percent (75%) of the all phishing during the survey period involved the top ten brands, with over 1,000 separate instances per month.

Within the report is a suggestion that victims re-use passwords across various online sites. If the phishers can get those credentials from smaller sites in niche industries, perhaps they will be used in other places and result in success.

Most of us have multiple online accounts and it can get overwhelming to remember separate user name and password combinations for all of them. However, it is important to do just that for reasons such as this. This is a common strategy for cyber criminals and even though perhaps you are a frequent online shopper at a small local businesses that may be completely unknown to most, and therefore suspected to be less of a risk for a breach, re-using those credentials may get your bank account drained at some point.

Often smaller organizations are easier targets for hackers because they often cannot or do not invest the resources in hardened information security measures. After all, it’s not cheap initially. Cyber criminals know this and will take advantage of any open doors. And even if a company isn’t well-known outside of your small town, if it’s on the internet, it can be scanned and found by the bad guys. If they do find it and there is a weakness, they will exploit it.

So, don’t re-use login credentials. This was blamed in a breach of Yahoo! systems, as well as a theory in the Apple “naked celebrity” incident, the Uber breach of last year, and many others.

The most targeted sector for phishing attempts in this survey period was e-commerce with 39.5%. Not too far behind were banking (22%) and money transfer services (20.7%).

© Copyright 2015 Stickley on Security

Toss or Shred?

identity-theft-shreddingWith all the horror stories out there about identity theft, it can feel like the best policy is to shred any document that has any tidbit of information about you. While you certainly do that if it makes you feel more secure, you don’t necessarily have to destroy every single thing. Rather than run down everything that should be shredded, it’s helpful to think of types of information that should be shredded instead of types of documents.

The information you want to make sure gets shredded is anything relating to:

  • Applications for credit
  • Date of birth
  • Driver’s license number
  • Financial institution or credit card account numbers
  • Insurance coverage information
  • Medical information
  • Mother’s maiden name
  • Passwords
  • PINs
  • Place of birth
  • Signatures
  • Social Security number

These are the main treasures identity thieves are looking to capture, so be aware of the presence of this information and deal with it accordingly. Quality crosscut shredders—the kind that dice your documents instead of just cutting them into strips that can be taped backed together—can be found for under $30, so it’s better to make that small investment than to be out thousands of dollars because of your information falling into the wrong hands.


© 2012 BALANCE

Fight Fraud with a Credit File Freeze

credit_freezeIdentity theft can catch even the most vigilant off guard. Once a thief has possession of your personal information, s/he has the ability to open accounts and borrow in your name—leaving you with the bill and credit damage. In consumers’ interest, states have enabled consumers to “freeze” their credit file. Attaching a credit file freeze, also called a security freeze, prevents the credit bureaus from releasing your credit report and score to new lenders and other businesses, which can stop a thief from getting new credit in your name. However, it does not prevent businesses that already have a relationship with you from accessing your report.

How It Works

In most cases, financial institutions will need to see your credit report or score when you apply for credit. If your credit file is frozen, they can’t access it and won’t be able to approve a new loan or credit line. Insurance companies, employers, and landlords that you don’t already have a connection with will also be prevented from checking your file. Thus, thieves will have a very hard time opening fraudulent accounts as long as the credit file freeze is in place.

When They Work

Credit file freezes are only effective against the type of fraud where a thief tries to open new accounts. If s/he has possession of your existing credit cards or account information, s/he may be able to use them. (This is why you should notify your financial institutions immediately if you believe you were the victim of identity theft.)

Additionally, while it is the norm to check your credit report, some businesses don’t check credit reports at all. These businesses may grant a loan or provide a service in your name if the thief can provide them with your identifying data.

How to Add and Remove a Freeze

To place a freeze on your report, contact each credit bureau. The cost of this service varies by state. Generally, you do not have to pay a fee if you were the victim of identity theft. As proof, you may have to provide the bureaus with a police report or another affidavit.

Once the request is received and processed, the credit bureaus will send you a private personal identification number that you can use to lift the freeze. You will need to lift it before applying for credit or if you want a potential employer, landlord, or other business to check your credit. Depending on your state, there may be a fee to lift the freeze as well as a fee to add it again.

Credit Bureau Contact Information

  • TransUnion  Attn: Fraud Department P.O. Box 6790 Fullerton, CA 92834; 1-888-909-8872;
  • Equifax  Attn: Fraud Department P.O. Box 105788 Atlanta, Georgia 30348; 1-800-685-1111;
  • Experian  Attn: Fraud DepartmentP.O. Box 9554Allen, TX 75013; 1-888-397-3742;


Copyright © 2005 Balance

Samsung Galaxy Owners Vulnerable to Spying

SamsungIt’s been a busy couple of months for the cybersecurity world. The U.S. government announced recently that it had been a victim of two serious data breaches on the Office of Personnel Management (OPM). In addition password management company LastPass released notifications that it also had been hacked and urged customers to change master passwords and use multi-factor authentication. Now, a security company has reported that it found a security flaw in Samsung Galaxy phones last November that still hasn’t been fixed.

The flaw has to do with the keyboard on those devices. Technology firm, SwiftKey is the maker of the keyboard, but says the flaw is within the implementation of it on the Samsung devices. The way it is installed may allow hackers to access some of the core parts of the computer system on the phone, if they catch it at the right time.

For now, it is being advised that Galaxy owners with versions S3 to S6 avoid using unsecured public WiFI or even the carrier’s network to download updates for the phones. It is because the vulnerability allows the potential for exploit when an update is being installed. It’s not necessarily easy to pull it off, but it can be done. It is safer to install updates from a secured wireless network instead.

The issue may allow users to be exposed to spying. For example, when company executives or government employees travel abroad, it may make it easier for others to eavesdrop; a practice that is well-known to occur for those traveling to China. The U.S. recently approved the Samsung Galaxy for use by government employees. This has become a topic of conversation recently after sensitive information about federal employees was breached in the OPM incidents. The fear is that the information stolen may be used against them and the U.S.

SwiftKey claims it only found out about the issue recently. Although Samsung was notified about it over six months ago, the company that reported it to them said Samsung asked for over a year to fix it before notifying the public about it. Samsung claims it didn’t know the full details and severity of it until this week. Now that the cat is out of the bag, the company has said it will have a fix ready in a few days.

However, it is up to the phone service carriers to release it to their users and that has historically been a long process. When they do, apply it right away; from a secured location.

© Copyright 2015 Stickley on Security

Tips For Travelers

business-travel-safety-tips1Whether you’re traveling for business or pleasure, be on the alert for opportunities that identity thieves may try to take advantage of:

  • Receipts—Do not leave credit card receipts on the table at restaurants; sign them and hand them directly back to the server. Keep your copy of all receipts.
  • Wallets—Stolen wallets frequently lead to identity theft, so instead of carrying your wallet in your pocket or having it easily accessible in your bag, use travel pouches that are worn inside your shirt.
  • Checks—Leave checkbooks at home in a locked safe or drawer. Checking account takeover is one of the hardest types of financial fraud to clear up.
  • Camera phones—That tourist with a camera phone may actually be taking a shot of your credit card or driver’s license. Keep important personal information out of view from others.
  • Mail—Put your mail on postal hold whenever you travel, and arrange for mail to only be picked up by you at the post office when you return.
  • Hotels—Lock up all valuables in room or hotel safes while you are out, including laptops, passports and other documents that contain your personal identifying information. Do not leave these items with a hotel doorman to transport or hold—carry them yourself.
  • Airplanes—Do not put any items that contain your card numbers or financial institution account numbers in checked luggage. Never carry your social security number with you, whether local or abroad.


The Ins and Outs of Skimming Scams

Scammers can quickly read a card’s information and use it to access your account fraudulently. With a small device, your card’s information gets stored so that criminals can easily get to it later. Skimmers may be installed on ATMs, and sometimes you can’t even notice them. A small device goes over the normal card reading slot and reads your card’s magnetic stripe. skimming-how-to Skimmers can also be handheld devices that a dishonest merchant can keep in his pocket. While charging your card while you’re out at dinner, for example, a scammer can run your card through a skimmer as well. To avoid any hassles, use these tricks to avoid getting caught in a skimming scam:

  • Use secure ATMsthose inside of a bank or credit union lobby are less likely to be tampered with.
  • Cover the ATM keypad as you’re entering your PINjust in case there’s a hidden camera around.
  • Skimming devices will stick out a few extra inches from an ATM. If something looks suspicious, find another ATM. Don’t fall for a poor fitting device (or a sticker or sign that says “Swipe Here First,” or “Use This Machine Only”).
  • If a machine keeps your card, call the financial institution immediately and report it.
  • Don’t accept “help” from anybody hanging around the ATM machine. They may say they were having trouble also and you just need to enter your PIN again.
  • Keep your eyes on your card if you have any doubts. Don’t let a merchant walk off with your cardeven for a few seconds.

Article courtesy of