Resource Center

MyIDMatters Content for Issue 39, Q1 2019


Credit Freezes Are Now Free (Legal)

Consumers in most states were required to pay to put a freeze on their credit file, but as of September 21, 2018 it is now free. This article will explain what a credit freeze does, why consumers might choose a freeze and how to put freezes in place at the three major credit bureaus. Link: https://www.consumer.ftc.gov/blog/2018/10/new-credit-law-faqs Link: https://krebsonsecurity.com/2018/09/credit-freezes-are-free-let-the-ice-age-begin/ Link:...


From the Internet of Things to the Internet of Bodies (Privacy)

“The line between human and machine is blurring — and creating new concerns about consumer safety and privacy rights,” says Mary Lee, a mathematician for the RAND Corporation. The Internet of Things (IoT) has seen us connecting everything from cars to toasters to light switches to the Internet. New medical devices connect our bodies to the Internet as well—creating the “Internet of Bodies.” Implanted devices not only monitor the functioning of a body, they have the potential to control it. Having your phone hacked could be annoying and expensive. Having your pacemaker hacked could be fatal. This article will explore the current state of the Internet of Bodies and what the future may hold. Link: https://motherboard.vice.com/en_us/article/gvyqgm/the-internet-of-bodies-is-coming-and-you-could-get-hacked Link: https://www.washingtonpost.com/news/theworldpost/wp/2018/10/15/health-data/ Link:...


Agent Tesla Malware (Crimeware)

Keyloggers are nothing new, but Agent Tesla takes the capabilities of simple keyloggers to new levels. Among other capabilities, Agent Tesla can steal passwords from all major browsers, and capture snapshots of the victim’s keystrokes, their desktop, and pictures from their webcam at timed intervals. Although Agent Tesla has been around for a few years, there has recently been an increase in its popularity with more than 6,300 customers paying subscription fees to license the malware. This article will look at what Agent Tesla does and how it is spread. Link: https://krebsonsecurity.com/2018/10/who-is-agent-tesla/ Link: https://www.digitrustgroup.com/agent-tesla-keylogger/ Link: https://www.securityweek.com/new-agent-tesla-spyware-variant-discovered Link:...


Soon, the Majority of Mobile Calls Will Be Fraudulent (Scams)

After analyzing more than 50 billion calls made to mobile customers over 18 months, technology company First Orion predicts that nearly half of all calls to mobile phones will be fraudulent in 2019 unless the industry adopts and implements more effective call protection solutions. Over the past year, First Orion’s data shows a drastic increase in mobile scam calls—from 3.7% of total calls in 2017 to 29.2% in 2018—and that number is projected to reach 44.6% by early 2019. This article will look at reasons for the surge in fraudulent calls, and suggest steps consumers can take to reduce the number of scam calls they receive. Link: https://firstorion.com/nearly-50-of-u-s-mobile-traffic-will-be-scam-calls-by-2019/ Link: https://www.aarp.org/money/scams-fraud/info-2018/scammer-calls-increasing.html Link: https://www.cnbc.com/2018/06/12/you-think-its-your-friend-calling-but-its-actually-this-growing-phone-scam.html Link:...


How Scammers Gain Your Trust (Scams)

One reason scammers are so effective is that they are skilled at getting their victims to trust them and fall for their scams. However, consumers who know the signs of a scam are better prepared to resist. This article will discuss some of the common tricks employed by scammers and how consumers can protect themselves. Link: https://www.rd.com/advice/relationships/con-artists-win-trust/ Link: http://home.bt.com/tech-gadgets/computing/security/six-tricks-fraudsters-use-to-gain-your-trust-11364184899041 Link: https://www.ajc.com/marketing/things-scammers-tell-you/f1bIl7nvZa0pa14K07VmeN/ Link:...


Biometric Privacy (Privacy)

Imagine not having to remember login IDs and passwords, and using a fingerprint or retinal scan for all of your logins. It is called biometrics, and it is already happening. For example, the newest iOS and Android phones use facial recognition to unlock the phones and authorize transactions. Although this new technology is convenient, it comes at a price. For biometrics to work there has to be a database of biometric scans to match against. That leads to questions about the security of stored biometric data. This article will look at the present and future of biometrics and the legal and privacy issues involved. Link: https://www.eff.org/issues/biometrics Link: https://computer.howstuffworks.com/biometrics-privacy.htm Link: https://privacypolicies.com/blog/privacy-policy-biometrics-laws/ Link: https://www.epic.org/privacy/biometrics/ Link:...


Quarterly Newsletter:

Get Rid of Unused Apps (Privacy)

The typical smartphone user has many more apps on their phone than they actually use. They download the hot new app, use it for a while, and then forget about it, leaving it to take up space on the phone. But filling your phone with unused apps poses more serious dangers than simply maxing out your phone’s storage. It can leave you open to cyberattacks, phishing, and scams. This article will discuss the dangers of keeping old, unused apps on your phone, and the best ways to clean up Android and iOS phones. Link: https://www.kaspersky.com/blog/my-precious-data-report-one/14093/ Link: https://www.consumer.ftc.gov/blog/2017/12/get-rid-unwanted-apps Link: https://www.androidpit.com/android-apps-you-should-remove-immediately Link: https://www.popsci.com/delete-your-apps Link:...


Podcast: Security Resolutions to Keep Your Identity Safe

The New Year is a perfect time for making resolutions. So while you are resolving to work out more often, eat healthier and get out of debt, take a few minutes to make and implement these simple resolutions that will help protect you from hacking and identity theft.


Five Identity Theft Terms You Need to Know

Credit Freeze, Credit Report, Medical Identity Theft, Phishing, Synthetic Identity Theft


Do We Over-Monitor Our Kids, Just Because We Can?

“We are tracking our children’s every move, and they can feel it,” says lawyer and educator Elizabeth Small in the Washington Post. Small’s concern is that children do not have a space that is private, where every moment of their lives is not monitored and shared by parents, teachers and others. Children are being observed and photographed at school, their computer activity is monitored by parents at home, and their cell phones are tracked by parents who want to know where their children are and what they are doing every minute of the day.

An article in the New York Times says, “One danger of these technologies, of course, is that many parents will be tempted to overuse them, and in intrusive ways. A parent who constantly micromanages a teenager’s life — Why did you stop here? Why did you go there? — risks stifling the independence needed to develop into an adult.”

Small recounts a conversation with her daughter after the daughter was called to her school office. She was afraid that she was in trouble for something. Small asked if her teacher had spoken to her about anything, and her daughter said no, but she worried that cameras in the hallway had caught her whispering to a friend in line. Cameras? “Yes mama, there are cameras everywhere.”

While Small loves having the information about her children that she receives through their teachers’ online journals, videos and social media posts, she wonders if it is healthy to have so much real-time access to her children’s lives. “I also remember what it was like to be a student. I loved school mostly because it was a place I could be invisible from my strict family. School gave me the freedom to experiment with my identity,” says Small.

Some experts are concerned that children have little or no say over how much of their lives are monitored and shared. Danah Boyd, the founder of Data & Society and a visiting professor at New York University, said that sharing digital information can be a sign of trust and respect between people with close relationships, but that it can become an abuse of power in unequal relationships. She said that when she was working with teenagers she was disturbed to find that the privacy norms established by parents influenced the children’s relationships with their peers, such as sharing their passwords for social media and other accounts with boyfriends and girlfriends. “They learned this from watching us and from the language we used when we explained why we demanded to have their passwords,” said Boyd. “And this is all fine, albeit weird, in a healthy relationship. But devastating in an unhealthy one.”

Parents want to protect their children and be involved in their daily lives; however, Small recommends that parents be “deliberate about giving them spaces where we don’t, even by accident, seek a window into their world, or a way to monitor their lives. Parents need to make sure they are giving their kids age-appropriate levels of privacy, and letting them know what information they are...


Watch Out for Unclaimed Property Scams

Does your state have money waiting for you?

The letter seems to promise good news. It says the state is holding money that belongs to you, and all you have to do to claim it is send your personal information or pay a fee. Although it appears to be legitimate, the letter may be from fraudsters looking to steal your money or your identity.

Every state has an unclaimed property fund. According to the National Association of Unclaimed Property Administrators (NAUPA), in 2015 the states collected $7.763 billion in unclaimed property and they were able to return $3.235 billion to the rightful owners.

What money goes into the unclaimed property funds? According to Unclaimed.org, these assets are from accounts that have been dormant for at least one year. Common forms of unclaimed property include savings or checking accounts, stocks, uncashed dividends or payroll checks, refunds, traveler’s checks, trust distributions, unredeemed money orders or gift certificates (in some states), insurance payments or refunds, life insurance proceeds, annuities, certificates of deposit, customer overpayments, utility security deposits, mineral royalty payments, and contents of safe deposit boxes.

There are companies that obtain information about the owners of funds held by the states and send letters offering to claim the funds for them for a percentage of the amount received. Although this is legal, it is not necessary to use these intermediaries, as consumers can recover their funds directly from the states. Some states charge a small administrative fee to return the property, but there is usually no charge.

The scammers, however, are sending mass mailings to people who may or may not have unclaimed funds in an effort to collect an upfront fee or simply get them to provide their personal identifying information so the scammers can steal the consumer’s identity. “These scams are just rampant,” said David Milby, director of NAUPA.

The best way to avoid getting scammed or paying unnecessary fees is to ignore these letters and do your own search to determine if you are owed money. Even if you haven’t received a letter from anyone, you can start at MissingMoney.com, a site that allows you to search the records of almost every state at once. There are, however, a few states that do not include their data on that site, so you can also find links to each state’s database at Unclaimed.org. Be sure to check in states where you used to live and work, as well as your current state. And check under other names you may have used, such as a maiden name or business name. If you find that funds are being held in your name, you can file a claim to recover...


A New Kind of Phishing Scam

A phishing attack where you don’t have to enter your personal info.

In a typical phishing attack, users are tricked into keying in their passwords or other sensitive data on fake websites. However, the recent Google Docs phishing scam used OAuth, meaning that users didn’t have to enter any information to give the bad guys access to their email accounts.

What is OAuth?

OAuth is an open authorization standard that allows users to log in to third-party websites using their account with a site such as Google, Facebook, Twitter or Microsoft without disclosing their password for those services to the third-party sites. Some sites allow you to log in using, for example, your Facebook account. To log in to the site, you are sent to Facebook where you enter your Facebook credentials, if you are not already logged in to Facebook. The third-party site never sees your Facebook password, but Facebook sends a token that lets them know who you are. The third-party site then gives you access. Depending on what permissions you set, you may also choose to give the third-party site access to some of your Facebook data, such as the names of your friends, or allow your Facebook friends to see what you are listening to on Spotify.

What happened in this scam?

OAuth is convenient when you are dealing with legitimate apps and websites, as you do not have to remember and enter a large number of passwords. You can use your credentials for a site such as Google or Facebook to log in to another site without revealing your Google or Facebook credentials to the other site. In this scam, though, a fake app was created that caused users to believe they were dealing with a Google Docs app. Instead of a legit document, the email link initiated a process to give a phony app masquerading as “Google Docs” access to the user’s Google account. If the user was already logged in to Google, the connection routed that app into an OAuth permissions page asking the user to “Allow” access to the user’s legitimate Google Drive. It appeared authentic to most users, and there was nothing that would alert security software that the page was not legitimate. Although Google shut the scam down quickly, an estimated one million users were affected. Because Google revoked the permissions granted by the scammy app, users’ information is now safe.

How can users avoid these scams?

Many experts expect that there will be many more of these attacks, and there is currently no automated way to detect a phishing email. You should follow best practices for avoiding phishing attacks of all kinds. Because an attack using OAuth can be especially hard to detect, technology expert Bob Rankin offers the following: “My policy is to avoid OAuth unless I know the party asking to use it is legitimate. I will register the tedious way instead, creating a username and password and providing a throwaway email address if necessary. Under no circumstances would I grant OAuth privileges to any sender of email that I was not expecting, even if it appears to come from a friend or trusted...


Pacemaker Data Used to Convict Arsonist

The Tell-Tale Pacemaker

Anyone who watches police procedurals on television is aware that law enforcement often uses data from cell phones and electronic toll tags to verify a suspect’s movements and actions. With the advent of smart devices there is much more data available, and law enforcement is using it to help identify the guilty parties and clear the innocent in a variety of crimes. Data collected from connected devices, including Amazon Echo, fitness bands, smart refrigerators, thermostats, cars and others, are increasingly being used in court to prove or disprove the claims of law enforcement, defendants and witnesses.

One recent case involved a man who was charged with arson, at least in part because of data from his pacemaker. When a house fire destroyed Ross Compton’s Middletown, Ohio home, he told investigators that he had been sleeping when the fire broke out. He said that he was able to pack some items into suitcases, break out a window and escape the fire with some of his belongings. Investigators learned that Compton has an artificial heart implant with an external pump and electronic pacemaker. They got a search warrant to obtain data from his pacemaker, which they had reviewed by a cardiologist. The cardiologist’s opinion was that, “[I]t is highly improbable Mr. Compton would have been able to collect, pack and remove the number of items from the house, exit his bedroom window and carry numerous large and heavy items to the front of his residence during the short period of time he has indicated due to his medical conditions.” Based on this data, in addition to other physical evidence, Compton was arrested and charged with arson and insurance fraud.

This is not the only example of law enforcement using data from an electronic device to obtain evidence. As one example, in 2015 a woman in Pennsylvania told police she had been sexually assaulted in her sleep. Data from her Fitbit, a wearable fitness-tracker, showed that she was awake and walking around during the alleged crime. That information was used to charge her with making a false report.

Arkansas police found an Amazon Echo at a murder scene in Bentonville that they hope will help them with their investigation into the death of a man strangled in a hot tub. Although Echo only records what’s said to it after it’s triggered by someone saying its wake word (e.g., “Alexa”), police are hoping the Echo may have inadvertently recorded something that might be of use to them. Amazon, however, is not eager to hand over this kind of customer information to law enforcement. Amazon stores voice recordings from the Echo on its servers to improve its services, but they declined to provide the voice recordings that were sought via a search warrant. Amazon has since turned over the data after the customer gave them permission to do so.

As the Internet of Things (IoT) records more data about our daily lives, it is inevitable that the courts will have to weigh privacy concerns against the interests of law enforcement. Jules Polonetsky, chief executive of the non-profit Future of Privacy Forum, said that while legal issues are still being debated, “you should always know if you have a device that is sending data...


Leaked NSA Tools Infect Computers Worldwide

Weaponized software stolen from NSA, leaked.

Hacking group The Shadow Brokers has leaked more than a gigabyte worth of weaponized software exploits stolen from the United States National Security Agency (NSA). This toolkit gives anyone, even those without sophisticated technical knowledge, the technology to potentially compromise systems around the world. The Shadow Brokers had attempted to auction off the stolen technology, but when no buyers appeared they released it online for free.

One tool leaked by the group has been used to infect Windows computers with malware. Known as DoublePulsar, the malware is an extremely stealthy backdoor through which other malware can be loaded onto infected computers. The infected machines can then be used to distribute malware, send spam, and launch attacks on other computers. Once infected, those machines may be open to other attacks. Initial reports were that more than 10,000 computers may have been infected. According to Dan Tentler, founder of security consultant Phobos Group, “People [who] have gotten their hands on the tools just started exploiting hosts on the Internet as fast as they could.”

The good news is that patches exist to fix the vulnerabilities exploited by these tools. Microsoft has said that the exploits disclosed by The Shadow Brokers have already been addressed by previous updates to supported products, so customers with up-to-date software are already protected. The bad news is that some users are unable (or unwilling) to apply the critical Windows updates, leaving those systems open to infection. This would include users running systems that are no longer supported, such as Windows XP or Vista. Systems running Windows 10 were not affected. The most important action consumers and businesses can take to protect themselves from these and similar threats is to keep their operating systems current and install all timely updates. As threats are discovered, Microsoft patches Windows to remove...
