Tag: Identity Theft

Heartbeats may be the keys of the future

Biometric identifiers, in one form or another, have been a part of the security industry for some time. While most biometric access control solutions use a fingerprint or an iris scan to identify an individual, Toronto-based Bionym is taking a unique approach to the market with a newly launched solution called the Nymi. Unlike other biometric devices that make the user submit to a physical read of their finger or eye, the Nymi is a wearable authentication device that uses a person’s heartbeat to verify their identity.

According to Karl Martin, co-founder and CEO of Bionym, the idea of using someone’s heartbeat as a way to uniquely identify them goes back nearly 40 years. Over the past 10 years, however, he said that research groups around the world have been working to develop automated robot systems that could use electrocardiograms (ECGs) as a biometric. Researchers at the University of Toronto, including Bionym co-founder and CTO Foteini Agrafioti, recently made a breakthrough by finding an automated way of extracting features that relate to the shape of a heart wave that are unique to each person, explained Martin.

“It was a very robust method that could work in the real world. A lot of the other research in the area, they used methods that involved finding very specific points on the wave and looking at relative measures between those points. It’s very unreliable,” said Martin. “The method at the University of Toronto looked at the overall shape and was not as sensitive to things like noise, which you see in real life. By looking at the overall shape and unique algorithms to extract those features, it was found that you could have a relatively reliable way to recognize people using a real world ECG signal.”

Martin, who along with Agrafioti worked on biometric, security and cryptography technologies as doctoral students at the University of Toronto, said they founded Bionym as a way to commercialize their work.

“We decided there was an opportunity to make a more complete solution with our technology,” he said. “We looked at what was happening with wearable technology and we realized that’s what we had with biometric recognition using the heart. It married very well with wearable technology and we could essentially create this new kind of product that was an authenticator that you wear rather than something embedded in a mobile phone, tablet or computer.”

Although other promising biometric technologies and companies have made a splash in the security industry only to flame out a short time later, Martin believes that the approach his company is taking sets it apart from others.

“We’re really driven by our vision, which is to enable a really seamless user experience in a way that is still very secure. So many of the security products and the biometric technologies out there – it’s almost kind of like a solution looking for a problem,” said Martin. “Somebody comes up with a new method and says, ‘oh, we can use it like this,’ but the question is what really new are you enabling? In many cases, you’re talking about access control – whether it’s physical or logical access control. Fingerprint is still sort of the most common because it’s robust, people know it, they understand it, but the other technologies haven’t really brought anything new to the table. What we’re doing with this technology and bringing something new to the table is it’s not so much in the core technology itself using the ECG, it’s the marriage of that technology in a wearable form factor.”

Because the Nymi is wearable, Martin said that identity can be communicated wirelessly in a simpler, more convenient way than what’s previously been available.

“The person only has to do something when they put the device on, so they put it on, they become authenticated and then they can essentially forget about it,” he added. “We’ve had a somewhat consumer focus because we are very focused on a convenient user experience, but we found that we actually were able to achieve almost that Holy Grail, which is convenience plus security.”

The distraught-sounding man told the 9-1-1 operator he shot a family member and might kill others in the house. A SWAT team was urgently dispatched to the address corresponding to the caller’s phone number. But when the tactical team arrived, ready for a possible violent encounter, they found only a surprised family panicked by the officers at their door.

It’s called “swatting”—making a hoax call to 9-1-1 to draw a response from law enforcement, usually a SWAT team. The individuals who engage in this activity use technology to make it appear that the emergency call is coming from the victim’s phone. Sometimes swatting is done for revenge, sometimes as a prank. Either way, it is a serious crime, and one that has potentially dangerous consequences.

Since we first warned about this phone hacking phenomenon in 2008, the FBI has arrested numerous individuals on federal charges stemming from swatting incidents, and some are currently in prison (see sidebar). Today, although most swatting cases are handled by local and state law enforcement agencies, the Bureau often provides resources and guidance in these investigations.

“The FBI looks at these crimes as a public safety issue,” said Kevin Kolbye, an assistant special agent in charge in our Dallas Division. “It’s only a matter of time before somebody gets seriously injured as a result of one of these incidents.”

There have already been close calls. A police officer was injured in a car accident during an emergency response that turned out to be a swatting incident, Kolbye said, and some unsuspecting victims—caught off guard when SWAT teams suddenly arrived on their doorstep—have suffered mild heart attacks.

“The victims are scared and taken by surprise,” he said. Law enforcement personnel, meanwhile, rush to the scene of a swatting incident on high alert. “They believe they have a violent subject to apprehend or an innocent victim to rescue,” Kolbye explained. “It’s a dangerous situation any way you look at it.”

It is also expensive. It can cost thousands of dollars every time a SWAT team is called out. And although there are no national statistics on how many swatting incidents occur annually, Kolbye guesses there are hundreds. A recent trend, he said, is so-called celebrity swatting, where the targeted victims are well-known actors and musicians.

“People who make these swatting calls are very credible,” he said. “They have no trouble convincing 9-1-1 operators they are telling the truth.” And thanks to “spoofing” technology—which enables callers to mask their own numbers while making the victims’ numbers appear—emergency operators are doubly tricked.

Most who engage in swatting are serial offenders also involved in other cyber crimes such as identity theft and credit card fraud, Kolbye said. They either want to brag about their swatting exploits or exact revenge on someone who angered them online.

Kolbye suggests making a police report about any swatting threats you receive online. Such threats typically come from the online gaming community, where competitors can play and interact anonymously. With a report on file, if a 9-1-1 incident does occur at your home, the police will be aware that it could be a hoax.

“The FBI takes swatting very seriously,” Kolbye said. “Working closely with industry and law enforcement partners, we continue to refine our technological capabilities and our investigative techniques to stop the thoughtless individuals who commit these crimes. The bottom line,” he added, “is that swatting puts innocent people at risk.”

Mobile identity theft is one of the fastest growing types of identity theft due to the prevalence of mobile devices such as smartphones and tablets. With over one billion smartphones being used globally and research predicting this number will double by 2015, the soaring sales of mobile devices come at a time when identity theft is at an all-time high.

There was one victim of identity theft every three seconds in the U.S. in 2012, totaling 12.6 million consumers—an increase of over one million victims compared to the previous year and accounting for more than $21 billion, according to Javelin Strategy & Research’s 2013 Identity Fraud Report. These numbers are expected to rise, especially as our use of mobile devices continues to increase.

Preventing Mobile Identity Theft

Whether it’s for email, instant messaging, surfing the web, shopping online, paying bills, or even banking, we store and share an immense amount of personal data on our mobile devices. Unless steps are taken to protect it, this data is vulnerable to identity thieves who want to use it to create fake identities and steal money.

Apart from being convenient to use everywhere we go, smartphones are no different from desktop or laptop computers when it comes to hackers, viruses, malware, and spyware. Their apps and mobile browsers enable us to store personal information such as passwords, credit card numbers, and bank account data in addition to our contacts and other sensitive information. When this data is breached, the resulting identity theft can have severe and long-lasting consequences.

Fortunately, there are many actions you can take to secure your hand-held devices and avoid mobile identity theft. Here are a few tips:

-Create a strong password that is required to unlock your phone and access data. Make sure to set up the phone to automatically lock when it has not been used for a specified period of time.
-Never share sensitive data such as passwords or credit card numbers over an unsecured Wi-Fi connection. Even something as simple as purchasing movie tickets on an iPhone using a public Wi-Fi network can give a nearby hacker the opportunity to steal your data and use it to create a fake identity.
-Carefully review your phone bills for sudden increases in data usage. You also want to be on the lookout for charges from third-party content providers for services and apps you haven’t authorized. These can be signs that your phone has been hacked, which puts you at risk for mobile identity theft.
-Keep your operating system and apps up-to-date. These updates are important for keeping your smartphone or tablet current with all of the latest security enhancements.
-Make sure you are shopping on secure websites by verifying that the “s” is in the “https://” in the address bar. Websites using “http://” at the beginning of the website address are unsecure.

When trusted professionals or businesses use mobile devices to share information with clients, the same types of mobile identity theft are possible. Take, for example, healthcare professionals. Over 80 percent of physicians polled in an ABA Health survey revealed that they have used personal mobile devices to access the protected health information of their patients. This puts their patients at risk for mobile medical identity theft even when patients haven’t done anything to put their own identity in jeopardy.

Healthcare professionals can help secure medical records on mobile devices by creating passwords to authenticate access to patient information, and never sharing data over an unsecured Wi-Fi connection.

Mobile Identity Theft Protection Services

In spite of all the safeguards you put in place, hackers will always try to stay one step ahead of you and the available technology. Unfortunately, it’s not a matter of “if” but “when” your identity will be compromised. When it happens to you, don’t be caught without a mobile identity theft prevention plan.

There are a number of free mobile identity theft services, such as AVG, that offer anti-virus plans for mobile devices. Phones can be locked and located remotely, suspicious calls or text messages can be blocked, and widgets can detect questionable website activity.

The best identity theft protection service on the market is ID Theft Solutions. Managed by law enforcement professionals, ID Theft Solutions is the most comprehensive way to ensure your identity is recovered when it is stolen.

Seven Charged in Health Care Fraud Scheme

PHILADELPHIA—An indictment was unsealed today charging Penn Choice Ambulance Inc., operating from Philadelphia, Huntington Valley, and Camp Hill, Pennsylvania; its owner Anna Mudrova; and operators Yury Gerasyuk, Mikhail Vasserman, Irina Vasserman, Aleksandr Vasserman, Valeriy Davydchik, and Khusen Akhmedov with conspiracy to commit health care fraud. The alleged scheme involved more than $3.6 million in fraudulent claims submitted to Medicare. The defendants were also charged with related crimes including making false statements in connection with health care matters, aggravated identity theft, paying kickbacks to patients, and money laundering, announced United States Attorney Zane David Memeger.

Valeriy Davydchik, 58, and Khusen Akhmedov, 22, Mikhail and Irina Vasserman, both 50, and Aleksandr Vasserman, 29, all of Philadelphia, were arrested this morning. Mudrova, 40, and Gerasyuk, 41, also of Philadelphia, will make a court appearance tomorrow. According to the indictment, the defendants conspired to defraud Medicare by recruiting patients who were able to walk and could travel safely by means other than ambulance and who therefore were not eligible for ambulance transportation under Medicare requirements. It is alleged that the defendants, and others acting on their behalf, falsified reports to make it appear that the patients needed to be transported by ambulance when the defendants knew that the patients could be transported safely by other means and that many of them walked to the ambulance for transport. It is further alleged that the defendants themselves, or through others, paid illegal kickbacks to the patients as part of the scheme. The defendants allegedly billed Medicare for these ambulance services as if those services were medically necessary and, as a result of the allegedly fraudulent billing, the Medicare program sustained losses of more than $1.5 million for this medically unnecessary method of transportation.

If convicted, the defendants face substantial terms of imprisonment and fines. If convicted, Penn Choice Ambulance Inc. faces significant financial penalties, including substantial criminal fines, restitution, and forfeiture obligations. All defendants could also be excluded from participating in federal health care programs.

Bank accounts and other assets were seized which are subject to criminal forfeiture proceedings.

The case was investigated by the Federal Bureau of Investigation and the U.S. Department of Health and Human Services, Office of the Inspector General. It is being prosecuted by Assistant United States Attorney M. Beth Leahy.

STATESBORO, GA—The federal grand jury sitting in Savannah, Georgia returned six indictments yesterday charging 12 defendants with 115 violations of federal law involving fraudulent tax returns. The federal crimes charged in these indictments range from a conspiracy to defraud the Internal Revenue Service to identity theft from medical records. All these indictments allege that the defendants illicitly obtained personal identifiers, such as names, dates of birth, and Social Security numbers, and used these means of identification to prepare and submit fraudulent tax returns in order to obtain tax refunds that were then converted to the defendants’ use.

Based on these federal charges and related state crimes, law enforcement officials are arresting 21 individuals today in Georgia, one defendant in Ohio, and one defendant in Florida, who are listed below. These arrests are part of the same long-term investigation that led to the execution of multiple search warrants in Statesboro, Georgia, in September 2012. Initial federal court appearances for the federally indicted defendants who were arrested in Statesboro, Georgia, are scheduled for April 4, 2013, in Savannah, Georgia.

United States Attorney Edward J. Tarver said, “These indictments and arrests demonstrate the commitment of the United States Attorney’s Office to protecting the privacy of medical records and the hard-earned money of honest taxpayers. While April 15th is traditionally seen as the end of tax season, this investigation is ongoing. Our law enforcement partners will continue to trace electronically filed fraudulent tax returns to track down these identity thieves and put them in handcuffs.”

IRS-Criminal Investigation Special Agent in Charge Veronica Hyman-Pillot said, “Today’s announcement exemplifies IRS-Criminal Investigation’s intense focus and rigorous pursuit of perpetrators of identity theft and refund fraud. IRS is extremely grateful for the cooperation and assistance we have received from our partners at the local, state, and federal level. Be assured that IRS Criminal Investigation, with our law enforcement partners, will continue to be proactive in the investigation of those individuals who engage in similar behavior.”

Mark F. Giuliano, Special Agent in Charge, FBI Atlanta Field Office, stated, “Today’s extensive joint law enforcement actions resulting in almost two dozen arrests demonstrates the growing problem involving tax refund related fraud and, more importantly, the growing law enforcement response to address it. The FBI will continue to work with its various law enforcement partners, to include providing additional resources, to disrupt such groups engaged in these types of tax fraud activities.”

Statesboro Director of Public Safety Wendell Turner said, “The Statesboro Police Department has been working with our local and federal counterparts to apprehend the persons responsible for defrauding the government and individuals through a variety of criminal schemes. We are very proud of these partnerships and the results they yield for our citizens. This investigation is just another example of everyone working together, sharing resources, information, and expertise for the common good of our community.”

If convicted, each federal defendant faces a maximum penalty of 20 years’ imprisonment for the conspiracy charge, 20 years’ imprisonment for each count of filing fraudulent tax returns, 10 years’ imprisonment for the charge of misusing medical records, and a two-year mandatory, consecutive prison sentence for each charge of aggravated identity theft. Each of these charges also carries a fine of up to $250,000.

United States Attorney Edward J. Tarver emphasized that an indictment is only an accusation and is not evidence of guilt. The defendants are entitled to a fair trial, during which it will be the government’s burden to prove guilt beyond a reasonable doubt.

FBI Special Agent Marcus Kirkland, IRS Special Agent Gwen Weston, and SPD Sgt. James Winskey, assisted by their agencies’ colleagues, are conducting the investigation that led to these indictments and arrests. Also assisting in today’s arrests are the U.S. Secret Service, Georgia Bureau of Investigation, Georgia State Probation Office, and the sheriff’s offices for Bulloch and Richmond Counties. Assistant United States Attorneys David Stewart and Lamont A. Belk are the federal prosecutors in these cases. For additional information, please contact First Assistant United States Attorney James D. Durham at (912) 341-7842.

List of 12 federal defendants with their ages and current residences:

Erica Baldwin, 31, of Statesboro, Georgia
Tracy Denson, 44, of Statesboro, Georgia
Shakita Eason, 30, of Statesboro, Georgia
Yolando Edmond, 36, of Statesboro, Georgia
Gloria Evans, 44, of Statesboro, Georgia
Joshua Mincey, 20, of Statesboro, Georgia
Porsche Pinkney, 19, of Augusta, Georgia
Dwan Scott, 32, of Statesboro, Georgia
Jenna Scott, 28, of Jacksonville, Florida
Gregory Smith, 21, of Statesboro, Georgia
Tidaesha Taylor, 27, of College Park, Georgia
Andrew Webb, 31, of Register, Georgia

List of 11 individuals arrested on state warrants with their ages and current residences:

Santravis Jerrod Brown, 23, of Statesboro, Georgia
Reginald Raynard Ellison, 29, of Statesboro, Georgia
Sanchez Ortega Harden, 28, of Statesboro, Georgia
Chrystal N. Harlie, 32, of Statesboro, Georgia
Victoria Quinn Johnson (Baldwin), 28, of Statesboro, Georgia
Sean Lee, 34, of Statesboro, Georgia
Myron Kelsey Rawls, 30, of Statesboro, Georgia
Vera Richmond, 69, of Statesboro, Georgia
Lanika Loyonda Walden (Mincey), 37, of Statesboro, Georgia
Melissa Shantel Whitfield, 33, of Statesboro, Georgia
Lasharett Genet Wilkerson, 30, of Statesboro, Georgia

BALTIMORE – Special agents of U.S. Immigration and Customs Enforcement’s (ICE) Homeland Security Investigations (HSI) arrested two men in Maryland Wednesday morning after both were indicted on document fraud related charges.

Antonio Abraham Cruz-Cruz, 26, a Mexican citizen residing in Adelphi, Md., and Henry Ramos Agustin, 37, a Guatemalan citizen residing in Cambridge, Md., were indicted by a federal grand jury on charges relating to the sale and transfer of fraudulent identification documents. The superseding indictment was returned on March 20 and unsealed Wednesday upon the arrest of the defendants.

“Document fraud poses a threat to national security and puts the security of our communities at risk because it creates a vulnerability that may enable terrorists, criminals and illegal aliens to gain entry to and remain in the United States,” said HSI Baltimore Special Agent in Charge William Winter.

“This investigation resulted in the arrest and indictment of an alleged document mill leader and co-conspirator operating out of Maryland. Homeland Security Investigations will move aggressively to investigate and bring to justice those who potentially compromise the integrity of America’s legal immigration system.”

The 13-count indictment alleges that from Oct. 17, 2012 through Feb. 19, Cruz-Cruz and Agustin conspired to manufacture and transfer fraudulent identification documents. According to the indictment, Cruz-Cruz manufactured documents, including permanent resident cards and social security cards, which he sold to customers, and which he provided to Agustin for sale to customers.

The indictment alleges that the defendants solicited and took orders for false identification documents from customers who provided the defendants with photographs and personal information. Agustin allegedly provided the photographs and personal information to Cruz-Cruz, who manufactured the requested fake documents, which he then delivered to Agustin in exchange for a portion of the sales price. The indictment alleges that Cruz-Cruz sold such manufactured fake documents to his own customers as well.

The defendants face up to 15 years in prison for the conspiracy and for each count of transfer of false identification documents; 10 years in prison for each count of fraud and misuse of immigration documents; five years in prison for each count of social security number fraud and a mandatory two years in prison, consecutive to any other sentence, for aggravated identity theft. An initial appearance and arraignment was held Wednesday in U.S. District Court in Baltimore. Cruz-Cruz and Agustin are detained pending trial.

The case was investigated by HSI Baltimore and HSI Ocean City with the assistance of the Anne Arundel County Police Department and Baltimore County Police Department.

The case is being prosecuted by Assistant U.S. Attorney Tamera L. Fine for the District of Baltimore.

The Federal Trade Commission’s annual look at its Consumer Sentinel Network database of complaints found that 2012 was the first year the agency got more than 2 million complaints overall.

And, as has been true for the past 13 years, identity theft was the top consumer complaint the commission received.

Eighteen percent or 369,132 of 2012’s complaints were related to identity theft. Of those, more than 43% related to tax- or wage-related fraud, the agency stated.

A closer look at the identity theft trend finds:

Government documents/benefits fraud (46%) was the most common form of reported identity theft, followed by credit card fraud (13%), phone or utilities fraud (10%), and bank fraud (6%). Other significant categories of identity theft reported by victims were employment-related fraud (5%) and loan fraud (2%).

Complaints about government documents/benefits fraud increased 27 percentage points since calendar year 2010; tax or wage-related fraud accounted for the growth in this area, with 43.4% of identity theft victims reporting this problem in 2012. Employment-related fraud complaints, in contrast, have declined 6 percentage points since calendar year 2010.

Forty-two percent of identity theft complainants reported whether they contacted law enforcement. Of those victims, 68% notified a police department.

Fifty-four percent of these indicated a report was taken.

Florida is the state with the highest per capita rate of reported identity theft complaints, followed by Georgia and California.

Rounding out the Top 10 most complained about activities are:

-Debt collection: 199,721 (10%)
-Banks and lenders: 132,340 (6%)
-Shop-at-home and catalog sales: 115,184 (6%)
-Prizes, sweepstakes and lotteries: 98,479 (5%)
-Impostor scams: 82,896 (4%)
-Internet services: 81,438 (4%)
-Auto-related complaints: 78,062 (4%)
-Telephone and mobile services: 76,783 (4%)
-Credit cards: 51,550 (3%)

Steps taken

The Internal Revenue Service recently said it had taken a big shot at the identity theft problem, completing what it called a massive national sweep targeting 389 suspects in 32 states and Puerto Rico. The IRS Criminal Investigation unit put the total number of identity theft investigations at more than 1,460 since the start of the federal 2012 fiscal year on Oct. 1, 2011.

In addition to the criminal actions, IRS auditors and criminal investigators conducted a special compliance effort starting on Jan. 28 to visit 197 money service businesses to help make sure these businesses are not assisting identity theft or refund fraud when they cash checks. The compliance visits occurred in 17 cities the IRS labels “high-risk” such as New York, Philadelphia, Atlanta, Tampa, Miami, Chicago, Houston, Phoenix, Los Angeles, San Diego, El Paso, Tucson, Birmingham, Detroit, San Francisco, Oakland and San Jose.

The identity theft push over the last several weeks reflects a wider effort under way at the IRS. Among the highlights:

-The number of IRS criminal investigations into identity theft issues more than tripled in fiscal year 2012. The IRS started 276 investigations in fiscal year 2011, a number that jumped to 898 in fiscal year 2012. So far in fiscal year 2013, there have been more than 560 criminal identity theft investigations opened.

-Total enforcement actions continue to rapidly increase against identity thieves. This category covers actions ranging from indictments and arrests to search warrants. In fiscal year 2012, enforcement actions totaled 2,400 against 1,310 suspects. After just four months in fiscal 2013, enforcement actions totaled 1,703 against 907 suspects.

-Sentencings of convicted identity thieves continue to increase. There were 80 sentencings in fiscal year 2011, which increased to 223 in fiscal year 2012.

-Jail time is increasing for identity thieves. The average sentence in fiscal year 2012 was four years or 48 months—a four-month increase from the average in fiscal year 2011. So far this fiscal year, sentences have ranged from four to 300 months.

-By late 2012, the IRS assigned more than 3,000 IRS employees—over double from 2011—to work on identity theft-related issues and the IRS has trained 35,000 employees who work with taxpayers to recognize identity theft indicators and help people victimized by identity theft.

10 arrested in international cybercrime ring

Ten people have been arrested as part of an investigation into international cybercrime rings that steal millions of computer users’ credit card, bank account and other personal information, the FBI said.

Individuals from Bosnia and Herzegovina, Croatia, Macedonia, New Zealand, Peru, Britain and the U.S. were arrested in an operation carried out with the assistance of the Facebook social network and numerous international law enforcement agencies, the FBI said.

The FBI said the operation identified international cybercrime rings that are linked to multiple variants of the Yahos malware, which is linked to more than 11 million compromised computer systems and over $850 million in losses through the so-called Butterfly botnet.

Botnets, short for robot networks, are made up of compromised computer systems and can be used by cybercriminals to execute denial of service attacks, send spam emails and conduct underground organized criminal activity, to include malware distribution, the FBI said.

Facebook’s security team assisted law enforcement by helping to identify the root cause, the perpetrators and those affected by the malware. Yahos targeted Facebook users from 2010 to October 2012, and security systems were able to detect affected accounts and provide tools to remove these threats, the FBI said in a news release Tuesday.

The FBI recommended that computer users update their applications and operating system on a regular basis to reduce the risk of compromise and perform regular anti-virus scanning of their computer system. The agency said it also is helpful to disconnect personal computers from the Internet when the machines are not in use.

Computer users who believe they have been victimized can file a complaint with the FBI’s Internet Crime Complaint Center at www.ic3.gov.

You have a secret that can ruin your life.

It’s not a well-kept secret, either. Just a simple string of characters—maybe six of them if you’re careless, 16 if you’re cautious—that can reveal everything about you.

Your email. Your bank account. Your address and credit card number. Photos of your kids or, worse, of yourself, naked. The precise location where you’re sitting right now as you read these words. Since the dawn of the information age, we’ve bought into the idea that a password, so long as it’s elaborate enough, is an adequate means of protecting all this precious data. But in 2012 that’s a fallacy, a fantasy, an outdated sales pitch. And anyone who still mouths it is a sucker—or someone who takes you for one.

No matter how complex, no matter how unique, your passwords can no longer protect you.

Look around. Leaks and dumps—hackers breaking into computer systems and releasing lists of usernames and passwords on the open web—are now regular occurrences. The way we daisy-chain accounts, with our email address doubling as a universal username, creates a single point of failure that can be exploited with devastating results. Thanks to an explosion of personal information being stored in the cloud, tricking customer service agents into resetting passwords has never been easier. All a hacker has to do is use personal information that’s publicly available on one service to gain entry into another.

This summer, hackers destroyed my entire digital life in the span of an hour. My Apple, Twitter, and Gmail passwords were all robust—seven, 10, and 19 characters, respectively, all alphanumeric, some with symbols thrown in as well—but the three accounts were linked, so once the hackers had conned their way into one, they had them all. They really just wanted my Twitter handle: @mat. As a three-letter username, it’s considered prestigious. And to delay me from getting it back, they used my Apple account to wipe every one of my devices, my iPhone and iPad and MacBook, deleting all my messages and documents and every picture I’d ever taken of my 18-month-old daughter.

Since that awful day, I’ve devoted myself to researching the world of online security. And what I have found is utterly terrifying. Our digital lives are simply too easy to crack. Imagine that I want to get into your email. Let’s say you’re on AOL. All I need to do is go to the website and supply your name plus maybe the city you were born in, info that’s easy to find in the age of Google. With that, AOL gives me a password reset, and I can log in as you.

First thing I do? Search for the word “bank” to figure out where you do your online banking. I go there and click on the Forgot Password? link. I get the password reset and log in to your account, which I control. Now I own your checking account as well as your email.

This summer I learned how to get into, well, everything. With two minutes and $4 to spend at a sketchy foreign website, I could report back with your credit card, phone, and Social Security numbers and your home address. Allow me five minutes more and I could be inside your accounts for, say, Amazon, Best Buy, Hulu, Microsoft, and Netflix. With yet 10 more, I could take over your AT&T, Comcast, and Verizon. Give me 20—total—and I own your PayPal. Some of those security holes are plugged now. But not all, and new ones are discovered every day.

The common weakness in these hacks is the password. It’s an artifact from a time when our computers were not hyper-connected. Today, nothing you do, no precaution you take, no long or random string of characters can stop a truly dedicated and devious individual from cracking your account. The age of the password has come to an end; we just haven’t realized it yet.

Passwords are as old as civilization. And for as long as they’ve existed, people have been breaking them.


When hackers broke into computers at Abilene Telco Federal Credit Union last year, they gained access to sensitive financial information on people from far beyond the bank’s home in west-central Texas.

The cyberthieves broke into an employee’s computer in September 2011 and stole the password for the bank’s online account with Experian Plc, the credit reporting agency with data on more than 740 million consumers. The intruders then downloaded credit reports on 847 people, said Dana Pardee, a branch manager at the bank. They took Social Security numbers, birthdates and detailed financial data on people across the country who had never done business with Abilene Telco, which has two locations and serves a city of 117,000.

The incident is one of 86 data breaches since 2006 that expose flaws in the way credit-reporting agencies protect their databases. Instead of directly targeting Experian, Equifax Inc. and TransUnion Corp., hackers are attacking affiliated businesses, such as banks, auto dealers and even a police department that rely on reporting agencies for background credit checks.

“This is profoundly important, because it illustrates a growing problem when it comes to data breaches and security – the chain is only as strong as its weakest link,” Senator Richard Blumenthal of Connecticut, a former attorney general who has investigated credit-rating agencies before, said in an interview. “If their customers have inadequate security practices, so do the credit bureaus.”

Six States

This approach has netted more than 17,000 credit reports taken from the agencies since 2006, according to Bloomberg.com’s examination of hundreds of pages of breach notification letters sent to victims. The incidents were outlined in correspondence from the credit bureaus to victims in six states — Maine, Maryland, New Hampshire, New Jersey, North Carolina and Vermont. The letters were discovered mostly through public-records requests by a privacy advocate who goes by the online pseudonym Dissent Doe and who asked not to be identified to preserve the separation between profession and advocacy.

Experian, based in Dublin, and Chicago-based TransUnion said in statements that the breaches began with infections of customers’ computers, an area over which they have little control. The credit bureaus said that their databases weren’t breached directly.

Tim Klein, a spokesman for Atlanta-based Equifax, and Clifton O’Neal, a spokesman for TransUnion, declined to comment on specific cases. Neither would provide details about any breaches they’ve had involving the compromised log-ins of clients.

Protect Consumers

“We continue to invest in the security systems we have in place to protect our clients and consumers,” Gerry Tschopp, a spokesman for Experian, said in an e-mailed statement. “Of course, the first line of defense lies with end users who are obligated to manage and protect their credentials, which in all these instances were compromised through malware that infected their hardware and other illegal means.”

Representatives of Abilene Telco said no bank employees were involved in the data breaches.

“We don’t know what happened and we don’t know how it happened — we just know we didn’t do it,” Pardee, the branch manager at Abilene Telco, now renamed First Priority Credit Union, recalls telling victims who called the bank after discovering that someone had viewed their credit reports.

Experian’s database was breached 80 times for a total of almost 15,500 credit reports, Equifax’s was breached four times for more than 1,200 reports, and TransUnion’s was breached two times for almost 500 reports, according to the DataLossDB.org website, where Dissent Doe and other advocates have posted the documents. All of the incidents involved hackers stealing online log-in credentials from the credit bureaus’ customers.

Congress Investigation

The incidents shed new light on security weaknesses at credit bureaus at a time they are under investigation by both houses of Congress over how much data they collect and how it’s used. While security hasn’t been a focus of the probes, the breaches are cause for further investigation, Blumenthal said.

Dissent Doe has filed a complaint with the Federal Trade Commission, arguing for a formal investigation into Experian’s security practices and urging lawmakers to enact legislation that creates a national database of breach reports.

The FTC declined to comment specifically on the incidents. The agency has punished data brokers when hacking attacks on their customers led to the theft of credit reports. Last year, the FTC sued three credit-report resellers when compromised client log-ins resulted in more than 1,800 stolen reports. The agency also filed a lawsuit in 2008 against a mortgage lender after at least 400 credit reports were stolen.

Failure to Check

The commission faulted the companies for failing to check whether their customers had sufficient security and for not adequately monitoring suspicious behavior coming from them. The cases were settled, with the companies agreeing to 20 years of security audits.

“If you are providing access through an online portal, it’s your responsibility to secure that portal,” Maneesha Mithal, associate director of the FTC’s division of privacy and identity, said in an interview.

Credit reports are highly coveted in an identity theft industry that the U.S. Department of Justice estimates affected more than 8.6 million people and cost U.S. households $13.3 billion in direct financial losses in 2010.

FTC Crackdown

When criminals steal a credit report, they get enough information to take out new credit cards, qualify for loans, get a driver’s license and even obtain medical treatment, according to Chris Jay Hoofnagle, director of information privacy programs for the Berkeley Center for Law & Technology.

“One basic problem is that unsophisticated companies tend to treat their own customers as insiders, and not treat them with the type of skepticism and controls aimed at outsiders (hackers),” he wrote in an e-mail. “Of course, the insider risk is a massive problem.”

A crackdown by the FTC almost a decade ago led to stronger security measures among information brokers, including credit bureaus, according to Jay Foley, a partner with the consulting firm ID Theft Info Source, who has followed the industry since 1999. Those efforts, though, have focused mostly on preventing the data providers from being tricked into giving criminals accounts that give them access to credit reports, Foley said.

A series of breaches at ChoicePoint and Seisint, data brokers that were bought by LexisNexis parent Reed Elsevier Plc, led to landmark settlements that served as a warning to the industry. The newly disclosed breaches show that credit bureaus haven’t invested enough in fraud-detection technology to spot odd behavior coming from customers, Foley said.

The company has since improved its security with a number of measures including audits and additional fraud-detection technologies, Stephen Brown, a spokesman for Reed Elsevier’s LexisNexis division, said in a statement.

“The industry has cleaned up its act, but the act it was cleaning up was who they were allowing to have credentials,” Foley said in an interview. So instead, criminals are going through the third parties that have already gotten approval, he said.
