Tag Archives: social security number

No Vaccine for Social Media Theft

Whether you are new to college, single and dating or newly divorced (because you panicked and confessed when news of the Ashley Madison hack hit the media), I’ll bet there is at least one socially transmitted disease you haven’t started worrying about: identity theft.

If you use Facebook, you’re making easy work for identity thieves. The same goes for the whole cosmos of social media whether you favor Twitter, Instagram, Reddit, Pinterest, YouTube or LinkedIn or prefer to Tumblr your thoughts, preferences and predilections to anyone who cares to know what they are. The more you put out there in publicly viewable spaces, the more your personal identity mosaic is exposed. An identity thief’s day job is piecing together that mosaic into a passable, or usable, version of you: one that will get through the authentication process of financial, medical or governmental organizations.

The echo of another kind of disease here is intentional. Like the more widely known kind of STD, the socially transmitted diseases that fall under the rubric of identity-related crimes are contracted by unsafe personal information practices. Unlike the more familiar variety, where safety is taught in high school, tacked to college community boards and heralded by countless other media new and old, not as many people these days know how to stay as safe as possible from the threat of identity theft, especially online.

How to practice “safe social”:

  1. Don’t overshare. It’s okay to let the world know you’re on vacation so long as you have a great security system at home or you have a house sitter. Traditional trespassers use social media to know when houses are unguarded. It is far better to share the memory than report the experience as it’s unfolding.
  2. Be careful when posting pictures. While it’s fun to brag about a purchase (a diamond ring, a car or the smartest TV on the market), just be aware that anyone following you now knows where they can get your newest trophy or indulgence for free.
  3. Geotagging is for victims. There is no upside for you here. Companies like geotagging photos and other people-powered media assets because it gives them bankable information that could lead to future sales. Whether you are letting Twitter or Facebook or FourSquare narrowcast (or broadcast, depending on your privacy settings) your location, failure to disable location services on your device permits geotagging, which also gives thieves bankable info that could lead to future crimes.
  4. Know your privacy settings. Make sure you understand how your posts are being displayed or distributed by the social network you use. For instance, on Facebook you can set a post to “Public” or “Only Me,” with many choices in between.
  5. Lying is good. Facebook, especially, is a perfectly acceptable place to not be forthcoming about your age, hometown, place of employment or even the college you attended and what years you were there. Identity thieves comb social sites for information to complete dossiers of personally identifiable information that will allow them to correctly answer security questions and thus open new financial accounts or empty existing ones. If you don’t want to actively fabricate answers to these questions, just don’t fill out those parts of your profile.
  6. Beware of quizzes that require personally identifiable information. Make no mistake, your email address and name count.

There is no immunization

Unlike the other kind of STD, the socially transmitted disease of identity theft is not avoidable. There is no immunization, no safe way to avoid it—not even complete abstinence. There have been too many breaches with too much data for anyone but those living entirely off the grid to be completely safe. (And even still you can’t be sure.)

Your best bet, in my opinion, is a system detailed in my book (forthcoming in November). A key element to that approach is acceptance. Specifically, you need to come to terms with the fact that it’s no longer a question of “if” but “when” you will become a victim of at least one type, if not multiple types, of identity theft. Anyone who tells you that they can keep you from getting got is selling snake oil. In fact, they are running afoul of the Federal Trade Commission. There is no guarantee. There are, however, best practices.

THE THREE M’S

If you accept the basic premise that you are at risk for identity theft no matter what you do, here are some thoughts as to how you might stay as safe as possible. The good news may actually be that you are a seasoned and intelligent user of social media, because that means you already have several of the habits in place that you will need.

Minimize your exposure

The same strategies you can adopt to make yourself a harder-to-hit target on social media go for the rest of your life. Whether that means saying “no” when asked for your Social Security number, limiting the amount of sensitive personal information you provide to anyone who contacts you, making sure all your accounts (email, social networking, financial or retail) have different user names paired with unique, long and strong passwords, properly securing your computers and mobile devices or freezing your credit—there are a variety of things you can do to make your attackable surface smaller.

Monitor your accounts

If you use social media regularly, you are used to checking in on a regular basis—the Pew Research Center found that 70% of Facebook users check in daily, as did about half of Instagram users, and nearly 40% of Tweeps. The same behavior, applied to your financial life, may keep you from getting got … or help you undo or minimize the damage in case you do. Check your bank and credit card accounts daily. Other things you can do include signing up for free transactional monitoring alerts at your bank, credit union or credit card provider, or purchasing more sophisticated credit and noncredit monitoring programs.

Manage the damage

When the dark day comes that your daily practice of monitoring your credit or financial life yields a compromise, you need to get on it immediately by informing the institution of the account that is involved, as well as law enforcement and the fraud department of at least one credit reporting agency. Because many insurance companies, a number of financial services organizations and the human resources departments at a number of companies offer complimentary or low-cost identity theft assistance as a perk of your relationship with the institution, check to see if you are covered or, if not, how you can get covered. Resolution experts can greatly help you speed your way back to normalcy.

Identity theft is a permanent threat. The best way to stay safe is to change your behavior. The above tips are only some of the ways to do that. In the age of universal data vulnerability, practicing safe information hygiene is a must—lest you contract the one STD that may haunt you for the rest of your life.

Identity Theft Services Explained

As thieves discover more and more ways to steal personal information, it is critical that people use identity theft protection services that involve a wide security sweep of all personally identifiable information and high-risk activity. The marketplace for identity theft protection now includes all kinds of monitoring services and features. Make the best choice by understanding each feature available, how they differ from each other and their capacity for sustaining protection.

Credit Monitoring

Credit monitoring is the process of reviewing a consumer’s credit activity with the credit bureau. It monitors the activity and changes to a credit report, including inquiries made by a creditor to request a copy of a report. Credit monitoring provides an alert system for activity affecting your credit report and credit score, including potentially fraudulent activity or new accounts being established. Monitoring enables you to stay on top of fraudulent activity so that you can address the inaccuracies immediately. It also reduces the financial impact that identity theft can cause, by reporting the fraud earlier and reducing potential out-of-pocket losses.

Identity Monitoring

Identity monitoring looks at more than just credit information; it encompasses all personally identifiable information: name, birth date, address, email, phone number, Social Security number, etc. This could include monitoring the Internet, national databases, credit files, public records and more. If thieves have your personally identifiable information, it’s the perfect cover for their crimes because everything will point to you, not them. Even kids can become victims of identity theft: each year, more than 140,000 identity theft cases involve children.

Social Security Number Monitoring

It’s exactly how it sounds – protection for one of the most important pieces of information that a person has. This type involves monitoring hundreds of millions of records for unauthorized use of a Social Security number (SSN). 70% of people are worried about the safety of their SSN. Monitoring an SSN is particularly important for children because thieves have plenty of time to use the child’s information for their own gain before the child finds out by applying for an account or a line of credit and is denied because of the thieves’ damage.

Data Sweeps

Unlike the monitoring services described above, which focus on particular data or activities, data sweeps encompass a plethora of touch points and personal information. Data sweeps monitor the Internet for instances of criminals using stolen phone numbers, addresses, birth dates and more. How many data points are included and how often the data sweeps occur vary from plan to plan. Data sweeps cover the information that consumers are worried about, like mailing addresses (50%) and phone numbers (60%). They can also help a person feel more secure about their online presence because data sweeps can lead to removing exposed personal information on the web.
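The SSN monitoring and data sweep services described above boil down to scanning large bodies of text for personal identifiers and raising an alert when one is found. The following Go program is an added illustration of that core step and is not code from the page or from any monitoring vendor. It scans constructed sample text (a made-up forum paste) for SSN-shaped and North-American phone-shaped strings, discards SSNs that the Social Security Administration's structural rules say can never be issued (area 000, 666 or 900-999; group 00; serial 0000), and reports each hit with all but the last four digits masked so the alert itself does not re-expose the data. The `Sweep`, `ValidSSN` and `Mask` names and the sample values are assumptions for this example.

```go
package main

import (
	"fmt"
	"regexp"
	"strconv"
	"strings"
)

// Finding is one hit produced by the sweep. Masked keeps only the last four
// digits so that the alert does not leak the identifier it warns about.
type Finding struct {
	Kind   string // "ssn" or "phone"
	Masked string
	Line   int
}

var (
	// Hyphenated SSN: 3-2-4 digits on word boundaries.
	ssnRe = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
	// 3-3-4 digit phone with a separator (hyphen, dot or space); optional area-code parentheses.
	phoneRe = regexp.MustCompile(`\(?\b(\d{3})\)?[-. ](\d{3})[-. ](\d{4})\b`)
)

// ValidSSN applies the SSA's structural rules so that impossible numbers
// (common in test records and advertising) do not raise alerts.
func ValidSSN(area, group, serial string) bool {
	a, err := strconv.Atoi(area)
	if err != nil || a == 0 || a == 666 || a >= 900 {
		return false
	}
	return group != "00" && serial != "0000"
}

// Mask replaces every digit except the last four with '*'.
func Mask(s string) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
	if len(digits) <= 4 {
		return strings.Repeat("*", len(digits))
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// Sweep scans text line by line, reporting structurally valid SSNs and
// separator-formatted phone numbers in the order they appear.
func Sweep(text string) []Finding {
	var out []Finding
	for i, line := range strings.Split(text, "\n") {
		for _, m := range ssnRe.FindAllStringSubmatch(line, -1) {
			if ValidSSN(m[1], m[2], m[3]) {
				out = append(out, Finding{Kind: "ssn", Masked: Mask(m[0]), Line: i + 1})
			}
		}
		for _, m := range phoneRe.FindAllString(line, -1) {
			out = append(out, Finding{Kind: "phone", Masked: Mask(m), Line: i + 1})
		}
	}
	return out
}

// SampleDump is constructed input for this example; none of the values are real.
const SampleDump = `paste from a forum, constructed for this example
name: Jane Q. Sample ssn: 219-09-9999 phone: (555) 867-5309
test record ssn: 000-12-3456 and 666-01-0001 should be ignored
support line 555.010.0042, member id 77-12345`

func main() {
	for _, f := range Sweep(SampleDump) {
		fmt.Printf("line %d: %-5s %s\n", f.Line, f.Kind, f.Masked)
	}
}
```

Requiring a separator in the phone pattern trades some recall for precision: a bare ten-digit run (an account or subscriber number) is not reported, which keeps the alert stream usable. A production sweep would add other identifiers the page lists (addresses, birth dates) and would match against the subscriber's own enrolled values rather than reporting every identifier seen.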

Credit Card Monitoring

The lending institutions that issue credit and debit cards will usually monitor transactions and notify cardholders of suspicious activity. Credit card monitoring, as offered through an identity monitoring service, will monitor the Internet for fraudulent activity involving credit card and debit account numbers, PINs and other personal information in Internet hacker chat rooms and the dark web. Credit card monitoring looks at activity outside of the credit report and outside of activity monitored by the cardholder’s bank or issuing institution. As a result, it can detect fraud that may or may not make it to a credit report or be captured by the bank.

Recovery Assistance

Most services will not only keep you informed but help you resolve any suspicious activity. Features could include assistance from a credentialed professional. Some assistance features may only provide victims with next steps or resources, while others may actually take on some of the activities a victim must complete to rebuild his or her reputation. 47% of victims who spent 6-plus months fixing the issue(s) felt severe emotional distress vs. the 4% of victims who felt that way after resolving issues within 24 hours. Victims can limit the health and financial costs of recovery by using a protection plan that includes assistance from professionals who know how to get quick results.

Lost Purse or Wallet Assistance

Whether you misplace your wallet or it actually gets stolen, most identity theft protection services will help you contact the correct institutions and minimize the damage if a thief tries to use your stolen information. Despite the growing threat of malware and hacking, physical theft is still a problem, and 43% of physical theft happens at work.

Service Guarantee

Most companies have a service agreement that provides some sort of refund for customers if there’s a defect in the company’s service. New technological advances are made every day for security and thievery, so you need to make sure that a company will help you if its protection services can’t keep up with thieves’ new tricks.

Some identity theft protection services go above and beyond with the layers of security and assistance they offer, in addition to the commonly included products listed above. Some of those extra special features are:

Additional Databases

While most services monitor your personally identifiable information online or on credit reports, not all of them will monitor databases like criminal records and sex offender registries. Some companies charge extra for monitoring these additional databases. Thieves don’t just use your personal information to empty your bank account. Thieves will steal reputable citizens’ identities and use them as aliases when committing crimes.

Medical Fraud Assistance

Monitoring for medical fraud involves protecting insurance records from criminal use and assisting victims when a thief tampers with a victim’s medical history or racks up medical debt. The crime rate for medical identity theft increases by 32% each year, and more than $12.3 billion in out-of-pocket expenses were spent in the past year because of medical identity theft.

Tax Fraud Assistance

Products include giving victims an action plan and providing forms and contact information for working with the IRS. Services that actually do recovery work for victims must have certified tax specialists who are approved for working with the IRS on behalf of the victims. In 2014, the FTC’s 1.5 million fraud-related complaints revealed that consumers have paid a total of $1.7 billion because of fraud, and a third of those complaints were tax-related. Tax fraud could include IRS phishing schemes, phone scams and stealing taxpayers’ information to file phony tax returns and get their refunds.

Family Coverage

Protection plans may allow members to add family members to their plan; however, adding family members often comes with additional charges. When family members share accounts (e.g. bank, music, email), passwords, etc., everyone feels the consequences if one of them becomes a victim.

Other

Other pieces of your personal information that may or may not be included in the common types of monitoring: loan/lease information, driver’s license, computer security, bank account information, passports, etc. Thieves’ use of hacking, malware and social media has skyrocketed over the past few years. As fraudsters improve their tactics, they gain access to more and more information.

Each type of monitoring covers important information that could lead to serious damage if taken into the hands of a fraudster, and no one type covers everything. Likewise, each feature has importance, but they’re most effective when working together because they create sustainable, comprehensive coverage.

People need to make sure that their identity theft protection plan includes all the necessary data points with multiple types of monitoring, assistance and recovery features, so their information stays secure.

Questions on Massive Government Hack

True or false? There was no way the Office of Personnel Management could have prevented hackers from stealing the sensitive personal information of 4.1 million federal employees, past and present.

If you guessed “False,” you’d be wrong. If you guessed, “True,” you’d also be wrong.

The correct response is: “Ask a different question.” Serious data breaches keep happening because there is no black-and-white answer to the data breach quagmire. So what should we be doing? That’s the right question, and the answer is decidedly that we should be trying something else.

The parade of data breaches that expose information that should be untouchable continues because we’re not asking the right questions. It persists because the underlying conditions that make breaches not only possible, but inevitable, haven’t changed—and yet we somehow magically think that everything will be all right. And of course we keep getting compromised by a short list of usual suspects, and there’s a reason. We’re focused too much on the “who” and not asking simple questions, like, “How can we reliably put sensitive information out of harm’s way while we work on shoring up our cyber defenses?”

According to the New York Times, the problems were so extreme for two systems maintained by the agency that stored the pilfered data that its inspector general recommended “temporarily shutting them down because the security flaws ‘could potentially have national security implications.’”

Instead, the agency tried to patch together a solution. In a hostile environment where there are known vulnerabilities, allowing remote access to sensitive information is not only irresponsible — regardless of the reason — it’s indefensible. Yet according to the same article in the Times, the Office of Personnel Management not only allowed it, but it did so on a system that didn’t require multifactor authentication. (There are many kinds, but a typical setup uses a one-time security code needed for access, which is texted to an authorized user’s mobile phone.) When asked by the Times why such a system wasn’t in place at the OPM, Donna Seymour, the agency’s chief information officer, replied that adding more complex systems “in the government’s ‘antiquated environment’ was difficult and very time-consuming, and that her agency had to perform ‘triage’ to determine how to close the worst vulnerabilities.”

Somehow I doubt knowing that protecting data “wasn’t easy” will make the breach easier to accept for the more than 4 million federal employees whose information is now in harm’s way (or their partners or spouses whose sensitive personal information was collected during security clearance investigations, and may have been exposed as well).

A New Approach

The game changer — at least for the short term — may be found in game theory. In an “imperfect information game,” players are unaware of the actions chosen by their opponent. They know who the players are, and their possible strategies and actions, but no more than that. When it comes to data security and the way the “game” is set up now, our opponent knows that there are holes in our defenses and that sensitive data is often unencrypted.

Because we can’t resolve vulnerabilities on command, one way to change the “game” would be to remove personal information from systems that don’t require multifactor authentication. Another game changer would be to only store sensitive data in an encrypted, unusable form. According to Politico, the OPM stored Social Security numbers and other sensitive information without encryption.

This fixable problem is not getting the attention it demands, in part because Congress hasn’t decided it’s a priority.

The U.S. is not the only country getting hit hard in the data breach epidemic. The recent attack on the Japanese Pension Service compromised 1.3 million records, and Germany’s Bundestag was recently hacked (though the motivation there appeared to be espionage, according to a report in Security Affairs).

According to an IBM X-Force Threat Intelligence report earlier this year, cyberattacks caused the leak of more than a billion records in 2014. The average cost for each record compromised in 2014 was $145 and has increased to $195, according to Experian. The average cost to a breached organization was $3.5 million in 2014 and is now up to $3.8 million. More than 2.3 million people have become victims of medical identity theft, with a half million last year alone. Last year, $5.8 billion was stolen from the IRS, and the Treasury Inspector General for Tax Administration predicts that number could hit $26 billion by 2017.

If you look at the major hacks in recent history — a list that includes the White House, the U.S. Post Office and the nation’s second largest provider of health insurance — it would seem highly unlikely that a lax attitude is to blame. But a former senior administration adviser on cyber-issues told the New York Times about the OPM hack: “The mystery here is not how they got cleaned out by the Chinese. The mystery is what took the Chinese so long.”

During this period when our defenses are no match for the hackers targeting our information, evasive measures are necessary. I agree with White House Press Secretary Josh Earnest, who said, “We need the United States Congress to come out of the Dark Ages and actually join us here in the 21st century to make sure that we have the kinds of defenses that are necessary to protect a modern computer system.”

But laws take a long time, and we’re in a cyber emergency. The question we need to ask today is whether, in the short term, the government can afford not putting our most sensitive information behind a lock that requires two key-holders — the way nukes are deployed — or storing it offline until proper encryption protocols can be put in place.
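The post's two short-term remedies are to keep sensitive records only in an encrypted, unusable form and to put them behind a lock that needs two key-holders. The Go program below is an added example of what those two ideas look like in code; it is not from the page, OPM or any named vendor. Each sensitive field (here a placeholder SSN) is encrypted with AES-256-GCM and bound to its record identifier, so a stored blob is useless on its own, cannot be swapped between records and reports any tampering as an error. The data key is then split into two shares by a one-time pad (share A is random, share B is key XOR A), so neither custodian can decrypt alone. The `SplitKey`, `JoinKey`, `Seal` and `Open` names, the `employee:1001` record id and the sample SSN are assumptions for this example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// SplitKey splits a data key into two shares with a one-time pad. Each share
// on its own is a uniformly random string independent of the key, so both
// custodians must cooperate to reconstruct it (hypothetical dual-control scheme).
func SplitKey(key []byte) (shareA, shareB []byte, err error) {
	shareA = make([]byte, len(key))
	if _, err = rand.Read(shareA); err != nil {
		return nil, nil, err
	}
	shareB = make([]byte, len(key))
	for i := range key {
		shareB[i] = key[i] ^ shareA[i]
	}
	return shareA, shareB, nil
}

// JoinKey reconstructs the key from both shares.
func JoinKey(shareA, shareB []byte) ([]byte, error) {
	if len(shareA) != len(shareB) {
		return nil, errors.New("share length mismatch")
	}
	key := make([]byte, len(shareA))
	for i := range shareA {
		key[i] = shareA[i] ^ shareB[i]
	}
	return key, nil
}

// newGCM builds an AES-256-GCM AEAD; any other key length is rejected.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes (AES-256)")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one field and prefixes the random nonce. recordID is
// authenticated but not encrypted, so a blob moved to another record fails to open.
func Seal(key, plaintext, recordID []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, recordID), nil
}

// Open decrypts a blob from Seal. Tampering with the ciphertext, the nonce or
// the record binding yields an error, never silently wrong plaintext.
func Open(key, blob, recordID []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:ns], blob[ns:], recordID)
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)
	shareA, shareB, _ := SplitKey(key)
	record := []byte("employee:1001") // constructed record id
	blob, _ := Seal(key, []byte("219-09-9999"), record) // placeholder SSN, not a real number
	fmt.Printf("stored blob: %x\n", blob)
	_, err := Open(shareA, blob, record)
	fmt.Println("one share alone:", err)
	joined, _ := JoinKey(shareA, shareB)
	pt, _ := Open(joined, blob, record)
	fmt.Println("both shares:", string(pt))
}
```

The XOR split is the simplest two-of-two scheme; a deployment that needs any two of several custodians would use Shamir secret sharing instead, and in practice the shares live in separate key-management systems rather than in the same process as the data.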

Yet Another Data Breach in Healthcare

CareFirst BlueCross BlueShield stepped forward on Wednesday to disclose yet another major breach of a health care insurer, this one affecting 1.1 million people.

Hackers accessed a database to steal the names, user names, birth dates, email addresses and subscriber ID numbers of about 1.1 million current and former CareFirst customers and business partners.

The company said that no passwords were taken because those are encrypted and stored in a separate system, and that no Social Security numbers, medical claims or credit cards appeared to be compromised.

But Richard Blech, CEO of encryption company Secure Channels, was critical of CareFirst, saying the company trivialized what was hacked in the data breach.

“The data stolen is enough to ruin someone’s life,” Blech says. “Trying to mitigate the damage should not be the goal. Health insurance firms cannot ignore the responsibility to protect their customers.”

Dave Frymier, chief information security officer at Unisys, concurs. “Breaches like this can literally create life-or-death issues for consumers,” Frymier says. “If stolen health records are used to obtain care by a criminal, fraudulently purchased medical procedures are listed on the records of people who did not have the procedures. That can create critical medical issues in the future. Organizations seem to only invest in cybersecurity after they are attacked. Few seem willing to invest to prevent the attacks in the first place.”

Baltimore-based CareFirst is the third health care insurer to disclose a major data breach this year, following Anthem, which had the records of 80 million people compromised, and Premera Blue Cross, which saw data for 11 million people exposed.

Why is the healthcare industry being targeted by data thieves? The basic explanation is two-fold: The type of data that health care organizations amass – ranging from research work to patient records – has high value in the cyber underground; and the industry currently exhibits uniformly poor security policies and practices.

“Healthcare companies are prime targets for hackers,” says Greg Kazmierczak, CTO of data security vendor Wave Systems. “Not only should the database have been encrypted, but access to the database should have been protected by two-factor authentication. Without strong encryption and access management, expect medical fraud and identity theft to run unchecked.”

The question of the moment: How many more major data breaches will have to be disclosed before healthcare organizations move assertively to shore up security?

“It’s time for the healthcare entities to shift gears to modern data-security defenses and join their peers in other industries who’ve already learned how to mitigate these threats,” says Mark Bower, global product management director at HP Security Voltage.

The data breach was discovered after CareFirst retained forensics firm Mandiant to audit its security systems. Mandiant found evidence of access to a single database containing data originating from CareFirst’s websites and online services. Anyone who created profiles on the insurer’s website before June 20, 2014, was affected.

Other healthcare organizations are likely to conduct similar audits. Security experts predict that disclosure of other major hacks will be forthcoming, for some time to come.

“The medical industry as a whole has to up its game in security maturity, especially basics like patching, security controls and incident detection,” says Gavin Reid, vice president of threat intelligence at network security firm Lancope.

Ken Westin, senior security analyst at Tripwire, adds: “In general, healthcare organizations are not prepared for the level of sophistication associated with the attacks that are coming at them. As we saw with the recent tidal wave of retail breaches, attackers often take advantage of vulnerabilities that are endemic within an industry.”

In the meantime, the burden rests with the individual consumer to limit dissemination of personal data in the health care field.

“Share only with trusted providers that have a need to know,” Lancope’s Reid advises. “Be vigilant if you ever come across a medical bill in your name that covers services you didn’t receive – even if there is no associated bill or charge.”

Meanwhile, healthcare organizations need to embrace a security mindset from the board room to the patient room. Until that happens, data thieves will continue to plunder their employee, patient and partner data.

“Ongoing assessments and tests are critical to identifying areas of vulnerability before sensitive data is at risk, especially since many breaches aren’t obvious to the organization,” says Jay Schulman, managing principal at Cigital. “It’s not only about building effective software that adheres to compliance standards, but healthcare organizations also need to build security in so that applications and software can tell you when something is going wrong.”