28
Jun 18

Plant Your Flag, Mark Your Territory

Many people, particularly older folks, proudly declare they avoid using the Web to manage various accounts tied to their personal and financial data — including everything from utilities and mobile phones to retirement benefits and online banking services. The reasoning behind this strategy is as simple as it is alluring: What’s not put online can’t be hacked. But increasingly, adherents to this mantra are finding out the hard way that if you don’t plant your flag online, fraudsters and identity thieves may do it for you.

The crux of the problem is that while most types of customer accounts these days can be managed online, the process of tying one’s account number to a specific email address and/or mobile device typically involves supplying personal data that can easily be found or purchased online — such as Social Security numbers, birthdays and addresses.

Some examples of how being a modern-day Luddite can backfire are well-documented, such as when scammers create online accounts in someone’s name at the Internal Revenue Service, the U.S. Postal Service or the Social Security Administration.

Other examples may be far less obvious. Consider the case of a consumer who receives their home telephone service as part of a bundle through their broadband Internet service provider (ISP). Failing to set up a corresponding online account to manage one’s telecommunications services can provide a powerful gateway for fraudsters.

Carrie Kerskie is president of Griffon Force LLC, a company in Naples, Fla. that helps identity theft victims recover from fraud incidents. Kerskie recalled a recent case in which thieves purchased pricey items from a local jewelry store in the name of an elderly client who’d previously bought items at that location as gifts for his late wife.

In that incident, the perpetrator presented a MasterCard Black Card in the victim’s name along with a fake ID created in the victim’s name (but with the thief’s photo). When the jewelry store called the number on file to verify the transactions, the call came through to the impostor’s cell phone right there in the store.

Kerskie said a follow-up investigation revealed that the client had never set up an account at his ISP (Comcast) to manage it online. Multiple calls with the ISP’s customer support people revealed that someone had recently called Comcast pretending to be the 86-year-old client and established an online account.

“The victim never set up his account online, and the bad guy called Comcast and gave the victim’s name, address and Social Security number along with an email address,” Kerskie said. “Once that was set up, the bad guy logged in to the account and forwarded the victim’s calls to another number.”

Incredibly, Kerskie said, the fraudster immediately called Comcast to ask about the reason for the sudden account changes.

“While I was on the phone with Comcast, the customer rep told me to hold on a minute, that she’d just received a communication from the victim,” Kerskie recalled. “I told the rep that the client was sitting right beside me at the time, and that the call wasn’t from him. The minute we changed the call forwarding options, the fraudster called customer service to ask why the account had been changed.”

Two to three days after Kerskie helped the client clean up fraud with the Comcast account, she got a frantic call from the client’s daughter, who said she’d been trying her dad’s mobile phone but that he hadn’t answered in days. They soon discovered that dear old dad was just fine, but that he’d also neglected to set up an online account at his mobile phone provider.

“The bad guy had called in to the mobile carrier, provided his personal details, and established an online account,” Kerskie said. “Once they did that, they were able transfer his phone service to a new device.”

OFFLINE BANKING

Many people naively believe that if they never set up their bank or retirement accounts for online access then cyber thieves can’t get access either. But Kerskie said she recently had a client who had almost a quarter of a million dollars taken from his bank account precisely because he declined to link his bank account to an online identity.

“What we found is that the attacker linked the client’s bank account to an American Express Gift card, but in order to do that the bad guy had to know the exact amount of the microdeposit that AMEX placed in his account,” Kerskie said. “So the bad guy called the 800 number for the victim’s bank, provided the client’s name, date of birth, and Social Security number, and then gave them an email address he controlled. In this case, had the client established an online account previously, he would have received a message asking to confirm the fraudulent transaction.”

After tying the victim’s bank account to a prepaid card, the fraudster began slowly withdrawing funds in $5,000 increments. All told, thieves managed to siphon almost $170,000 over a six month period. The victim’s accounts were being managed by a trusted acquaintance, but the withdrawals didn’t raise alarms because they were roughly in line with withdrawal amounts the victim had made previously.

“But because the victim didn’t notify the bank within 60 days of the fraudulent transactions as required by law, the bank only had to refund the last 60 days worth of fraudulent transactions,” Kerskie said. “We were ultimately able to help him recover most of it, but that was a whole other ordeal.”

Kerskie said many companies try to fight fraud on accounts belonging to customers who haven’t set up a corresponding online account by sending a letter via snail mail to those customers when account changes are made.

“But not everyone does that and if the thief who’s taking advantage of the situation is smart, he’ll simply set up an online account and change the billing address, so the customer never gets that notice,” Kerskie said.

MARK YOUR TERRITORY

Kerskie said it’s a good idea for people with older relatives to help those individuals ensure they have set up and manage online identities for their various accounts — even if those relatives never intend to access any of the accounts online. Helping those relatives place a security freeze on their credit files with the four major credit bureaus (and with another, little known bureau that many mobile providers rely upon for credit checks) can go a long way toward preventing new account fraud.

Adding two-factor authentication (whenever it is available) and/or establishing a customer-specific personal identification number (PIN) also can help secure online access. For those who can’t be convinced to use a password manager, even writing down all of the account details and passwords on a slip of paper can be helpful, provided the document is secured in a safe place.

This process is doubly important, Kerskie said, for parents and relatives who have just lost a spouse.

“When someone passes away, there’s often an obituary in the paper that offers a great deal of information about the deceased and any surviving family members,” she said. “And the bad guys absolutely love obits.”

Eschewing accounts on popular social media platforms also can have consequences, mainly because most people have enough information about themselves online that anyone can create an account in their name and start messaging friends and family members with various fraud schemes.

“I always tell people if you don’t want to set up an online account for social media that’s fine, but make sure you tell your friends and family, ‘If you ever get a social media request from me, just ignore it because I’ll never do that,'” Kerskie advised.

In summary, plant your flag online or — as Kerskie puts it — “mark your territory” — before fraudsters do it for you. And consider helping less Internet-savvy friends and family members to do the same.

“It can save a lot of headache,” she said. “The sad reality is that criminals very often only need to answer two or three questions to commit fraud in your name, whereas victims typically need to spend hours of their time and answer dozens of questions to undo the resulting fraud.”

Tags: , , , ,

76 comments

  1. Great article. I hadn’t thought about my parent’s refusal to go onlilne…

  2. The Sunshine State

    Good article !

  3. Great article.

    Two factor identification is fine up to a point.

    I set up two factor with a major domain seller and then just forgot it. I changed my cell phone to a different number, so when I wanted to get into the account, it took two weeks because they slow walk everything through to change the two factor.

    • I recently changed phones and spent a bit of time ensuring all of my 2FA stuff (and I have it set up on a fair amount of accounts) was recoverable. Since I knew when I was getting the phone I added a secondary number where possible and temporarily killed it where that wasn’t an option. In some other cases I changed the method from an authenticator app to one time codes if SMS wasn’t possible. Then, once I got the new phone, I went back through everything and set whatever I had to make less secure (SMS) back to something more secure. It was a process but, in the end, I didn’t lose access to anything. Just something you need to keep in mind. And, like you say, it’s something you really, really need to remember.

      • Why would you change your phone# just because you got a new phone? Phone# portability is a real thing. Even if you change carriers you can keep your phone number. Since 2006 I’ve kept the same number in spite of 3 carrier changes and 5 phone upgrades. Your 2FA trevails are definitely a cautionary tale on the wrong way to get a new phone. Keep the number, not the phone or carrier. I’m keeping my phone# until death do us part.

        • It makes sense for a company to keep a number that’s in phone listings, on business cards, and the side of delivery trucks.

          But there’s no cost pressure for individuals to stay married to their phone numbers.

          Phone numbers are easy to change. It’s equally easy to inform the friends, family, and businesses who matter of that change.

          One could question your sanity for not changing your phone number. 🙂

          • Regularly changing phone numbers is a personal decision motivated by a lot of different things. Myself personally I don’t understand why people change there phone number or email address religiously and then complain about not having a lot of long term friends. Duh, you eliminated their ability to keep in touch with you.

            Anyway, both viewpoints needlessly consider the other viewpoint irrational.

            • Perhaps they don’t want “long term friends.”

              Or their friends are. . . you know. . . people. Not computer accounts.

              • yeah people have some strange attachment to a phone#… i have had probably 30-40 number in the past 20 years. But hey i also dont have FB or any social accounts… yet still have friends in the real life, weird!?

        • Even better, keep a virtual contact phone number (google voice for example) and change your actual phone number. Use 2FA on both accounts. The virtual number should be associated with an email account that is used only for that purpose. Firewall yourself, both physically and virtually.

  4. The examples in the article demonstrate the folly of using SSN for authentication. This fraud is the fault of the specific bank and business that used SSN to authenticate.

    It should not be necessary for everyone to “plant a flag”. It should be hard, really hard, to set up an on-line account.

    • As I have complained about before on this forum, there are scammers posing as “Staffing Companies” that get convince targets to give up SSNs. Combine that information with the use of SSNs as two factor and resume information, a lot of damage can be done to individuals.
      That is why Krebs and others like him should be warning people away from giving up SSNs or even partial numbers to ‘staffing compaines’ before face-to-face interviews take place.

    • KoSReader6000000

      I agree with vb

      Almost any bank or major site will try to get your phone number and your Social Security number. They both are usually closely associated. The SSN system must be altered are abandon with a safter system. Americans have a target on thier collective backs.

      In fact, I am not so sure about “planting your flag” everywhere with your real personal information willy nilly. That would seem to highly increase your attack surface. The plant your flag things seems to say any online banking and/or online anything should be signed up for no questions asked. Where does it end?

      Brian Krebs doesn’t advertise for every site and I am sure he doesn’t mean to do so but telling your grandpa, grandma, mother and father to sign up of on line banking and various other sites for purchases and social media with no boundaries and is kind of like a big advertisement.

      Other questions include: should the person use his real name, address, SSN and so in doing so? What are the necessary sites, and the necessary information give in this plant your flag projects.

      Is it 5 to 10 sites or 20 to 80 sites? What real data should be handed out to these sites? When spreading real SSNs and phone numbers when to we reach a point of safety and when do we go over the edge? The very real danger of spear fishing emails and fake popups and key loggers goes up the more sites were have.

      If anybody has an answer to how many sites grandma and grandpa should sign up for and the actual data to give these sites let us know.

      Shoring up your attack surface is good but there is a point where you may over enlarge and weaken your attack surface. What are the boundries of this plant your flag saftey thing?

      • The point is to “plant your flag” at the organizations where you already have an existing affiliation.

        For example:

        You shouldn’t go sign up (using a bunch of valid personal information) for an online account at a random bank where you have no existing affiliation.

        You should, on the other hand, sign up for online access to EVERY institution that 1) offers that access, and 2) that you already have an affiliation with – like the bank where you have a checking account, or the credit card company who issued your VISA card.

        Brian isn’t suggesting anything that could be characterized as “enlarging your attack profile.”

  5. There is a lot of personally identifying information found on a site called “familytreenow.com” I first read about the site in mainstream news sites (including the Washington Post). All a person has to do is enter a target’s name and they get all kinds of genealogical information as well as DOB and a list of past addresses the target has lived at. No credit card is required to get all that information. Without a credit card there is no record of a person looking up a target’s information (yes, experienced scammers use pre-paid debt cards that they buy with cash.).

    Those addresses are often used as security questions by credit reporting companies.

    https://www.washingtonpost.com/news/the-intersect/wp/2017/01/12/youve-probably-never-heard-of-this-creepy-genealogy-site-but-its-heard-all-about-you/

    I read on other news sites that Law Enforcement Officers are worried that they can be targeted since this “Genealogy” site includes their current addresses.

    • I frequently use familytreenow to supplement research when conducting investigations. There are a ton of these free and paywalled type of sites. Most of them have an opt out link that will allow you to have your name removed. It should be noted though that:

      1. You should check for various name spellings of your name.
      2. Also have the info of relatives removed as just removing your own info is not enough. You can still be found on these sites after removal indirectly through a relative’s info.
      3. Make sure you check for phone numbers to.

      While there are different places that you can pay to do this for you, it can be expensive and very limited as to the number of sites that they remove you from.

      A free way is to do it yourself. Here’s some info with direct links to most of these databrokers opt out page.

      https://www.worldprivacyforum.org/2015/08/consumer-tips-top-ten-opt-outs/

      https://www.stopdatamining.me/opt-out-list/

      And anything and everything at privacyrights.org

  6. myself have already been doing this for my elderly parents who are in their 80s. planting the flag before any bad guy does. my mom is always saying she rather do things the “old fashioned way”. but nowadays there are a lot of things that could fall through the cracks and potentially be taken over by the bad guys. so, plant your flag.

  7. Love the analogy!

  8. The crux of the matter is that it is on the person whose identity was compromised to provide proof innocence. The law should be such that when it is clear you are a victim of identity theft all of the the financial burden automatically falls on the institution that accepted the fake credentials. There should be no 60 days warning periods, banks should not be able to claim houses from people that are victims of mortgage fraught, the benefit of the doubt should go to the person who said “it was not me”. And any legal cost should be absorbed by the institution that accepted the fraudulent credentials.

    With this change in law we will suddenly see dramatic improvements in security procedures at most places.

    • The crux of the matter is that it is on the person whose identity was compromised to provide proof innocence. The law should be such that when it is clear you are a victim of identity theft all of the the financial burden automatically falls on the institution that accepted the fake credentials. There should be no 60 days warning periods, banks should not be able to claim houses from people that are victims of mortgage fraught, the benefit of the doubt should go to the person who said “it was not me”. And any legal cost should be absorbed by the institution that accepted the fraudulent credentials.

      Wrong. Very wrong. I the business don’t have capacity to absolutely vet your identity. The amount of identification I need for my customer should be reasonable to what I am selling. If I am a lender who is letting you open a credit card then I need better verification than if I am selling you a custom kitchen knife online. Changing the burden of proof allows a lot of manipulation by customers. Most businesses already work with their customers. If we changed this the large businesses would basically centralize all verification information. We already have major examples of the insecurity of centralized databases.

      This type of change will also cause an increase in prices because the amount of fraud committed by customers will increase a lot. I have worked in customer care. While I have sided with customers to credit unexpected charges I have declined to credit charges that I would have had to credit under your policy far more often.

      With this change in law we will suddenly see dramatic improvements in security procedures at most places.

      Not in a good way though. The solution will be centralizing customer verification. We already have enough examples of that being done wrong. You don’t provide an incentive for them to do it even adequately.

    • There ought NOT be a new law.

      Customers should do their due diligence before opening accounts and periodically reassess the accounts they already use for security vulnerabilities.

      As security conscious people, we should be helping our elderly relatives and ignorant neighbors with those assessments.

      Institutions ought to be shamed into closing vulnerabilities created by their desire to minimize their workforce by putting all this crap online.

      Victims of identity theft ought to be protesting at the offices of companies that made it easy to get ripped off.

      There are already laws regarding fiduciary responsibility and fraud. Identity thieves should be JOINED BY CORPORATE EXECUTIVES in jail for reckless disregard in the handling of customer data accessible on the Internet and poor stewardship of customer funds.

      And our civil courts should be filled with lawyers fighting for the pain and suffering of identity theft inflicted by identity theft and corporate greed and job reductions wrapped in the convenience of Internet portals.

      • I agree that cost recovery for identity theft is out of whack. I don’t have a good recommendation for solving that problem though.

        On the topic of automation equaling corporate greed. I disagree strongly there. The WordPress software that powers this site eliminated the need for a group of system administrators to manually edit the site to post a new article online. Our host, Brian, can do that by himself. He also doesn’t have to convert email replies into new comments on the site either. An old static website would require a team of a 3 or 4 people to maintain and they couldn’t do it as well as WordPress does.

        Automation is a major boon to the economy if applied correctly. Smaller staffing requirements at companies does make smaller businesses more competitive. Both in the sense of the larger company can “maximize” profit by downsizing and by giving the small business the ability to enter markets that used to require far more human capital to enter. Our host wouldn’t be able to operate as an independent writer without WordPress.

        To really simplify the problem with data portals. The portal operator must trust the identity of whoever shows up. People who say, I don’t want to give a site owner my information, but they want the site owner to prevent someone from impersonating them on the site are simply delusional. Identity verification removes anonymity, period.

        Way to many people equate privacy, data security, and anonymity.

        In many ways this debate parallels the debate about does the 4th amendment mean an expectation of security for my data or privacy of the data. If it means privacy then I loose that privacy when I share the data. However, my refusal to share the data means I can be impersonated. If the 4th means security, then I still have a reasonable claim to the data I shared with a third party. This allows for restrictions on who they can share the data with.

        Part of the discussion in the cell phone location data Supreme Court case was over is there an expectation of privacy or security according to the 4th amendment. We need to drop the privacy argument. Argue for security. Security is control.

  9. Ir has been my experience that brokerages take security way more seriously than banks. Since some of these brokerages have a captive bank, you really dont need a traditional bank these days. You should have some money in the market anyway. ETFs suggested for diversity, but that is another discussion.

    Once you establish that email account for the luddite, I suggest setting up alerts on credit card purchases. In a perfect world, these alerts would be geographically based. But alas, they are only trigfered by dollar amount. I obviously do this for myself as well.

    I really wish more fiancial institutions would accept Yubikey.

    • Alas geographically based alerts aren’t as useful as they used to be. Sites are letting criminals target victims in their vicinity to bypass a fraud detection based on location.

      Last time I had a CC stolen (Jimmy John’s breach from a couple years ago) the criminal purchased items from a gas station a few miles from where I work, then drove along a major highway stopping every 10 miles or so to buy more items, each time from a gas station, until they maxed the card. Apparently this kind of fraud is a common enough strategy in my area that my bank actually has an separate alert for purchases from gas stations.

      The Jimmy Johns store that got breached was only a mile or so away from the initial fraudulent purchase, so it was obviously close enough to my usual pattern to not raise any red flags.

  10. In the email Brian sent about this subject, he also included a short discussion about the futility of websites using CAPTCHAs. He also provided a link to a video that explains how easily CAPTCHAs can be bypassed. Unfortunately, the link he provided redirects to a Shape security company page and you are required to submit your first and last names, name of the company you work for, your job title and your work email address before you can view the video. Fortunately, Shape’s page accepted my totally phony (but plausible) personal information. It’s a pretty informative video although a little tech heavy. But it does a good job of showing exactly how easy it is for BOTs to bypass a CAPTCHA requirement.

    I enjoy Brian’s regular posts and articles, but I was a little put off by being given a link to an outside web page that asks for personal information before it allows you to view the content.

    • Dave, with all due respect, advertisers here help keep this content free to everyone. Asking for name and email is pretty basic stuff for white papers and videos. And as you discovered, none of them require you to be truthful.

      • Good answer.

        I despise sites with “pay walls”, and sites with obnoxious types of advertising. I use an adblocker but whitelist a few sites that I consider well worth it – and which use ads that are tastefully made and presented. This site is definitely one of those on the whitelist, and I know there are many others who do likewise for this site. Brian’s content is absolutely high-value, timely and accurate.

        • Seriously. This is one of the few sites out there I would happily pay to subscribe to.

          • I see there is a “donate” button on the web site. Or you could buy his book (no doubt Amazon etc. gets for $ than him). Better yet do a review of his book based on your knowledge of him. There seems to have been a smear campaign on it as of late, showing once more that he does have devious enemies.

          • patreon supporter

            brian: have you thought of doing patreon? would gladly do something like at least a $1 monthly subscription to support you. myself do patreon for a couple on my favorite creators on youtube.

        • @Steve

          Off topic for the article but addressing what appears to be your attitude that you are entitled to free quality content.

          If you don’t want to pay for content how do you expect people to put energy into providing quality content. You don’t expect people to provide you quality food for free, why should food for the mind be any different? I think the idea that content should be free is a driver of the race to the bottom for so much internet content.

          Brian’s site is free and I consider it a privilege to have access to it. However I would gladly subscribe to his site should he put up a paywall.

          • Paywalls require a mechanism to collect payments, maintain a customer database, deal with customer service, and limit views. These are not the things a self-employed, independent journalist would want.

            Also, paywalls attract stolen credit card payments and create a market for login credentials. Handling all this requires a large investment and constant management. They’re suitable only for large legacy media.

            Paywalls decrease page views in two ways.
            1, if the content sucks, no one will pay for it.
            2, if the content is great, few will pay for it, as great content will be written about on other sites, often the same day.

            Decreased page views = lower ad revenue. Period.

            Any site seeking increased revenue ought to stick to providing great, free content with unobtrusive advertising hosted on the same site. Do follow the example of Krebs and KOS.

            If you like his work, check out his advertisers. Buy his book. Make a donation.

            Paywalls and third-party advertising networks are symbols of dying media.

  11. I’m into genealogy. Yes, you can get all the SS records, birthdates,schools, pets cars driven, photographs, etc.
    Off the web. And, it’s worse then that, you can get right on down to the DNA. And, you don’t even have to be a member of a society to use the free sites. Oh yeah, there are free sites, that collect this data also. One of the best is wikitree. But worse yet. Guess who has the least accurate information on you, and you can get a free once a year report, and you cannot dispute the information to correct it? It took two years to correct bad address. On wikitree fifteen minutes to correct a place of birth to get it on screen.
    Which one asked me to verify who and why the information change was necessary?

    • The one who only assets are accurate data and their reputation for having accurate data. Not the one who gets paid to simply warehouse data.

    • I hate guessing. Just tell.

      • Wikitree.

        More people need to understand that have shifed to an attention based economy. By that I mean attention is the scarce resource. Not money, but time.

  12. A real wakeup call and another truly excellent article. It’s unfortunate that only people who are already tuned in will be reading this.

  13. Very eye opening. I’m always watching for fraud but this is not an area I’ve thought about before.

  14. I don’t have any social media accounts and my family already knows that I am a privacy “nut”. I do have online banking.

    I won’t use 2FA because companies insist they need my personal cell phone number or other information that I want to keep private. It should be a felony to use info provided for a 2FA in any database that is used for marketing.

  15. This all is going on in wich country ?
    Usa ? Perhaps canada and usa ??
    Uk use to be very attractive to the cyber thieves not anymore.
    After 2008 small economic crisis in uk banks improved security.
    In usa and canada best solution will be to start using offline password cards !!

  16. How is this the customers problem? Why is the customer forced to register because of lack of security by the company or government for the convenience of corporations? A more secure registration process would seem to be the solution.

    • I agree. So contact your congress reps to get that moving.

      Obviously corporations and government agencies aren’t doing it on their own, too convenient.

  17. I keep thinking “Luddites in the Headlights”… might be my new band name.

    @SeymourB, every credit card I have (both of them) have the “Gas station charge was made” alert configurable, based on the ease of pay-at-the-pump fraud. I had to explain to my daughter why she had a $2 charge from the SuperAmerica station sitting on her card two days later (fraud validation temporary hold). I was proud she has heeded my training and checks her account regularly AND set the alert (millennials! 🙂

  18. A lot of notifications by companies are done thru your cell phone.
    So what do they do when they encounter someone like me who is on another continent for two months at a time?

    • Forget about notifications. They’re a nuisance and don’t matter.

      All you need to check is your itemized statement every month and notify the bank in writing if you find an error, whether it’s due to fraud or clerical mistake. That’s it.

      Phone calls and text messages and app notifications and emails do not secure your rights. So don’t bother with them.

  19. Marking one’s territory is merely the first step, which must really then involve monitoring in some fashion with sufficient frequency and effectiveness to defend the integrity of said territory. Riding the fencelines (to make any repairs needed at any location or point in time they’re found) from the 1880s onward seems the apt historical analogy…

  20. Brian, this is something I’ve been telling people about for YEARS now. I’m surprised that this exploit isn’t spoken about more often. I strongly recommend the suggestions you posted and would like to also add that one start using non cell phone numbers that are not tied to anything other than for financial accounts due to sim jacking. I like the Burner App for this purpose as it’s able to accept SMS short codes. If set up correctly, using a prepaid cell phone account tied to an anonymous name, protonmail account and Visa gift card you can almost guarantee that no one will be able to crack your 2fa. I would also ask all of your financial and utility service providers to allow you to set up a verbal password.

  21. 2 factor not help !!
    Best solution will be password cards or pin calculators.
    But very big secret is that, fraud helps The feds to print more money.
    All fraud reinbursement will be classified as double money..
    As debt to person name who make fraud complaint.
    Such as person will be collateral himself.
    If there is no fraud in usa the usa economy will collapse today 100% fraud keeps this cpurresell to going on and on

  22. This is absurd. The number of agencies and accounts we must monitor in order not to be ripped off keeps growing with no sign of stopping. This is because of laziness and perhaps colllusion of the politicians that make the laws. The law should place the burden of knowing who they are disbursing funds to squarely on those doing the disbursing. If they get it wrong, they should refund all improperly disbursed funds, and a penalty, perhaps 10x the damages. If they have to have tissue samples and a DNA scan before issuing the money – so be it. It’s their duty to know who is their customer and who is a thief.

  23. The NCTUE website now offers online security freezes. However, in 2 of 3 attempts to use it, it was out of service.

  24. Yeah, this is basically the go-to excuse for a lot of folks I encounter that “Hate computers”.

    “I never go online or do any of my banking or anything online- so I’m okay!”

    And your article here makes most of the same points I’ve made to those people.

    Being ignorant of something isn’t going to protect you. Being “uninvolved” in it doesn’t stop you from being affected by it.

    And the person who brought up Equifax makes an excellent point- as well as bringing up the perfect case-in-point.

    Did any of us WILLFULLY provide all that information to Equifax? Were we involved in that collection? Did we have to be?

  25. Brian, I’ve left messages for you at several sites but you haven’t responded . I totally understand that you probably don’t have the time to do paid private consulting but will you recommend someone else? I have a nephew who was diagnosed with two conditions that are damaging his liver. Primary sclerosing cholangitis has no treatment or cure and he’ll need a liver transplant. Mason is 15 and was diagnosed five years ago. I use the Internet and online accounts constantly to pay for and manage his care. I don’t have a secure network and don’t know what security measures I should be implementing. I’m overwhelmed by all the information! I’m terrified of the consequences of being hacked. Thank you so much for any advice you can give me.

    Sherry Dixon

    • Contact the closest college. Ask for their information technology or computer science department. Or ask if they have a computer club.
      You can even try a high school technology advisor.

      Or your local library. Or community center. Or adult education classes at the local vocational board.

      Each can point you to a local resource for your tech questions.

      Additionally, you can contact your closest business association or chamber of commerce for referrals about professional technology services.

      The doctors you deal with didn’t set up their computers slone. Ask who did their technology arrangements.

      If you contact the manufacturer/salesperson of your computer, they may have classes, as well.

  26. Pinoy channel

    That’s really worth sharing and wonderful. keep it up Man.

  27. “So the bad guy called the 800 number for the victim’s bank, provided the client’s name, date of birth, and Social Security number, and then gave them an email address he controlled.”

    And the bank just accepted it without confirming it through a contact method it already knew to be good, or in person? You’re lecturing people on security, and you just let that pass? None of the pieces of information the thief gave is a valid proof of identity. (Dammit, I remember when you needed more than that to open an account at Blockbuster.) Accepting them as such without positive confirmation is reckless in the extreme, breathtakingly so, and the bank should have been held liable for the entire loss. No excuses.

    “The sad reality is that criminals very often only need to answer two or three questions to commit fraud in your name.”

    Indeed. And that is the problem, not people who mistrust online interactions. The failure of incompetent businesses to take security seriously is not the fault of their customers.

  28. Smart and clever people know that world economics will crash soon, old system will disapere soon, thats why they take as much is possible from the old order.
    Coz when there is new world there will be nothing about old anymore max time 2 years and everything will be collapsing.

  29. This is why I don’t like it when people say we don’t need a general data protection law here in the U.S., because “you’re agreeing to the terms of service, so you use the Internet at your own risk.” Everyone uses the Internet now whether you like it or not, if you do refuse the TOS, you’re just letting others use the Internet on your behalf. No one can reasonably opt out, and any one person is essentially powerless before Google/AT&T/etc., so there needs to be regulation to protect the consumer.
    This needs to be said over and over until companies and the government cannot just brush it off.

  30. i’d still recommend NOT to create or enable an online account what with all the burden of setting up a secure password, enabling 2FA, making sure to periodically update the information, blah, blah.

    the real problem here are the companies (ISP, bank, etc.,) who never validates the new account. they should validate by calling the actual, live person themselves and speaking to them to verify if they are the actual owner. there is a lot you can tell when talking to a person.

    physical security plays a big role here to prevent identity theft.

    • So, the thing is, if you don’t create/enable it, someone else will FOR you.

      Someone will show up with enough identifying information about you to make an account in your stead and ride it like a stolen clown car.

      Again- to be TOTALLY clear: you can create it yourself- and deny the identity thief the space to plant his flag, or you can leave that space wide open.

      Your choice.

Leave a comment