Social Engineering Expert Quoted in CSO Article

Quoted from the original CSO Online story:

Social engineering stories: The sequel

Two more social engineering scenarios demonstrate how hackers still use basic techniques to gain unauthorized access, and what you can do to stop them

By Joan Goodchild, Senior Editor
May 27, 2010 —

John Sileo, an identity theft expert who trains on repelling social engineering, knows from first-hand experience what it’s like to be a victim. Sileo has had his identity stolen—twice. And both instances resulted in catastrophic consequences.

The first crime took place when Sileo’s information was obtained from someone who had gained access to it out of the trash (yes, dumpster diving still works). She bought a house using his financial information and eventually declared bankruptcy.

“That was mild,” said Sileo, who then got hit again when his business partner used his information to embezzle money from clients. Sileo spent several years, and was bankrupt, fighting criminal charges.

Now that he has come out of it all innocent, he spends his time helping organizations train employees to recognize what social engineering and identity theft techniques look like.


“I’m trying to inspire employees to care about privacy,” he said. “If they don’t care about it at a human level, they are not going to care about the company’s privacy policy or IT security. You’ve got to get it at a primal personal level.”

Sileo ran through some memorable social engineering scenarios he’s heard during his years as a security lecturer. The first is taken from his upcoming book


If you are serious about training your staff on social engineering scams, fraud detection and protecting your business from a costly data breach, start with the items above and then bring a professional social engineering expert to your next meeting or conference. Email us for more information or contact one of us directly on 800.258.8076.

Identity Theft of H&R Block Customers | Sileo Group

The number of identity theft victims rose 22% last year! Although it’s important to always protect your identity, tax season makes people more vulnerable to this crime and you should be especially cautious.

H&R Block Identity Theft

A recent article in the New York Times uncovers an H&R Block office in the Bronx that was infiltrated by identity thieves (apparently it was not the only office affected).

Last year, Kevin Johns, a construction worker in the Bronx, did his taxes at the H&R Block store on Riverdale Avenue that he had used for the past 20 years or so. The next day, though, he got a call from the tax preparer: his return was rejected because he had already filed. Or at least, someone had filed in his name. That someone helped himself or herself to an $8,499 refund.

Sharon Hawa, a disaster-relief coordinator with the Red Cross and another longtime customer at the same office, had a similar experience. Ms. Hawa said she went to have her taxes done, only to be told that someone had already e-filed her taxes and collected $6,145.

Both Ms. Hawa and Mr. Johns said they were told by police detectives investigating their cases that at least 20 customers of the branch and possibly many more had been robbed by identity thieves who were very likely H&R Block employees. Both said the fraudulent filers used their previous year’s adjusted gross incomes as proof of identity.

Top Tips for Tax Time Identity Theft Protection

Safe Preparation

Your greatest risk of identity theft during tax season comes from your tax preparer. In this case it was because they were dishonest, but sometimes it is because they are careless with your sensitive documents. Just ask yourself how easy it would be for your tax preparer or anyone in their office to walk off with a few client folders containing mounds of profitable identity data. Here are a few effective solutions:

Choose your preparer wisely

How well do you know the person and company preparing your taxes? Did they come personally recommended, or could they be earning cash on the side by selling your personal information? Do they have an established record, and are they recommended by the Better Business Bureau? Don’t be afraid to ask for references.

Interview your preparer before you turn over sensitive information. Ask them exactly how they protect your privacy (do they have a strong privacy policy?). Are they meeting with you in a room full of client files, or do they take you to a neutral, data-free, conference room or office? Do they leave files out on their desk for the cleaning service to access at night, or do they lock your documents in a filing cabinet or behind a secure office door? Do they protect their computers with everything listed in the next section?

Asking professional tax preparers these questions sends them a message that you are watching. Identity thieves tend to stay away from people they know are actively monitoring for fraud. Remember, losing your identity inside of their accounting or bookkeeping business poses a tremendous legal liability to their livelihood. In the H&R Block case, it also means a huge loss of clients due to a damaged reputation.

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.


Top 5 Reasons Corporations Educate Employees on Identity Theft

Why do corporations care (and spend money) to educate employees about protecting personal identity?

After all, most businesses are profit-driven and only have time and resources to concentrate on initiatives that affect their bottom line. In effect, that is the answer to the question…

Businesses educate their employees and even their end customers on identity theft because it positively affects the corporation’s bottom line (by lowering the costs of data theft). Here’s how organizations benefit:

  1. Minimizing employee downtime. Serious individual cases of identity theft can take up to 600 hours in recovery time. Because banks and creditors are generally open when employees are at work, the employees are forced to recover on company time. Even if they only spend 40 hours during work recovering, this is a huge cost to the company. Roughly 10% of households will have to recover from identity theft at least once this year.
  2. Personal privacy leads to professional privacy. How can corporations expect employees to care about the sensitive information they handle every day (customer data, employee records, intellectual capital) if the employees don’t first respect their own private data? As employees discover how much their identity is worth, they are far more likely to protect the data they handle at work as if it were their own. After all, they begin to understand that next time it might be their identity that is stolen from a corporation.
  3. Corporate data breaches are expensive. Smart corporations understand that safe data is profitable data. Just ask TJX, a company that lost somewhere in the neighborhood of 94 million customer identities (far above what they initially reported) and could spend up to $1 billion recovering from the data breach. Not only are they being sued by customers, but by credit card companies and banks whose customer data has been compromised. Add to this the costs of providing a year’s worth of credit monitoring for every affected individual (a maximum of 94 million X $10 per month X 12 months), the damage it has done to their brand (almost everyone has seen this on the news), the hit taken by their stock and the thousands of hours spent in damage control, and you can see why investing in prevention is wildly inexpensive compared to recovering from a corporate data breach. And corporate prevention begins at the personal, employee level.
  4. Safe and happy employees are good employees. I have found that many corporations out there truly care about the quality of their employees’ lives. In addition, many of them hire me simply because they understand that safe and happy employees are more loyal to the corporation, speak well of the company, remain longer in the organization and drive more business. These companies consider their employees’ financial health to be as vital as their physical health, and it pays off over the long run. Identity theft poses the highest risk to their workers’ financial health.
  5. Educated customers cost less. I often speak to the end customers of corporations (e.g., the clients of a bank, the customers of a financial planner) who improve their security dramatically even when they just follow the basic recommendations in my ID Theft Tool Box. When a bank customer knows how to prevent identity theft, they are far less likely to become a victim and therefore less likely to lose money for which the bank is ultimately responsible. When someone steals your identity and drains your bank account, the bank generally covers the cost. If your identity is never stolen in the first place, neither you nor the bank has the expense.

If you feel that your organization would benefit from increased awareness about personal and workplace privacy, learn more about bringing in an Identity Theft and Social Networking Expert. You can also order your employees the Identity Theft Prevention and Recovery Workbook – All Privacy is Personal – and help them protect your company and your bottom line today!


John Sileo became one of America’s leading Social Networking Speakers & sought after Identity Theft Experts after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer and the FDIC. To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076.

Electronic Information Privacy – Securing Your Job: Part II

As we discussed in Electronic Information Privacy – Securing Your Job Part I, if you are an employee at a corporation, association, university or small business, you must realize that protecting electronic information and organizational data is vital not only to your company’s profitability, but for your job security.

Here is a crash course on how to promote information security within your company. The most effective way to build a Culture of Privacy is to break it down into 3 simple steps (most corporations skip the first step, dooming them to failure):

1.    Motivate the Individual. Train yourself, your employees and executives on how to protect identity and company information first. Learning the basic principles of privacy at an individual level is a prerequisite for all subsequent forms of data security, and supplies the necessary motivation to apply the same habits at work. Each employee needs to overcome their own apathy, ignorance and inaction before they are equipped to protect corporate assets. By making it personal, your executives and employees acquire the building blocks necessary to construct a corporate Culture of Privacy. Electronic information privacy training is good for their wellness, and is a means to a safer and more profitable end.

2.    Empower the Team.  One employee alone does not have the authority or resources to act. By empowering cross-departmental teams (who already understand privacy at a personal level) with the authority and resources to focus on low-hanging security fruit (e.g., laptop computers, document shredding, wireless surfing), you make immediate progress and win crucial organizational buy-in. In contrast, organizations with a Regime of Privacy tend to force data security into a silo (e.g., “It’s the I.T. Department’s responsibility” – see statistics in Part I), never taking into account the vital role played by legal counsel, compliance officers, the CFO, human resources and even facilities maintenance. In a Culture of Privacy, the team is integrated, and the results are more enduring.

3.    Lead by Example. There is nothing that undermines a Culture of Privacy faster than an employee or executive team that doesn’t practice what they preach. A CEO who surfs unprotected in the airport or refuses to invest in desk-side shredders will send a hypocritical message echoing throughout the corporation: “privacy doesn’t really matter, we’re just going through the motions.” In the same manner, a CEO who appoints some form of Chief Data Protection Officer but doesn’t supply the vision, budget or authority to make it happen, is the same CEO whose data breach catastrophe shows up on the front page of the Wall Street Journal.

For example, once you have learned to properly shred sensitive documents at home, it is much easier to apply a more sophisticated form of shredding at work. Individuals and business leaders who know how to protect themselves from identity theft on a personal level, will be more knowledgeable and prepared to protect their company’s electronic information from data breach on a business level.

“Give a man a fish and you feed him for a day. Teach a man to fish and you feed him for a lifetime.” – Lao Tzu

John Sileo became America’s leading Information Privacy and Identity Theft Speaker after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer and the FDIC. To further bulletproof yourself and your business, contact John directly on 800.258.8076.

Electronic Information Privacy – Securing Your Job: Part I

Electronic information privacy will eventually be one of the criteria on your job performance review. In fact, it’s not just electronic data that you should be concerned about, but all data. If you are an employee or executive at a corporation, association, university or small business, you must realize that protecting organizational data is vital not only to your company’s profitability, but to your job security. If it isn’t right now, it will be soon.

As a company employee or business leader, it is essential that you clearly understand the relationship between identity theft, data breach and your bottom line. One of the costliest data security mistakes I see executives make is that they initially approach data privacy from the perspective of the company. They don’t recognize the following reality: All privacy is personal. It’s not electronic information privacy. It’s not physical data privacy. It’s personal.

In other words, many people in your organization won’t care about data security, privacy policies, intellectual property protection or data breach until they understand what it has to do with them. If employees and executives don’t care about protecting their own identities (to prevent identity theft), how can you expect them to care about protecting corporate identity (to prevent data breach)? Like the emergency oxygen masks on a de-pressurized airplane, you’d better put your own on first or you’ll be worthless to those around you. Protecting yourself first isn’t self-centered; it’s effective and educational. Information Privacy Training begins at the human level and expands outwards to the group level. And it is not technical by nature.

This foundation of belief, despite and possibly contrary to the onslaught of information privacy acts, is clearly lacking among C-Level corporate executives. Look at the key findings of the Ponemon Institute/Ounce Labs study, Business Case for Data Protection, which surveyed C-Level executives about information privacy inside of their corporations (emphasis mine):

•    82% of the C-Level executives surveyed said that their organizations had experienced a data breach and many of them are positive they cannot prevent a repeat performance
•    53% of the CEOs surveyed said that the CIO is responsible for data protection, yet only 24% of the other C-Levels would point to the CIO as the one responsible for data protection overall
•    85% of those who are said to be in charge of data protection don’t believe that a failure to stop a data breach would impact their job

In other words, C-level executives know that a breach has already happened, are fairly certain it will happen again, know that they are unprepared to stop a recurrence, and yet they can’t clearly identify who will be held responsible, nor do they feel that they will be held accountable when the inevitable happens. At this stage, building a Culture of Privacy is mostly bluster, as is electronic information privacy.

According to Ponemon, the average organizational cost of one data breach to a company was almost $6.7 million in 2008. The negative effects on our bottom lines are what will give this topic traction, not any one privacy information act. The question is, how many data breaches can one company sustain, and how many does it take to get them to respond? Information privacy, electronic and otherwise, is vital to your company and in turn, your job security.

My next post will discuss some of the steps to take to make sure your company isn’t one of the victims in 2010.

John Sileo became America’s leading Information Privacy and Identity Theft Speaker after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer and the FDIC. To further bulletproof yourself and your business, contact John directly on 800.258.8076.

Protect Yourself Against Mail Fraud

The reality is that unsecured, curbside mailboxes are prime targets for people who are intent on committing the crime of identity theft. Although I would suggest to stop using the mail to send and receive identity documents, this is not always possible. Therefore, here are alternative suggestions:

Lock Box. Install a locking mailbox that can be accessed only by you. These generally have a mail slot that allows the postal service to put mail into the box. Many newer neighborhoods already have some form of locking mailboxes.
P.O. Box. If a locking mailbox is not possible, get a P.O. box at your local post office and have sensitive documents sent there. It is a little bit more work, but gives you much more privacy.
In Person. When mailing sensitive documents, walk them into the post office and hand them to a postal worker. If it is after hours, drop the mail through an internal slot in the building. If there is no internal mailing slot, mail it the following day. This cuts out the most vulnerable stages of mailing.
UPS/FedEx. Have identity documents sent by UPS or FedEx and make sure that you require a signature for delivery. This makes the information harder to steal, and you can track its location at any time, which will alert you if the document isn’t delivered in a timely manner or is diverted somewhere else.
Send Checks to the Bank. Have sensitive documents (like new checks or credit cards) sent to your bank rather than to your home address. Pick them up there.
Watch for Cards. When new credit cards are coming through the mail, watch for them and call the credit card company if they don’t arrive in 7 to 10 days.
Quick Retrieval. If you are unable to install a locking mailbox and don’t have access to P.O. boxes, retrieve any mail within an hour or two of delivery. This lowers the exposure time of your mail.

According to the Identity Fraud Survey Report by Javelin Strategy & Research, 8% of all known identity theft is committed by mail fraud and the misuse can last for up to 175 days. But mail fraud is very difficult to catch, which means that the numbers are probably significantly higher. Just by protecting your mail against Identity Theft you can reduce your chances of becoming a victim by at least 8%.

John Sileo became America’s leading Identity Theft Speaker & Expert after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer and the FDIC. To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076.

Uncovering Business Identity Theft

While the majority of identity theft schemes prey upon individuals, small businesses and organizations are increasingly becoming targets. Business identity theft is a serious threat, but it mostly flies under the radar simply because companies are embarrassed to discuss it.

Although most companies are protected by copyright, patent and trademark laws, smaller companies lack the stronger IT security measures that large companies have. According to recent studies by Javelin Strategy & Research, this makes them 25% more likely to be victims of business identity theft than larger businesses. Not only do small businesses and business owners typically have larger lines of credit open than an individual, but they are unlikely to detect the fraud for six to eight months, making them a prime target.

Business Identity has not been completely defined yet, but it definitely has been stolen. California has become the leader in offering identity rights to organizations and in 2006 they expanded the definition of ‘person’ in identity theft laws to include associations, organizations, partnerships, businesses, trusts, companies, and corporations. These types of amended laws have proved to deter business identity theft and provide greater assistance to those companies that have been hit.

Most commonly, criminals assume the name of a business, rent out office space in the same building and order everything from corporate credit cards to hundreds of computers and other equipment. In one instance the culprit billed a law firm for $70,000 in purchased equipment, hired a moving truck and disappeared from the building before the fraud was ever detected. This has been not only costly, but time-consuming. If businesses had the same protection as individuals, this would have been quickly resolved and the victims would have moved on. Credit card companies have also followed suit and begun to remove the distinction between business identity theft and individual identity theft.

The lack of publicity on this type of identity theft is solely due to a lack of reporting by companies. Businesses are required by federal law to notify consumers whose personal information has been hijacked, but not to report when their business identity has been stolen. In order to save face, most business owners would rather not own up to such a breach, to avoid looking like the pawn in a criminal’s scheme. Without incentives and assistance for a company that has experienced this type of transgression, there is little reason for them to come forward.

Until businesses and their owners come forward to help uncover business identity theft, there will be fewer laws in place to deter criminals and small businesses will remain vulnerable.

For more information on this issue check out BusinessWeek.

John Sileo provides identity theft training to human resource departments and organizations around the country. His clients include the Department of Defense, Pfizer and the FDIC. To learn more about having him speak at your next meeting or conference, contact him by email or on 800.258.8076.

Biometric Identity Theft: Stolen Fingerprints

Identity Theft is a huge and growing problem. According to the recent 2009 Identity Theft Fraud report by Javelin Strategy & Research, victims increased 22% in 2008 to 9.9 million. When businesses are involved, the companies face billions of dollars in theft, millions of dollars in fines and, perhaps most important, the loss of customer trust.

The large impact that identity theft has on individuals’ lives and corporations’ bottom lines has made inexpensive biometrics look attractive for authenticating employees, customers, citizens, students and any other people we want to recognize. The most recent debate is on whether the pros outweigh the cons. (To see some of the materials that influenced this article, please visit George Tillmann’s excellent article in Computerworld.)

Biometrics uses physical characteristics, such as fingerprints, DNA, or retinal patterns, to positively verify individuals. These biological identifiers are electronically converted to a string of ones and zeros and stored on file in the authenticator database.

The downside or weakness of biometrics is that the risk of data breach remains relatively the same. Just as a credit card number can be stolen, the numbers that make up your biometrics and are stored in a database can be stolen. It may take longer for thieves to understand how to use these new pieces of information, but they will eventually be used.

Ultimately, this could be more dangerous than having your ATM PIN, credit card number, or Social Security Number stolen, and it will take longer to clear up. In a worst-case scenario, someone inside of the biometric database company could attach their fingerprint to your record — and suddenly they are you. The reverse is also true, where they put your fingerprint in their profile so that if they are convicted of a crime, the proof of criminality is attached to your finger.

What will stop thieves from electronically sending your stolen fingerprints to your bank to confirm that you really do want to clean out your bank account through an ATM in Islamabad? Fingerprints, when stored in a database, are nothing more than long strings of numbers. What will you do when your digitized fingerprints wind up on a government No-Fly list? If you think it takes forever to board a plane now, wait until every law enforcement agency in the free world has your fingerprints on file as a suspected thief or, worse, a terrorist.

The reality is that biometrics could be a great alternative for securing one’s identity – and they are quickly becoming a part of everyday identification. But we can’t go forward into the new world of biometrics thinking that it solves all of our problems. Like the “security codes” on the back of our credit cards, like the two forms of authentication required by most banks, like wireless encryption standards – thieves eventually find work-arounds. And so too will they work around biometrics. If we implement biometrics without doing our due diligence on protecting the identity, we are doomed to repeat history — and our thumbprint will become just another Social Security Number.

John Sileo became America’s leading Identity Theft Speaker & Expert after he lost his business and more than $300,000 to identity theft and data breach. His clients include the Department of Defense, Pfizer and the FDIC. Contact John directly on 800.258.8076.
