Posts

How to Protect Your College Student from Identity Theft on Campus

Five tips for better data and device  security habits at college

This fall, roughly 19.9 million college students will attend colleges and universities in the United States, and about 12.5 million of them will be under the age of 25. 

For many young adults, college isn’t just a transition to higher education, it’s a transition to living on their own and taking responsibility for their own finances, digital identity, credit score and banking information — all of which are critically important components of future success and security. 

As I wrote about back in 2010, College-Bound Students Are Vulnerable as Identity Theft Targets. So, parents, as you perform the ritual of shopping for dorm room supplies and stocking up on merch at the college bookstore, you should also be guiding your child through some key processes of establishing credit and safeguarding against identity theft on campus. I say guide because it’s tempting for parents to do the work themselves, but now is the time to step away from the snowplow and let your child learn to shovel their own road. In fact, it’s a good idea to start the process while your child is in high school.

Establish Credit

Educate your kids about starting to establish credit so they have it when they go to rent an apartment or buy a car. One of the simpler ways to do this is to have them apply for and use a student credit card with a small amount of credit. During this process (and any process like it), there are a series of security and privacy decisions that come into play. 

  • A great deal of personal information is collected, analyzed and sold by companies that prey upon naive college students. Make sure that, when applying, your child opts out of all information sharing possible. The minute or two spent changing the default settings (reading and unchecking the marketing and privacy boxes) will save the proliferation of their data down the road. 
  • Teach them to create a long and strong password (preferably with a password manager) that is unique on every website. 
  • Register for automatic account alerts when a sizeable amount of money is transferred, deposited or due so they have a daily view of their balances and activity. 
  • Have them turn on two-factor authentication to eliminate a majority of account takeover by cyber criminals. 
  • Teach them to monitor and reconcile their accounts monthly. 

Freeze Credit

Once your student has opened a credit card account, they should freeze their credit with the three primary credit bureaus: Equifax, Experian and TransUnion. This simple and free step is one of the greatest ways to protect their data and their future buying and credit power. 

Be Street Smart

Aside from protecting their cyber identity, students need to take precautions to protect their physical identity and important documents. 

  • Have sensitive physical documents (bank, legal, personal, FAFSA, applications, etc.) sent to a permanent address (e.g., parents’ home).
  • Leave your Social Security card, passport and other documents in a permanent, off-campus location (e.g., parents’ home in a fireproof and waterproof box or a bank safe deposit box).
  • Shred any important financial documents that come in the mail and never leave sensitive mail lying out.
  • Always lock your dorm room door and don’t leave devices unlocked or unattended in a gym locker, the library or a classroom.
  • Check for unusual devices added to ATMs that might be skimming card info.
  • Always cover the keypad with your hand when entering your PIN, whether at an ATM or a retail store.

Secure Devices

Make sure your student has long and strong passwords on their phones, tablets and laptops and that they don’t share them unless absolutely necessary. There are more than 100 privacy and security settings on the average phone; students need to take the time to customize them and lock down their data. 

Watch this video on How to Bulletproof Against a Stolen Smartphone

Here’s a detailed list of how to secure devices at college.

  • Don’t leave your laptop in an unattended car or in a public place (library, dining room, classroom).
  • Register your laptop with campus security if possible.
  • Install laptop tracking software (e.g., Find My iPhone, Lojak) and enable Find My iPhone on the device.
  • Spend time locking down the privacy and security settings on your smartphone — you won’t believe what you’re giving away for free and how damaging it can be.
  • Don’t store personal information (SSN, passwords, etc.) in unencrypted files or insecurely in the cloud.
  • Securely back up your files on a remote hard drive or a trusted cloud provider (iDrive, iCloud, Carbonite) in case your data is lost or frozen by ransomware.
  • Lock your phone screen with at least a 6-digit passcode — the longer, the safer.
  • Be mindful of malware and ransomware “updates” from untrusted sources.
  • Be suspicious of communal workstations in dorms, libraries, etc. Never log in to websites with usernames and passwords unless you’re certain the computer is secure and won’t save your information.
  • Turn on automatic computer operating systems, software and mobile app updates.
  • Encrypt your laptop (Apple: FileVault, Windows: BitLocker) and smartphone (by using a strong password).
  • Don’t take or store sensitive or embarrassing photos on your devices, as they are commonly exposed by hackers, friends or former girlfriends and boyfriends.
  • Invest in strong security software with anti-virus, spyware and ransomware protection, even if you own an Apple.
  • Don’t discard or sell old devices without professionally wiping them of all data and removing or erasing all SIM cards.
  • Don’t insert strange storage devices (i.e., USB drives) and only insert such devices from friends or administration after scanning them for viruses.

Be Social Media Smart

According to Pew Research, in 2018, 90% of adults between 18 and 24 used the YouTube app, 76% used Facebook and 75% used Instagram. Our kids are spending a lot of time on social media, and all those platforms are collecting data — and selling it to advertisers. Unfortunately, cyber criminals are also accessing that data and using it to commit crimes or simply selling it on the dark web.

The default setting on social media platforms is to share everything, so students should start by un-defaulting their privacy settings. This one action will put them in the top 1% of savvy social media users. This blog post from last year explains the 6 Ways Your Facebook Privacy Is Compromised. Beyond that, teach your child to be careful about who they friend and what they share on social media. 

You can find more tips on how you and your student can lock down social media accounts, as well as how to protect student data and devices on campus, in The Data Privacy & Security Checklist for College Students  (PDF).

As you send your child off to college this fall, arm them with the knowledge and power to keep their identity safe — in both the real world and online. Most importantly, let them know that it’s okay to ask for help from you, the university or a trusted advisor.


About Cybersecurity Keynote Speaker John Sileo

John Sileo is an award-winning author and keynote speaker on cybersecurity, identity theft and tech/life balance. He energizes conferences, corporate trainings and main-stage events by making security fun and engaging. His clients include the Pentagon, Schwab and organizations of all sizes. John got started in cybersecurity when he lost everything, including his $2 million business, to cybercrime. Since then, he has shared his experiences on 60 Minutes, Anderson Cooper, and even while cooking meatballs with Rachel Ray. Contact John directly to see how he can customize his presentations to your audience.

BREACHED! Customer Data from Quest Diagnostics & Lab Corp

Within just a few days of each other, both Quest Diagnostics and Lab Corp, two of the largest blood testing providers in the nation, warned that millions of their customers might have had information breached. In both cases, customers may have had personal, financial and medical information breached due to an issue with the American Medical Collection Agency (AMCA), a billing collections service provider used by both companies.

Between August 1, 2018, and March 30, 2019, someone had unauthorized access to the systems of AMCA. Quest reported that the affected system stored information on roughly 11.9 million of its patients. In addition, LabCorp numbers could be up to 7.7 million customers.

“(The) Information on AMCA’s affected system included financial information (e.g., credit card numbers and bank account information), medical information and other personal information (e.g., Social Security Numbers),” Quest said in a filing with securities regulators. AMCA did not have access to actual lab test results.

Change Your Behavior After the Breach

If you, like pretty much EVERYONE I know, have used either of these services, follow the steps below to protect yourself against future attacks.

  1. Assume that your identity has been compromised. If you have been a customer of either company, don’t take a chance that you are one of the very few customers that aren’t affected. It’s not time to panic; it’s time to act.
  2. Read the explanation of benefits statement from health insurers to confirm that your charges are correct.
  3. I recommend placing a verbal password on all of your bank accounts and credit cards so that criminals can’t use the information they have from the breach to socially engineer their way into your accounts. Call your banks and credit card companies and request to place a “call-in” password on your account.
  4. Begin monitoring your bank, credit card, and credit accounts regularly.
  5. Visit AnnualCreditReport.com to get your credit report from the three credit reporting bureaus to see if there are any newly established, fraudulent accounts set up. DON’T ONLY CHECK EQUIFAX, AS THE CRIMINALS HAVE ENOUGH OF YOUR DATA TO ABUSE YOUR CREDIT THROUGH ALL THREE BUREAUS.

Take Action on Your Accounts

  1. Change your passwords. We hear all the time about stupid things people do when it comes to creating passwords; the most commonly used passwords in the United States for the past several years include “123456”, “password” and some variation like “password1234”. The bottom line is it is nearly impossible to effectively create and remember all the passwords we need to function in our daily lives. It seems there are two ways people handle this. They continue to use the same (usually poor) passwords over and over, or they do what I highly recommend and use a password manager program.
  2. Enable two-step logins. Two-step logins are when two separate passcodes are required to log in to one of your online accounts. One of the most common and popular forms is called text verification, and I’m sure you’ve already experienced it. That’s where you log in to your online account with your regular username and password, and then a secondary passcode is sent to your phone by text or even better, through an App like Google Authenticator. Without that second passcode, no one gets into the account.
  3. Set up account alerts. To monitor accounts quickly and conveniently, sign up for automatic account alerts when any transaction occurs on your account. As a result, if you spend even a dollar at a store, you receive an email or text notifying you of the purchase. If you receive an email for an amount you didn’t spend – bingo – you’re probably a victim of fraud.
  4. MOST IMPORTANTLY, FREEZE YOUR CREDIT. Some websites and cybersecurity experts will tell you to place a fraud alert on your three credit profiles. I am telling you that this isn’t strong enough to protect your credit. Freezing your credit puts a password on your credit profile so that criminals can’t apply for credit in your name (unless they steal your password too). Here are the credit freeze websites and phone numbers for each bureau. Learn more about freezing your credit by watching the video here.

Contact Credit Companies

Equifax Credit Freeze
P.O. Box 105788 Atlanta, Georgia 30348
Toll-Free: 1.800.685.1111

TransUnion Credit Freeze
Fraud Victim Assistance Department P.O. Box 6790 Fullerton, CA 92834
Toll-Free: 1.888.909.8872

Experian Credit Freeze
P.O. Box 9554 Allen, TX 75013
Toll-Free: 1.888.397.3742


John Sileo loves his role as an “energizer” for cyber security at conferences, corporate trainings, and industry events. He specializes in making security fun so that it sticks. His clients include the Pentagon, Schwab and many organizations so small (and security conscious) that you won’t have even heard of them. John has been featured on 60 Minutes, recently cooked meatballs with Rachel Ray and got started in cyber security when he lost everything, including his $2 million software business, to cybercrime. Call if you would like to bring John to speak to your members – 303.777.3221.

Beware Disaster Scams in the Wake of Hurricane Harvey

Identity thieves prey on those who are most vulnerable. You may be in the process of cleaning up your lives, but predators running disaster scams may want to clean up on you by stealing your valuable private information.

As we learned from Hurricane Katrina and Superstorm Sandy, one of the most despicable side effects of a natural disaster is the massive increase in reported cases of identity theft in the affected areas. Thieves take advantage of those who are vulnerable, and those who have suffered flooding, wind damage and the effects of the storm are more vulnerable than ever. Imagine how devastating it would it be to apply for a line of credit to help your family recover from the storm only to find out that your entire net worth now belongs to a thief.

Here are some of the highest priority actions for victims of Hurricane Harvey to take once they have taken care of their immediate safety needs.

Secure your personal information immediately.  Clean-up crews will be heading to the area. MOST are good-hearted volunteers, but some are coming with the intent of looking for physical clues to help them steal identities.  In your distress, you may not even know what to think of.  Be sure you’ve accounted for:

  • Social Security cards, statements or related documents
  • Birth certificates, passports and drivers licenses
  • Wallets, purses, checkbooks and boxes of extra checks
  • All financial records, including bank, brokerage, mortgage, credit card, and insurance
  • All digital devices containing sensitive information, including laptops, computers, smartphones, iPads, etc.

Beware of people offering “help” falsely using recognized names like FEMA or Red Cross.  Organizations like this will never contact you; the only time they ask for money or any personal information is after you have contacted them.  The key here is to be skeptical if anyone is asking for your personal information, even as part of emergency relief. Ask enough questions that you can verify who they are, their intentions and their credibility. Do not just give away information in exchange for a promise (e.g., “This is how you will get a reimbursement from the government”). Make sure they are who they say they are.

As a side note, for those of you who are not disaster victims but want to help, the same rule applies: you should contact the agencies.  Don’t fall for phone solicitations or pleas via email that may lead you to fraudulent websites. One key to look for is “.org” that most non-profits use rather than “.com” in the address.

Beware of fly-by-night contractors offering cheap or quick repairs.  To protect yourself, check on the business.  Make sure they have a permanent business address, carry insurance, and have been in operation for more than a year.  Very importantly, get a written contract before you give out any money!

Place a Fraud Alert on Your Credit File. Immediately place a Fraud Alert with all three credit-reporting bureaus (listed below). This is only a temporary solution, but a necessary step. Once the water has receded, consider freezing your credit.

Order & Monitor Your Credit History. By law, you are entitled to one free report from each agency once a year. The easiest way to get a report is to visit AnnualCreditReport.com or call 1-877-322-8228. You can also request your first report when you are placing a Fraud Alert on your account in Step 1, above. Review your credit report for signs of theft or fraud. If you discover irregularities (accounts you never opened, loans that aren’t yours, credit cards you don’t recognize), contact the credit bureau immediately to report fraud, as well as the company listed in the credit report.

Monitor Your Statements Online. Half of the battle in minimizing identity theft is catching it quickly after it happens. Online bank, credit card and brokerage statements will allow those with Internet access to monitor and detect suspicious transactions on a daily basis. If you have access to the Internet, check your bank, credit card and investment statements to make sure that you recognize every transaction.

Resist the temptation to click on photos from questionable sites.  We are a society that thrives on sensationalized images.  However, some of those dramatic photos we want to know more about are infected with malware.  Stick to legitimate news sites and be especially wary of links on social media sites.

Remember to make safety a priority in every area of your life as you work your way through this trying time.  Our hearts are with you.

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

5 Steps to Stop Lost Wallet Identity Theft

How to Protect Your Lost Wallet or Purse against Identity Theft

In a panic that your lost wallet or stolen purse might lead to identity theft?  Take a deep breath and then take the First 5 Steps to Stop ID theft. First, you need to understand that a lost wallet or purse is one of the most concentrated sources of identifying documents. For now, assume that your lost or stolen wallet or purse will be used to exploit your identity. Sometimes, even when your missing item shows up unexpectedly, the damage has already been done by a clever thief who is simply returning your valuables so that you don’t suspect further theft and shut down your accounts. Don’t take any changes. Instead, take these first five steps (adapted from my Identity Theft Recovery Guide):

1. Inventory Your Lost Wallet or Stolen Purse from Memory

Want us to walk you through the entire recovery process with quick videos, easy forms and expert advice as you go? Click on the Recovery Guide and get started before your wealth evaporates.

The first step is to identify exactly what was in your purse or wallet.  If you haven’t photocopied everything, start making a list and add to it over the next few days as you remember more.  Here are some of the highest risk items:

Checks/checkbook*, Cell phone or smartphone, Keys, garage openers, Credit cards, debit cards, ATM cards, Drivers license, Student ID cards, Military ID cards, Medical ID cards, Auto insurance, Social Security card*, Loyalty cards, Bills to pay, Passport*, Library cards, Birth Certificates, Receipts, Passwords, PINs*, Child/Parent InfoWork ID…

* You should NEVER carry these items with you unless absolutely necessary for a certain occasion.

2. Make Immediate Calls & Log Conversations

The next step is to make calls regarding missing items and keep a log of all correspondence. The sooner you properly shut down these accounts, the less you will lose. (See Video or Identity Theft Recovery Guide)

3. Protect the Sensitive Data on Your Mobile Devices 

If you have taken any preventive steps to protect your mobile device, such as remote tracking and wiping, don’t hesitate to remotely erase your mobile device. It is a digital treasure trove of personal identifying information. If you haven’t already implemented remote tracking and wiping on your cellphone, do so now. (Step 4)

4. Change Passwords on Affected Online Accounts

If you carried any information regarding your online accounts in your lost wallet or bag (especially on a smartphone or tablet that was stolen too), immediately change passwords on all relevant online accounts. A single mobile phone can have multiple logins for banks, investment brokers and numerous financial institutions. I highly recommend utilizing a password protection software to encrypt and protect your numerous passwords.(Step 5)

5. File a Police Report

In order to draw a line in the sand (any crimes committed in your name or money taken out of your accounts that happens after the police report are easier to defend, should it be required.) As discussed in the Guide, filing a police report can be difficult, so attempt to submit it online before trying in person. (Step 8)

In total, there are 31 unique steps for you to consider during the recovery process, including filing victim and police reports, locking criminals out of your credit, taxes and medical benefits, as well as defending your online accounts, children’s identity and safeguarding your financial investments.

John Sileo is the award-winning author of four books on identity theft, including The Identity Theft Recovery Guide. John delivers keynote speeches to conferences and companies that don’t want to end up as the next data breach headline. His clients included the Department of Defense, Pfizer, Visa and Homeland Security. Watch John keynotingon Rachael Rayor through the eyes of his clients.

 

Latest Tax Scams "Target" Data Breach Victims

It’s no surprise that identity theft once again tops the “Dirty Dozen” tax scams put forth by the IRS for 2014.  They warn that if an identity thief has access to your personal information, such as your name, Social Security number or other identifying information, he or she may use it to fraudulently file a tax return and claim a refund in your name.  Think of the implications for the 110 million victims of the recent Target data breach as well as victims of the hundreds of other breaches at other retailers, universities, healthcare providers, government agencies and so on.

KrebsOnSecurity reports that the information from the Target breach alone has reportedly flooded underground black markets and cards are being sold from around $20 to more than $100 each.  This data is being sold in hundreds of online “stores” advertised in cybercrime forums.  A fraud analyst at a major bank was able to buy a portion of the bank’s accounts from such a store.

The twist this year is that telephone scams are being linked to the breaches as well.  There are many variations, but most involve criminals contacting a victim saying they are from the IRS and that money is owed.  They know the victim’s personal information such as Social Security numbers (from the stolen breach data), so it is very convincing.  They may demand payment be sent immediately, threatening anything from arrest to driver’s license revocation if non-compliant.

Then here’s the kicker, there is often a follow up call supposedly from the local police department or the state motor vehicle department (with realistic numbers on the caller ID using a “spoofing” technique) to scare the victim into action even more.  So far victims in nearly every state have fallen prey to this scheme to the cost of more than $1 million.

To read more about the characteristics of these scams and how to avoid them or get help if you think you’ve been a victim of this hoax, visit the IRS website.  In the mean time, remember what IRS Acting Commissioner Danny Werfel said in a press release: “Rest assured, we do not and will not ask for credit card numbers over the phone, nor request a pre-paid debit card or wire transfer.”

Also remember to guard well your personal information.  This tax scheme is just one example of how obtaining your personal information from one source makes it easier to socially engineer you in another way.  Be wary to be on the safe side!

John Sileo is an an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.