Tag Archive for: John Sileo

Travel Safety Tips Part 3

Welcome to the third (and longest!) part of our four-part series on travel safety. We’ve covered “Planning Your Trip” and what to do “Before You Go”. Today we’ll go through the many important things to consider while you’re “On the Road”. Be sure to check back tomorrow for our final installment of what to do “When You Return”.

Travel Light:  If you don’t have to take it with you, increase your safety and leave it at home.  This includes:

Checkbooks: Do not carry checks or take only one or two for an emergency, placing them with your cash in your money belt. Checking account takeover is one of the simplest crimes to commit and one of the most devastating types of financial fraud from which to recover. The easy alternative? Use a credit card or cash.

Debit cards: You can reduce your vulnerability to having your checking account plundered while on vacation by leaving all debit cards (check cards) at home. Don’t be fooled into thinking that Debit/ATM cards are safe just because they have a PIN or password. Be aware, too, that debit cards don’t have the same financial fraud protections as most credit cards.

The Solution? Actually, you have two! You can get a nameless, travel-only ATM/debit card with a 4-digit PIN from your bank. Or you can ask your bank for an ATM-only debit card (it won’t work in stores, only at an ATM) and make sure your PIN isn’t seen by roaming eyes when you are at the ATM.

Better yet, use a credit card or cash.  The exception to this is when you are traveling in a foreign country and your debit card is the most efficient way of obtaining cash from an ATM.

Excess credit cards:  Every piece of identity you take with you creates more avenues for potential fraud. I recommend that if you are traveling with another adult, you each take one credit card. (If possible, take cards from two different credit card companies. That way, you each carry only one card that can be lost or stolen, but you have a backup card if the other person’s card is lost, stolen or shut down because of fraud).  Make sure that your credit card company knows the dates and places you are traveling so that they don’t shut it down when charges are made out of town. Also, make sure you have a large enough credit line to cover your purchases while traveling. You can ask for a phone number you can call from overseas if your card doesn’t list one. The 800 number on the back of your card might not work outside the U.S.

Social Security card: It is not necessary to have your Social Security card while traveling (or at any time other than your first day of work with a new employer), so leave it locked up at home.

Bills: Don’t try to take bills to pay while traveling. Instead, schedule all payments before you go.

Identity Documents: Leave birth certificates, passports (unless travelling internationally), library cards, receipts, etc. at home while you travel. Anything you don’t absolutely need should be left at home locked in a fire safe. If you can travel with only a credit card, driver’s license and health insurance card (as long as it doesn’t have your SSN on it), you will be much safer.  Also, don’t put all of your info on your luggage.  A last name and phone number will suffice.

Boarding Passes: Tear up and throw away used boarding passes (or shred if you can). Those boarding passes so many of us leave behind in airplanes or hotels often contain full names and other personal information.

Excess digital gadgets: The more gadgets you bring, the more potential for theft.  Keep it simple.

Guard your devices

Passcodes: Smartphones and tablets carry as much information as laptops. Turn on the auto-lock passcode to keep others out of your data. Also make sure that your laptop has full-disk encryption enabled (BitLocker for Windows, FileVault for Mac), protected by a long, strong, alphanumeric password.

Public Access Internet Facilities: While using your laptop to access online banking or other password-protected services over Wi-Fi, be sure the Wi-Fi hotspot is secure. If you’re using a public computer in a hotel business center or cyber-cafe, never access any sensitive information: key-loggers (software that records your keystrokes) may be tracking you. Better yet, set up tethering between your mobile phone and your tablet or laptop so that you are surfing over your own connection.

Ask for Privacy: Instead of leaving oodles of data exposed in your hotel room (a major source of theft), hang your privacy sign on the door and let house cleaning know that you do not want to be disturbed. Lowering traffic lowers risk.

Have a plan for a stolen phone: Enable your phone’s GPS locator and “wipe” function (if available). Many phones have a setting you can switch on that helps you locate the phone via GPS if it’s stolen. Similarly, the “wipe” feature will let you wipe your data clean if it’s stolen.

Social Media:  Turn off your location settings and try to refrain from gloating about your glorious trip by posting pictures until you’ve returned safely home.

Use the hotel safe

I can’t emphasize enough the importance of using the in-room safes that are now a part of almost every hotel room. They are easy to use and significantly increase traveling safety (decreasing theft by cleaning staff and other travelers). In addition to your traditional items such as jewelry or extra cash, use them for:

All important devices: your laptop, cell phone, tablet, iPod, thumb drive, etc.

Passports: Unless you are traveling in a country where it is mandatory to keep your passport with you at all times, lock it up in the safe the whole time you are staying at the hotel.

Other Identity Documents: Store your plane tickets, receipts, and any other identity documents (birth certificates, extra credit cards, visa, etc.) in the safe when not in use.

Beware of scams

Hotel credit card scam: The way this typically works is that while you are sleeping, you receive a call “from the hotel’s front desk”. The pleasant “night clerk” informs you their system has crashed and they need your credit card number to complete a night audit. Do not give them your information over the phone. If they don’t relent, walk down to the desk!

Message about fraud: If you get a phone call or e-mail about suspicious activity on your card, call the customer service number on the back of your credit card instead of automatically calling back the number on the message.  That’s a common ploy by ID thieves to capture personal information. If the call was legitimate, you will be connected to the appropriate department.

Other Time-tested Tips

Mind the Lions at the Watering Hole: Increase your awareness in airports, hotels, conferences and restaurants.  Remember, where there is a crowd, there is a pickpocket, just waiting for you to be too busy with your camera or map to notice their activities. Be on the lookout also for untrustworthy passengers on the plane, especially shoulder surfers who watch you enter login credentials, PINs, credit card numbers and other personal data on your laptop, smartphone or tablet in the hopes of catching something they can use later to steal your identity.

Carry it Safely: I recommend carrying all of your identity documents (passport, credit card, driver’s license, tickets, etc.) in a travel pouch that fits around your neck or your waist (and inside of your clothing). It is a minor inconvenience, but it lowers instances of pickpocketing and unintentional misplacement. Thieves have unbelievably nimble fingers that can slip into your pocket or purse undetected, so here’s an essential habit to cultivate: just before you leave your hotel room (especially in cities), verify that your money pouch is securely fastened around your waist or neck, under your clothes.

Use a Backpack: When possible, carry laptops and other large identity-storing items in a backpack that stays zipped and on your back at all times. It is easy to set down a purse, book bag or piece of luggage while at a ticket counter or retail store. Backpacks, on the other hand, are easy to keep on our person at all times, and are harder to break into without alerting the wearer.

Watch Your Cards: When paying with a credit card in a restaurant, try to keep your eye on the card. If the server removes it from sight, they may be able to create a “clone” by using a portable card skimmer that will copy the information from the card’s magnetic strip. Many restaurants are now able to process the card at your table or you can take it to the register and observe the transaction.

ATMs: Use your “ATM Only” card (one that requires a PIN and does not carry a Visa or MasterCard logo) at ATMs found at banks or credit unions in well-lit areas. Examine the ATM carefully for signs of tampering, and be on the lookout for anything that looks suspicious. Save all transaction receipts in a specific envelope to make it easy to reconcile your bank statement when you arrive home.

Use a Dedicated Travel E-mail Address: I shake my head every time I see messages arrive from overseas via work e-mail accounts. If someone gets access to your work e-mail account, the amount of damage they could do to your livelihood is inestimable. Certainly there are times when you need to log in to your work account, but you will want to use caution in the extreme at those times.

My suggestion is to use a personal e-mail address when possible while traveling, one at which you store no sensitive information and at which a fake log-in won’t be disastrous, and communicate from that e-mail address exclusively. On occasion you will see addresses like johndoetravelemail@gmail.com; this travel-exclusive e-mail method can work quite well.

If you’re not using Bluetooth, turn it off: Some thieves can “hack” into your phone through Bluetooth, so if you’re not actively using it, turn it off!

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Travel Safety Tips Part 2

This is part two of our four-part series on travel safety.  Yesterday we covered “Planning Your Trip” and in the next few days we’ll discuss “On the Road” and “When You Return”.  For today, we’ll look at steps to take after your trip is planned, but before you go.

Photocopy the contents of your wallet/documents: Or make a list of all the contents and all your travel documents to carry with you in a protected place as you travel. It’s also a good idea to leave a copy at home with a trustworthy person whom you can contact. It will save you hours of frustration if anything is lost or stolen.

Protect your accounts: Place a travel alert on your credit card accounts so the bank will know why charges from some lovely resort are suddenly showing up. You can also freeze your credit so no new accounts can be opened while you are away. Finally, turn on automatic account alerts on your credit card to easily monitor all transactions (via smartphone) without having to look at statements.

Hold the Mail: Your mailbox is an identity jackpot. Before you leave, place a “postal hold” on your mail so that your mailbox isn’t susceptible while you are gone. Arrange with your post office that you (or your spouse) are the only people allowed to pick up your mail. Don’t have it “mass-delivered” the day after you return, as this puts everything at risk all at once. Instead, pick it up at the post office once you return.  (Hold your newspaper, too, so you’re not publicizing that no one is home.)

Social Networking Sites: Don’t post your “Going on Vacation” status on your social networking sites just as you wouldn’t tack a note about it to your front door. Broadcasting this news opens the door to criminals using that information while you are away. Think twice about anything you share on social networking sites.

Secure your home: Of course you will lock all your doors and secure your windows, but make sure you also check your office and other places where you might have identity-rich information sitting around. Store all important documents and items, maybe even your external hard drive with all of your files backed up on it, in a locked safe. 


Travel Safety Tips Part 1

Today I begin a four-part series on travel safety to protect your identity before, during and after your trip. I’ve tried to make this series comprehensive for all stages of travel. Today we’ll cover Planning Your Trip, to be followed in days to come by Before You Go, On the Road and When You Return.

While you may be aware of the basics, the lists in these blogs show you how to think like the criminals think.  Be proactive and outwit them at their own game!

Use a legitimate agency: Verify the business you are booking your trip through. If you are going to use a travel agency or online booking company, make sure they are authentic first. Go online and do your research – if people have been swindled before by the company, the Internet is the first place they will go to vent. You can even ask the company for references so you can check up on some satisfied customers. Also, investigate the travel company with the Better Business Bureau (www.bbb.org) and the attorney general’s office in the state where the company does business (www.naag.org).

Read everything carefully before you sign: Sometimes there are concealed fees or clauses where they can change the airport you are flying into or out of without telling you – even up to 100 miles away!  Make sure you know the airline and hotel before signing. This way you can confirm their legitimacy. Feel free to contact them and make sure that this is a great deal.

Always pay with a credit card: Reputable credit card companies allow you to dispute fraudulent charges so that you are not held liable for the money. If the company requires you to pay with cash or check or money order, GO SOMEPLACE ELSE! Legitimate travel companies will let you use a credit card.

Make sure you get EVERYTHING in writing: If your unbelievable deal does turn out to be a rip-off, you will need something to show the credit card company in order to dispute the charges.

If it sounds too good to be true, then it probably is: If they are offering you a flight to Mexico that is regularly $500 for $100, then chances are, it’s a scam. While there are great ways to book your hotel + flight + food + drink together to save money, most don’t offer an 80% discount!  Don’t be afraid to try a website like TripAdvisor.com to do some background investigation.

Buy directly from the companies themselves: This includes airline, hotel, transportation, tickets, etc. Many times the actual companies promise the cheapest possible fare on their own website (United does this, for example). Even if it does cost you a bit more, you will sleep better at night knowing that your trip is booked and confirmed.


Top Tips to Stop Tax-time Identity Theft – Part 1

Part 1 – Tax Preparers (https://sileo.com/top-tips-for-tax-time-security-peace-of-mind-part-1/) | Part 2 – Protecting Computers | Part 3 – IRS & Tax Scams

Tax season can be a stressful time of year for individuals and business owners alike, especially those who fail to plan in advance and then sacrifice focus and performance as they race to meet the filing deadline. But that stress is nothing compared to the potential destruction of your financial reputation brought on by tax-time identity theft. And tax-related identity theft is on a precipitous rise.

An audit published on July 19, 2012 by the U.S. Treasury Department found that the IRS paid fraudulent tax refunds to identity thieves worth a total of $5 Billion in 2011. The study also predicted that the IRS (and therefore you, as a taxpayer) will lose an estimated $21 Billion to fraudulent claims over the next five years. Tax-related information is the Holy Grail of identity theft because it contains virtually every piece of information, including a Social Security number (SSN), that a fraudster needs to defraud you.

Tax-related identity theft affects individuals in a couple of ways:

  1. Refund fraud. In refund fraud, an identity thief illegally uses a taxpayer’s name and SSN to file for a tax refund, which the IRS discovers after the legitimate taxpayer files. The legitimate taxpayer is then forced to spend time and money proving her innocence, setting the record straight with the IRS and protesting fines and penalties assessed because a refund was given where taxes were potentially owed. According to an article in the Wall Street Journal, “The National Taxpayer Advocate, an IRS watchdog group, got 55,000 requests for help with tax-identity theft in 2012.  The group has seen a 650% rise in the number of identity theft cases it handles since 2008.  And the IRS since last year has doubled to 3,000 the number of staffers working on such cases.”
  2. Employment fraud. In employment fraud, an ID thief uses a taxpayer’s name and SSN to obtain a job. When you as the employer report income for the employee to the IRS, the legitimate owner of the SSN appears to have unreported income on his or her return, leading to enforcement action.

There are steps that you can take that will minimize your chances of being affected by this growing crime. It is your responsibility to protect not only your own tax-related information, but also the sensitive data you handle on behalf of your business, employees and customers if you work in a job that requires you to handle such data.

This is the first of a three-part series in which we’ll provide you with practical checklists to help prevent tax identity theft and/or deal with it once it’s happened.

Today’s Tax-Time Identity Theft Tip: Choose a security-minded tax preparer.

Your greatest risk of identity theft during tax season comes from a surprising source: a dishonest or disorganized tax preparer. Ask yourself (and your preparer) these questions:

  • Does your tax advisor have an established track record and years of satisfied clients? Google them to find out.
  • When you visit your tax preparer’s office, are client files well protected? Do they leave tax-related folders in the open for the cleaning service to access, or are they locked in a filing cabinet or secure office? Do they meet with clients in a neutral, data-free, conference room?
  • Have you interviewed them on how they protect your private data, whether or not they have a privacy policy and if they provide employee data security training?
  • Have you expressed your desire that they take every precaution to protect your data? Asking professional tax preparers these questions sends them a message that you are watching!
  • Is your tax preparer working on a secured computer, network and Internet connection?
  • When filing W-2/W-3 and 1098/1099 tax forms, have you obtained them from a reputable source to make sure that they aren’t fraudulent?

Tax Time Identity Theft: Part 2 – Protecting Computers | Part 3 – IRS & Tax Scams

John Sileo is an author and highly engaging speaker on internet privacy, identity theft and technology security. He is CEO of The Sileo Group, which helps organizations to protect the privacy that drives their profitability. His recent engagements include presentations at The Pentagon, Visa, Homeland Security and Northrop Grumman as well as media appearances on 60 Minutes, Anderson Cooper and Fox Business. Contact him directly on 800.258.8076.

Beware Cyber Security Grinches & Holiday Scams

Video: https://www.youtube.com/watch?v=gERBwp1o-yE

‘Tis the season to receive holiday scams in your email, on your Facebook page and via text. But you won’t be singing tra la la la la if you click on links that install malware on your computer! More and more of us seem to be conducting our holiday shopping online, and the cyber security Grinches are taking advantage of this new-found holiday convenience. There are several varieties of holiday scams that seem to come around each year.

The first red flag might be the Subject line of the email: “Order Confirmation”, “Acknowledgement of Order”, “Order Status”, “Thanks for Your Order”, “Problem With Your Order”, “Delivery Failure”, “Canceling Your Scheduled Delivery”, etc. It may tell you that an order is ready for you and you just need to click on the link to get the information about how to redeem it. Or, it may play on your fear of not getting a package out before Christmas and say you haven’t provided a correct address – this is a fear-based holiday scam.

Holiday scams usually appear to come from well-known companies, are VERY realistic looking and even use actual logos.

Once you click on the link, however, malware is installed on your computer that may gather email credentials, credit card data, logins and passwords in addition to making your computer a magnet for junk mail. It can also deploy a scanning technology that uses your computer to scan websites for vulnerabilities and then hack them!

Cyber Grinch or Real Deal? How to Tell the Difference…

If you do receive an email, scammy or otherwise, even if you did indeed order from that store, follow these steps:

  1. DO NOT CLICK ON ANY LINKS IN THE EMAIL!
  2. Instead, open your web browser and type in the merchant site and log in to your account (which you had to establish to order from them).
  3. If the email you received was about a legitimate order, the merchant will have given you an order or reference number which you can type into their website to verify activity.

In other words, verify that the email is legitimate by going directly to the site; don’t depend on the email. If for some reason you did click on a link that brought you to a website, make sure that you don’t click any more times on that site, and don’t fill out any information that they might be requesting.

(For more solutions to common scams related to the holidays, or really, all year long, check out our entire 12 Days to a Safe Christmas blog series.)

When not protecting readers around the holidays, John Sileo is an award-winning author and keynote speaker on identity theft, cyber security, internet privacy & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Video: https://www.youtube.com/watch?v=B1st4gzcdLs

Android Flashlight App Shines Light on Your Data

Android flashlight apps harvesting your data for marketing & cyber crime.

You LOVE that flashlight app you have on your smartphone, right?  Whether you’re in that dark restaurant with a size 2.5 font or wanting to share your love at a concert or finding your keys in your purse…you wonder, how did you ever live without it?

Well, it turns out the creators of that wonderful app love it, too, because it has become a way for them to get ahold of your personal data to use or sell.

Android devices seem to be especially vulnerable.  Snoopbit studied the top ten Android flashlight apps and discovered that every one of them collects unnecessary user data and accesses areas of the device completely unrelated to the purpose of the app.  This includes having the ability to read phone status and identity, view Wi-Fi connections, modify system settings, obtain full network access, and determine your precise location via your phone’s GPS, among other permissions.

Snoopbit tested these flashlight apps: Super Bright LED flashlight, Brightest Flashlight Free, Tiny Flashlight + LED, Flashlight, Brightest LED Flashlight, Color Flashlight, High Powered Flashlight, Flashlight HD LED and Flashlight: LED Torchlight.

If you have any of these apps on your phone, uninstall them immediately.  You can also investigate “permissions groups” to learn more about what an app will be able to access on your device (see below). With permissions groups, you can quickly see what capabilities or information an app may use before downloading it. Also, you can review individual permissions at any time using the Play Store app.

It’s a good idea to review permissions groups before downloading an app. Once you’ve allowed an app to access a permissions group, the app may use any of the individual permissions that are part of that group. You won’t need to manually approve individual permissions updates that belong to a permissions group you’ve already accepted.

To review individual permissions and groups used by the latest version of an app available on the Play Store:

  1. Open the Play Store app.
  2. Go to an app’s detail page.
  3. Scroll down to “Additional Information.”
  4. Select View details.

After you’ve installed an app, you can review the permissions it can use on your Settings menu.

  1. Open your main Settings menu.
  2. Select Apps or Application Manager.
  3. Select an app.
  4. Scroll down to “Permissions.”
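The permissions the Play Store shows you are the same ones an app declares in its AndroidManifest.xml, so the check described above can also be done offline against the manifest. The following is an added example, not code from the original post or from Snoopbit: it parses a manifest constructed for this example (the package name and app label are hypothetical; the permission names are real Android constants) and reports every permission that a flashlight has no business asking for, grouped under the same headings the article uses.

```python
# Added example: audit an Android manifest's declared permissions against
# what a flashlight app actually needs. The manifest below is constructed
# for this example; the package name and label are hypothetical, while the
# android.permission.* names are real Android constants.
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# What a torch app legitimately needs: the camera LED. (CAMERA is the usual
# requirement; FLASHLIGHT is the legacy permission older apps declared.)
FLASHLIGHT_NEEDS = {
    "android.permission.CAMERA",
    "android.permission.FLASHLIGHT",
}

# The capabilities the article says the studied apps requested, mapped to
# the manifest constants that grant them. The grouping is ours, for reporting.
RISK_GROUPS = {
    "phone status and identity": {"android.permission.READ_PHONE_STATE"},
    "Wi-Fi connections": {"android.permission.ACCESS_WIFI_STATE"},
    "modify system settings": {"android.permission.WRITE_SETTINGS"},
    "full network access": {"android.permission.INTERNET"},
    "precise location (GPS)": {"android.permission.ACCESS_FINE_LOCATION"},
}

# Constructed sample manifest for a hypothetical over-privileged torch app.
SAMPLE_MANIFEST = """<?xml version="1.0" encoding="utf-8"?>
<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.hypothetical.torch">
    <uses-permission android:name="android.permission.CAMERA"/>
    <uses-permission android:name="android.permission.FLASHLIGHT"/>
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_PHONE_STATE"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <uses-permission android:name="android.permission.ACCESS_WIFI_STATE"/>
    <application android:label="Hypothetical Torch"/>
</manifest>
"""


def declared_permissions(manifest_xml):
    """Return the android:name of every <uses-permission> element."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # namespaced attribute, as ET sees it
    return [el.get(name_attr) for el in root.iter("uses-permission")
            if el.get(name_attr)]


def audit(manifest_xml, needed=FLASHLIGHT_NEEDS):
    """Report permissions beyond `needed` and which risk groups they fall in."""
    perms = set(declared_permissions(manifest_xml))
    excess = sorted(perms - needed)
    flagged = {label: sorted(perms & members)
               for label, members in RISK_GROUPS.items() if perms & members}
    return {"declared": sorted(perms), "excess": excess, "flagged_groups": flagged}


if __name__ == "__main__":
    report = audit(SAMPLE_MANIFEST)
    print("Declared:", ", ".join(report["declared"]))
    print("Beyond a flashlight's needs:", ", ".join(report["excess"]) or "none")
    for label, members in report["flagged_groups"].items():
        print("  %s: %s" % (label, ", ".join(members)))
```

Run against a real manifest (extracted with any APK decoding tool), `audit()` gives you the same "why does a torch need my location?" answer the Play Store permission list gives, but in a form you can script across every app on a device or in a fleet.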

The pre-installed iPhone flashlight app seems safe, and those apps using iOS and Windows Phone OS are not as dangerous, but third-party apps on Windows Phone and in the iTunes store are also accessing unnecessary sensitive user data and location information, and unnecessarily using the internet, collecting data and building user profiles. Apple users can find more information on app privacy here: https://support.apple.com/en-us/HT6338


GameOver Zeus Virus Test

The original notice on GameOver Zeus appeared on the US-CERT site. If you’d like to go directly to the tests for the GameOver Zeus virus, scroll down.

Overview of GameOver Zeus

GameOver Zeus (GOZ), a peer-to-peer (P2P) variant of the Zeus family of bank credential-stealing malware identified in September 2011, [1] uses a decentralized network infrastructure of compromised personal computers and web servers to execute command-and-control. The United States Department of Homeland Security (DHS), in collaboration with the Federal Bureau of Investigation (FBI) and the Department of Justice (DOJ), is releasing this Technical Alert to provide further information about the GameOver Zeus botnet.

Systems Affected by GameOver Zeus Virus

  • Microsoft Windows 95, 98, Me, 2000, XP, Vista, 7, and 8
  • Microsoft Server 2003, Server 2008, Server 2008 R2, and Server 2012

Impact of GameOver Zeus

A system infected with GOZ may be employed to send spam, participate in DDoS attacks, and harvest users’ credentials for online services, including banking services.

Solutions to GameOver Zeus

Users are recommended to take the following actions to remediate GOZ infections:

  • Use and maintain anti-virus software – Anti-virus software recognizes and protects your computer against most known viruses. It is important to keep your anti-virus software up-to-date.
  • Change your passwords – Your original passwords may have been compromised during the infection, so you should change them.
  • Keep your operating system and application software up-to-date – Install software patches so that attackers can’t take advantage of known problems or vulnerabilities. Many operating systems offer automatic updates. If this option is available, you should enable it.
  • Use anti-malware tools – Using a legitimate program that identifies and removes malware can help eliminate an infection. Users can consider employing a remediation tool (examples below) that will help with the removal of GOZ from your system.

F-Secure

https://www.f-secure.com/en/web/home_global/online-scanner (Windows Vista, 7 and 8)

https://www.f-secure.com/en/web/labs_global/removal-tools/-/carousel/view/142 (Windows XP)

Heimdal

https://goz.heimdalsecurity.com/ (Microsoft Windows XP, Vista, 7, 8 and 8.1)

McAfee

www.mcafee.com/stinger (Windows XP SP2, 2003 SP2, Vista SP1, 2008, 7 and 8)

Microsoft

https://www.microsoft.com/security/scanner/en-us/default.aspx (Windows 8.1, Windows 8, Windows 7, Windows Vista, and Windows XP)

Sophos

https://www.sophos.com/VirusRemoval (Windows XP (SP2) and above)

Symantec

https://www.symantec.com/connect/blogs/international-takedown-wounds-gameover-zeus-cybercrime-network (Windows XP, Windows Vista and Windows 7)

Trend Micro

https://www.trendmicro.com/threatdetector (Windows XP, Windows Vista, Windows 7, Windows 8/8.1, Windows Server 2003, Windows Server 2008, and Windows Server 2008 R2)

FireEye and Fox-IT

www.decryptcryptolocker.com – FireEye and Fox-IT have created a web portal claiming to restore/decrypt files of CryptoLocker victims. US-CERT has performed no evaluation of this claim, but is providing a link to enable individuals to make their own determination of suitability for their needs. At present, US-CERT is not aware of any other product that claims similar functionality.

The above are examples only and do not constitute an exhaustive list. The U.S. Government does not endorse or support any particular product or vendor.


Revisions

  • Initial Publication – June 2, 2014
  • Added McAfee – June 6, 2014
  • Added FireEye and Fox-IT web portal to Solutions section – August 15, 2014


John Sileo is an award-winning author and keynote speaker on cyber security and data breach. He specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Apple Pay Makes Mobile Payments Sexy; But Secure?

Apple has us oohing and aahing about the iPhone 6, its big brother the 6 Plus and finally the Apple Watch. But the biggest announcement of all didn’t even have to do with gadgets. The most significant announcement was about a new service that will be built into those devices…

It is Apple Pay, Apple’s own version of a “mobile wallet” that will allow Apple users to pay for items with just a tap or wave of their device. That is if those items happen to be in stores that have agreed to install the technology necessary to allow near-field communication (NFC – no not the football conference, the radio-wave technology) to work. Of course, Apple has done the background work to ensure a lot of big names (MC, Visa, AMEX and retailers such as Target, Macy’s and McDonald’s to name a few) are already on board, which is a significant mark in their favor.  And with the upcoming mandatory implementation of EMV technology, Apple may have just timed this perfectly.

I’ve always been a bit freaked about digital wallets because the Internet giants offering them (Google, Amazon) are the same companies that collect reams of personal data, from search behaviors to my product preferences, and I don’t want any one company having all of that.

Many companies have tried to get mobile payments off the ground in the past without much success. So why might Apple be different (security implications in red)?

  1. Apple is a master at integrating hardware and software. This doesn’t just mean that their payment system will be more user friendly than previous offerings (which it will), it also means that Apple has more control over the security and the privacy of each transaction. For example…
  2. No cardholder data will be stored on the iPhone itself, OR on Apple’s servers. This is a significant divergence from previous offerings (Google Wallet) and is an extremely smart play on Apple’s part. Why? Because…
  3. Apple has basically chosen to stay out of the information collection business to focus on what they do best, which is produce innovative digital devices and the corresponding behind-the-scenes software that make their devices so practical and useful. Consequently, they will continue to be a more trusted brand than their direct competitors. Unlike Microsoft, Facebook, and Google, Apple doesn’t appear to want to become a data-mining company. Apple executives have stated that they have no desire to collect or share user data. This could change when Apple realizes the profit they are passing up for the sake of privacy, but in the meantime…
  4. The same companies that have always collected your purchasing data (Visa, MC, Amex and the retailers you buy from) will be responsible for the same sensitive cardholder information they’ve always had access to, and Apple will simply be passing the transaction through, using a unique series of numbers that will reveal nothing of value should the phone be hacked.
  5. Finally, like it or not, Apple will make mobile payments sexy (did I just say that – I think maybe I’ve drunk too much of the Apple Kool-Aid). That sounds shallow, but their similar efforts (iTunes + iPods, iPhone + App Store) revolutionized the music and smartphone industries. Apple has had a knack for getting consumers to warm up to ideas that have been tried before but never really took off (think iTunes, music players, smart phones, and tablets). Also, they have done what others who have tried mobile wallet concepts in the past have not: they’ve made it sexy.
  6. Instead of a credit card that reveals all of its secrets on a magnetic stripe (no security there), Apple Pay will require a thumbprint scan (which never leaves the device) in order to make a charge. In other words, it utilizes CHIP & PIN technology, which every retailer is required to implement before 2015 ends anyway. Apple’s timing is impeccable – let’s just hope the technology is up to the task.
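To make the “unique series of numbers that will reveal nothing of value” in points 2 and 4 concrete, here is an added, simplified payment-token scheme; it is illustrative code, not Apple’s or any card network’s real protocol, and the class names, the 16-digit token format and the test card number are assumptions. The network-side vault holds the real card number; the handset holds only a token and a per-device key, and each payment carries a one-time cryptogram, so a copy of what the phone stores does not let anyone forge charges or learn the card number.

```python
import hashlib
import hmac
import secrets

def _cryptogram(key: bytes, token: str, amount_cents: int, merchant: str, nonce: str) -> str:
    """Per-transaction MAC binding the token to this amount, merchant and nonce."""
    msg = f"{token}|{amount_cents}|{merchant}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

class TokenServiceProvider:
    """Hypothetical network-side vault: the only place the real PAN is stored."""
    def __init__(self):
        self._vault = {}      # token -> (PAN, per-device key)
        self._seen = set()    # (token, nonce) pairs already spent, to reject replays

    def provision(self, pan: str) -> tuple:
        token = "4" + "".join(str(secrets.randbelow(10)) for _ in range(15))
        device_key = secrets.token_bytes(32)
        self._vault[token] = (pan, device_key)
        return token, device_key          # only these two values go to the handset

    def authorize(self, txn: dict):
        """Returns the PAN for the issuer to charge, or None if the request is invalid."""
        entry = self._vault.get(txn["token"])
        if entry is None or (txn["token"], txn["nonce"]) in self._seen:
            return None
        pan, device_key = entry
        expected = _cryptogram(device_key, txn["token"], txn["amount"], txn["merchant"], txn["nonce"])
        if not hmac.compare_digest(expected, txn["cryptogram"]):
            return None
        self._seen.add((txn["token"], txn["nonce"]))
        return pan

class Handset:
    """Stands in for the phone; in a real design the key would sit in secure hardware."""
    def __init__(self, token: str, device_key: bytes):
        self.token, self._key = token, device_key

    def pay(self, amount_cents: int, merchant: str) -> dict:
        nonce = secrets.token_hex(8)
        return {"token": self.token, "amount": amount_cents, "merchant": merchant, "nonce": nonce,
                "cryptogram": _cryptogram(self._key, self.token, amount_cents, merchant, nonce)}

if __name__ == "__main__":
    tsp = TokenServiceProvider()
    phone = Handset(*tsp.provision("4111111111111111"))   # constructed test PAN
    txn = phone.pay(1999, "coffee-shop")
    print("merchant sees:", txn["token"], "| issuer charges:", tsp.authorize(txn))
```

The merchant only ever handles the token and cryptogram; the same message replayed, or altered to a different amount, is refused by the vault.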

I’m not in any way saying that Apple doesn’t face huge challenges in terms of security, privacy and adoption of Apple Pay. Of course they do. I’m simply saying that they have the best shot yet at bringing together the hardware, software, industry connections and marketing chops to finally make mobile secure payments, well… pay.

John Sileo is an award-winning author and keynote speaker who specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes frequent media appearances on shows like 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

A Smarter Solution for Thief-Proof Passwords

Product Review on Password Manager Software

It often amazes me to find out how many people shy away from implementing ideas that they KNOW will make them safer. There are a multitude of reasons, I know:

  • Ignorance: “I didn’t know there was a helmet law in this state.”
  • Fear: “But if I put my money in a bank, there could be a run on it.  It’s safer under my mattress.”
  • Misunderstanding:  “Well, I thought that sign meant I could park here for free on Sunday.”
  • Laziness: “It’ll be okay to leave my laptop on the table while I run to the bathroom real quick.”

I could reel off ideas for literally hours, and every one of these reasons relates directly to not safeguarding your passwords as well. But I want to assure you that it may be THE most important thing you do to secure your data. One of the easiest things anyone can do is utilize a password manager program. There are a lot to choose from, but the one I personally recommend is the award-winning 1Password, which remembers and securely encrypts all of your passwords so you don’t have to. You merely come up with one secure master password and then train 1Password to log in to sites for you.

So what exactly are the features of 1Password? There are a LOT! The best:

  • Strong password generator – a single click gives you a random, extremely strong new password using combinations of hyphens, digits, symbols and mixed-case letters. No more having to think of (and try to remember!) catchy, unhackable passwords for each account.
  • All these strong passwords are saved within 1Password in a highly protected way, and are ready to be automatically accessed when needed by simply typing one master password that only you know.
  • Ease of use – one click can open your browser, take you to a site, fill in your username and password, and log you in.
  • 1Password can sync your data across all your devices automatically through iCloud and Dropbox, or locally over Wi-Fi where your data never leaves your network.
  • The vault will store your credit cards, reward programs, membership cards, bank accounts, passports, wills, investments, private notes and more.  It has been compared to a 21st-century digital wallet.  (But no one can pickpocket you.)
  • 1Password is one of the few password manager options to allow file attachments, so you can safely store related receipts and images, and it will also keep track of your software licenses.
  • 1Password can show all your items with weak, duplicate, and old passwords so you can decide which ones to fortify and update.  No more using five variations of your childhood dog’s name.  It will look at the strength of each password as well as find duplicate passwords and replace them with strong, unique ones.
  • 1Password is fluent in multiple platforms and browsers, including Mac, Windows, iPhone, iPad, Android, and Windows Phone.
  • If your 1Password vault is in Dropbox or a USB thumb drive, you can decrypt and use it from any traditional computer in the world with a modern browser including Safari, Chrome, Firefox and Opera. This has security implications of its own, which I’ll address in a later post.
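Two of the features above, the random generator and the weak/duplicate/old audit, are easy to show in code. This is an added illustration, not 1Password’s own code or algorithm; the character set, the strength-estimate formula, the thresholds and the sample vault entries are all constructed for the example.

```python
import math
import secrets
import string
from datetime import date

# Character set for generated passwords (assumption; 1Password's own rules differ).
SYMBOLS = "-_!@#$%^&*"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS

def generate_password(length: int = 20) -> str:
    """Random password from a CSPRNG, retried until every character class is present."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw

def entropy_bits(pw: str) -> float:
    """Rough strength estimate: length * log2(size of the character pool used)."""
    pool = 0
    if any(c.islower() for c in pw): pool += 26
    if any(c.isupper() for c in pw): pool += 26
    if any(c.isdigit() for c in pw): pool += 10
    if any(not c.isalnum() for c in pw): pool += 32   # printable ASCII punctuation
    return len(pw) * math.log2(pool) if pool else 0.0

def audit(vault, today: date, min_bits: float = 60, max_age_days: int = 365) -> dict:
    """Flags weak, duplicate and stale entries, as the post describes the vault check."""
    weak = [e["site"] for e in vault if entropy_bits(e["password"]) < min_bits]
    old = [e["site"] for e in vault if (today - e["changed"]).days > max_age_days]
    by_password = {}
    for e in vault:
        by_password.setdefault(e["password"], []).append(e["site"])
    # Report only the sites that share a secret, never the secret itself
    duplicates = [sites for sites in by_password.values() if len(sites) > 1]
    return {"weak": weak, "duplicates": duplicates, "old": old}

# Constructed sample vault (not real credentials)
SAMPLE_VAULT = [
    {"site": "bank.example",  "password": "rover1",               "changed": date(2012, 1, 5)},
    {"site": "shop.example",  "password": "rover1",               "changed": date(2014, 6, 1)},
    {"site": "mail.example",  "password": "Xy7#pQ9!mL2&vB4^kR8w", "changed": date(2014, 8, 1)},
    {"site": "forum.example", "password": "Summer2013",           "changed": date(2013, 3, 3)},
]

if __name__ == "__main__":
    print(audit(SAMPLE_VAULT, date(2014, 9, 15)))
    print("replacement:", generate_password())
```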

The prices vary based on the platform used and license purchased, but the prices are reasonable and worth it!

Fully 50% of the corporations that I work with and speak to have had data breaches due to poor password habits. Surprising, given how many of those would have been avoided had they simply used password manager software like 1Password.

Video: https://www.youtube.com/watch?v=VgwQPhpRPd0

John Sileo is an award-winning author and keynote speaker on identity theft, internet privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.

Facebook Privacy Settings Get Needed Update

Facebook Privacy Settings… Some may say it’s too little, too late. I’m relieved that Facebook is finally responding to concerns about their confusing and weak privacy settings.  The social media giant (who has been losing customers of late) has recently made several changes to their settings.

Facebook Privacy Settings Update

  1. Additional photo settings. Your current profile photo and cover photos have traditionally been public by default. Soon, Facebook will let you change the privacy setting of your old cover photos.
  2. More visible mobile sharing settings. When you use your mobile phone to post, it is somewhat difficult to find who your audience is because the audience selector has been hidden behind an icon and this could lead to unintended sharing. In this Facebook privacy settings update, they will move the audience selector to the top of the update status box in a new “To:” field similar to what you see when you compose an email so you’ll be able to see more easily with whom you are sharing.
  3. Default settings for new users. Instead of automatically defaulting to “public”, new users will now have their default set to “friends”. They will also be alerted to choose an audience when they post for the first time. This is a significant step in the right direction of a business best practice called Privacy by Default.
  4. Privacy checkup tool. Users may encounter a “privacy dinosaur” (pictured above) that pops up to lead them through a privacy checkup. (At this time, it is not a consistent feature: Facebook is “experimenting” with it.) The privacy checkup tool will cover a number of settings, including who they’re posting to, which apps they use, and the privacy of their profile information.
  5. Public posting reminder. The privacy dinosaur will also remind you when you’re about to post publicly to prevent you from sharing an update with more people than you intended.
  6. Anonymous login. This feature allows you to log into apps so you don’t have to remember usernames and passwords, but it doesn’t share personal information from Facebook. Traditionally, people using Facebook Login would need to allow the website or app to access certain information in their profiles. I’m also happy to see Facebook moving in this direction, as universal logins are one of the easiest backdoors for cyber criminals to exploit.

Facebook has been criticized for having unreasonably complicated privacy settings, had to pay a $20 million settlement for giving away users’ personal information, and frankly never seemed to care very much about personal privacy.

I’m guessing that Facebook has learned a valuable lesson: that by giving their customers the privacy controls they desire, they are creating happier, more loyal users, which is a long-term strategy for success. The need for change hasn’t disappeared, but these Facebook privacy settings are a step forward.

John Sileo is an award-winning author and keynote speaker on identity theft, social media privacy, fraud training & technology defense. John specializes in making security entertaining, so that it works. John is CEO of The Sileo Group, whose clients include the Pentagon, Visa, Homeland Security & Pfizer. John’s body of work includes appearances on 60 Minutes, Rachael Ray, Anderson Cooper & Fox Business. Contact him directly on 800.258.8076.