Thursday, 23 August 2012

Social Engineering? Not on my watch



Social engineering is a method used to obtain confidential information through manipulation. It is usually done in order to commit fraud or gain access to a computer, and is generally motivated by money.

Social engineers will meticulously research their target so they know exactly what to say in order to deceive you. If the target is a large company, they will pretend to be an employee and try to deceive a “co-worker” into granting them access to files or to a company computer.

Social engineering occurs for a variety of reasons: it could be directed at a specific company or person, it could be a random attack, or it could even be part of a game. Whatever it is, you do not want it to put your information and your customers’ information at risk.

Social engineering is successful because the engineer uses techniques that make you trust them. They make up elaborate stories or personas that you would have no reason to doubt. Then, through what seems like polite conversation, they get you to relinquish sensitive information that can put you or your company at risk of identity theft or a data breach.


The following is a transcription of part of a conversation between me and someone I believe to be a (beginner) social engineer:

Earlier this week, I got a call from a man claiming to be from “Social Alliance Vancouver” telling me my business had won the “Best New Business in Vancouver” award. He went on to say that my business would be featured on Facebook, Twitter and Google, which would bring me a lot of business.

I told him that we were quite capable of posting Tweets on our own, but thank you kindly.

Alas, he continued, “What type of services does your business provide, ma’am?”

I responded, “Well, seeing as how you awarded my organization the prestigious award of ‘Best New Business’, don’t you already know?”

“Yes, of course! You install security alarm systems.”

“Affirmative. We are the Canadian Identity Theft (and security alarm system) Support Centre. Sounds about right. Now tell me about yourself, sir… are you in need of a new alarm system?”

He then hung up on me.

This example clearly shows an inexperienced social engineer, who was thrown off track with a little questioning. Most of the time, these people will give up as soon as you present any resistance, because it really is not worth their time to follow through. However, if it is a targeted attack on your business, the engineer will most likely be a lot more deceptive, charming and ready to tell you anything to get you to relinquish the information he or she wants.

What information do social engineers want?

Social engineers want as much information as they can get about your business, and the more you give them, the more they will ask for.

They usually begin with friendly chatting, keeping up a light conversation to put you (or your employees) at ease. They will then ask questions such as, “Can you verify your address? I see you are located on Broadway in Vancouver.” At which point your trusting employee will correct the misinformation and divulge the correct address.

Eventually, they will steer the conversation towards getting information. They may direct you to a website and get you to download a (most likely malicious) file, or ask you directly what they want to know.

The information they may want could include computer passwords, full names of employees, SINs (Social Insurance Numbers), salaries or anything related to wages, and account numbers, among many other pieces of sensitive information.

Preventing Social Engineering from putting your business at risk

If you are concerned about social engineers defrauding your business, consider the following advice:
  • Train all staff members (especially those answering emails and phones) on what social engineering is, what people may ask, and how to tell if a social engineer is on the other end of the line.
  • Determine what information is okay to release to the public, i.e. will you be publishing your address, the names of employees and salary information?
  • Create an action plan for dealing with data breaches. Sometimes these breaches are difficult to prevent, so it is better to be prepared just in case.
  • Inform employees of the distinction between being helpful and overly helpful. Social engineers succeed mainly by preying on someone’s trusting nature.

If you would like assistance training your employees on how to avoid data breaches through social engineering, contact CITSC to sign up for an informational seminar.

Friday, 10 August 2012

Criminal Identity Theft and its Newest Victim



Last July, Spanish tourist Hugo Alejandre was enjoying his lunch in a New York park when he was brutally attacked by a man with a hammer. When arrested, the man told police his name was John C. Yoos, and naturally the police believed him. 

Unfortunately for the real John C. Yoos, the man was lying. Yoos only learned of it when a friend jokingly pointed out that a man with the exact same name had been arrested in New York for this barbaric crime. Curious, Yoos looked into what had happened and discovered the perpetrator was a man he had briefly met 10 years prior. It was then that he discovered he was a victim of identity theft.

This case of identity theft, referred to as criminal identity theft, is one of many across Canada. Criminal identity theft occurs when a fraudster obtains a victim’s personal information and uses it for the purpose of avoiding an arrest or fines. This can result in false arrest, arrest warrants and a criminal record that can go undiscovered for years. 

Chances are that, for Yoos, the identity theft did not start and end with that blow of a hammer last July. As Yoos recalls, the last time he saw the attacker was about 10 years ago, which is when the identity theft would have originated. Within that time, it is quite possible that the offender led his entire life under the name of John C. Yoos: he could have gotten a mortgage, attended school, signed fraudulent cheques and collected government assistance. Incidents such as these largely go unnoticed until there is a reason to check your credit report, or, in the rare case, when something like this happens and is broadcast across the media.

Had the real John C. Yoos not discovered that his identity had been stolen and used by someone else to evade arrest, the situation could have ended completely differently. As the offender was in the process of being sentenced under a false name, that record would have been attached to Yoos’ name. Had he not been notified about the incident by a friend, a warrant could have been put out for his arrest. He could have missed out on job opportunities after failing criminal record checks, or been arrested when stopped for a minor traffic violation.

Fortunately, Yoos discovered this incident just in time, and with enough media attention that clearing his name should be relatively easy.

As time goes on, it becomes increasingly difficult to prove innocence. Victims of identity theft experience frustration when it comes to proving to creditors, banks and police officers that they are actually the victim, not the perpetrator. When it comes to identity theft, there is an attitude of guilty until proven innocent. 

Criminal identity theft is devastating for its victims. Although it is less common than financial forms of identity theft, it is very much a reality in Canada. Often, criminal identity theft is tied to organized crime and to other criminal activities such as drug trafficking and gang violence. These criminals use the identities of others in order to continue their crimes and avoid arrest, often under the aliases of numerous innocent people.

For John C. Yoos, there is a long road ahead undoing the damage caused by the perpetrator. As a Case Manager who has worked with numerous victims of criminal identity theft, I can honestly say that it will take a lot of phone calls, faxes, and possibly court visits to clear his name and ensure that no further damage is done.


‘Criminal Identity Theft and its Newest Victim’ was written by Heather. Heather is a Case Manager at the Canadian Identity Theft Support Centre.

Wednesday, 1 August 2012

Olympic Fever amongst Fraudsters



Only a few days into the Olympics, scammers, thieves and fraudsters are already on the prowl for a chance at some silver.

While this is not the first time that thieves have used the games to make money, the increased social media focus of London 2012 presents new challenges for security by creating a platform for thieves to dive into. 

Highly televised sporting events, including the World Cup and the Olympics, are a constant target for the 419 scam or some other variant of advance-fee fraud, in which the scammer requests a sum of cash up front with the promise of a huge monetary gain. Usually, the scammer will claim that the victim has won a lottery held by the Olympic Committee. Chances are that the email recipient did not even enter a lottery.

London 2012 spam emails can come in many forms with some more convincing than others. While I normally pride myself in being able to detect a would-be ‘phisherman’ from a mile away, some of the scams I’ve analysed have caused me to take a second glance (maybe I really did win that date with the US men’s beach volleyball team…).  

The scammer at the other end of the email can be quite deceptive; his livelihood relies on tricking people, after all. Often, the email will contain either a link to a fraudulent website or an executable file for you to download. Either of these can put your computer at risk of getting a virus, and ultimately puts you at risk of identity theft.

Unfortunately Olympic scams are not limited to the cyber world. There have been numerous reports of fake ticket sales, which leave fans out of money and disappointed about missing the game. So for those enviable people enjoying the Olympic Games, stay cautious and remember that if it looks too good to be true, it probably is. 

Whether you are one of the few lucky Canadians sitting in an Olympic stadium in London or are simply viewing the games from home, remember that there are always people out there willing to ruin a good time for the chance at making a profit. If you come across anything that you think may be a scam, look closely for anything suspicious, Google the company’s name and, if you really want to be sure, call our hotline at 1-866-436-5461 and I’ll guide you through how to tell if it’s real or not.

Friday, 27 July 2012

Technical support scam warning



After receiving a call today from a man concerned that his mother had become the victim of an online scam, I did a little investigative work to check out the source of his troubles: Live-Technician.

In general, I find that if people are suspicious enough about an email/website/phone call/travelling salesman (or an offer seems too good to be true) to call the Centre in the first place, it most likely is a scam. 

But, just to confirm, I first called the hotline (1-866-216-8304) and very bluntly asked them if indeed they were a scam. The operator told me that she would be able to answer my question once I gave her remote access to my computer. Politely, I declined and asked her more about her services.

She then hung up on me. 

To find out more, I looked through the website, checking out what they offer along with any other information that would lead me to know for sure whether or not they are a real company.

From the blog that was clearly inserted into Google translate to the unsecured login page and the “free” yearly service that costs $239.99, I determined that it was a scam.

This is how the scam works:

The problem starts when a victim becomes concerned about a technical problem with his or her computer. It could be anything from a printer malfunction to a blocked email address or the threat of a virus. The victim then Googles whatever the problem may be in order to find a solution. Instead, what they find is a link for technical support that claims to fix whatever problem you may have by remotely accessing your computer.

Remote access allows the ‘support person’ to make changes on your computer, including accessing your files and downloading viruses. This tool is extremely helpful if the person is professional and trustworthy, but potentially dangerous if they have other motives.

There are several ways scams like these make money:

1) This “service” in particular charges over $200 to remotely access your computer one time and offers a yearly subscription for unlimited access for products that normally cost less than $50 per year.
2) Once your computer has been remotely accessed by a fraudster, they can steal any information on it, including private work-related information, banking information, passwords, photos and other information you definitely do not want accessed by a stranger.
Come to think about it… perhaps Carly Rae fell victim to one of these scams…
3) Once the fraudster has gathered your personal information, they can make more money by selling it online to a third party.

Here are a couple of ways to discover whether a website you visited is fraudulent or not:

  • Google the name of the company and the tech support number. If several links come up promoting the website from blogs, forums or any other site that is free or easily built, then it could be fake. Try typing ‘scam’ after the name and see if anyone else has reported problems with the company.
  • Read through the website: does it seem as though the writing was translated through an online translation tool?
  • If there is a section of the website that requests that you log in, look at the address bar. The address should begin with ‘https’ beside a padlock symbol. These features indicate that the site uses a secured connection and is safe to access.
  • Hover over any links provided on the website. If they lead to a social media account with no content and a few inactive followers, it could be a sign of fraud.

The risk of identity theft increases significantly when others access the information stored on your computer. Allowing someone to have remote access to your files is like giving your car keys to a stranger. Avoid this at all costs, and if you ever need technical support, go through an established and reputable business.

Tuesday, 17 July 2012

Facebook banking- why this may not be a good idea…


Just as I was beginning to think that Facebook had expanded into every online arena possible, the now-publicly traded internet mogul upped the ante with talk of a banking feature. 

While banks seem non-committal, yesterday American Citibank tweeted “If you could do your #banking on #Facebook - Would you? http://on.fb.me/NmwCiV”. The corresponding Facebook post elicited hundreds of ‘Likes’, suggesting the public may be all for using Facebook as an online and mobile banking middleman.

This new feature claims to be fun, safe and secure. Unfortunately, I have my doubts. 

While I yearn for the days that paying my landlord and increasing a line of credit will bring as much joy as looking at my friends’ baby pictures (heh), I feel as though I can adequately do both simply by pressing ‘CTRL Tab’ and typing in my bank’s address. 

My concerns are with privacy, and real (versus perceived) safety and security.  As Facebook is constantly lambasted and sued over privacy-related matters, I think we should treat it as a sneaky (albeit, attractive) neighbour and not tell it any more personal information than it needs to know. Particularly our banking information. 

Of the many reasons the two should not unite, user behaviour may be at the top of the list. And I assume that Facebook users’ leniency towards privacy matters won’t change simply because they added a banking app. Instead, I fear that the safety measures that were once in place for online banking will wane.

The behaviour of Facebook users versus online banking site users varies drastically. Facebook users tend to linger on the website for hours, leave their pages open while logged on, and often fail to adequately password-protect their account. They also accept invites from strangers and unknowingly download malware. For these reasons alone, Facebook should not be home to banking information.

The behaviour of online banking website users, on the other hand, tends to be more secure. There are no interactions, games or links to click. Basically, online banking is so boring you do what you have to do and log out. And it should probably stay that way.

While thieves certainly can gain access to any online account (including your bank), the behaviour of users has a role in just how easy it is to do so.

Bottom line, don’t connect Facebook and online banking or my job as an advisor to those who have had their identities stolen will become a lot more demanding.

So, would you use Facebook banking?

‘Facebook banking- why this may not be a good idea’ was written by Heather. Heather is a Case Manager/Identity Theft Advisor at CITSC and she prefers to do her banking the old-fashioned way: in a bank.

Wednesday, 11 July 2012

What's in a Password?


With large-scale data breaches occurring on almost a weekly basis, a strong password is necessary in order to avoid having your information leaked. The trouble is that it is often difficult to remember every password for every site we join, tempting users to opt for convenience over security and hope that a data breach will never occur.

Just last month the websites LinkedIn and eHarmony, among many others, suffered data breaches that compromised the accounts of millions of users. These passwords were displayed across the internet and put in the hands of hackers and any would-be identity thieves. While the passwords were not displayed with the corresponding email address or login handle, that does not mean that your account is safe from hackers.

The types of criminals that are interested in gaining access to your online accounts are experts in their field: they can easily guess weak passwords using electronic password dictionaries. That means that if you choose a weak password such as 12345, pword, abc123, or a pet’s name, you are putting yourself at risk of identity theft.

Basically, the weaker the password, the easier it is to break in. 

The best way to protect your account in the (seemingly inevitable) event of a data breach occurring on your favourite website is to take measures into your own keyboard and use a secure and unique password.

When choosing a password there are two things to think about:
1) Will I remember it?
2) Is my password doing what it is intended to do (keep others out)?

Both are equally important and show how much thought needs to go into password creation.
When choosing your online passwords, consider the following coding technique:

1) Think of a phrase that corresponds to a favourite hobby, vacation spot, or life event. For example: “I Love the Vancouver Canucks!”
2) Now take the first letter or letters from each word and turn it into a unique code using numbers and upper- and lowercase letters. If the site allows it, you should also use special characters such as #@!$.
For example: “I love the Vancouver Canucks!” becomes ‘ILTVCAN!’ and finally ‘1LtVc4n!’, where ‘A’ was turned into ‘4’ and so on.
3) If you have a tendency to forget your passwords, you can often choose a security question that will give you a hint as to what your password is. In this example, if you set the security question as “What is my favourite sports team?” you would have a good reminder without compromising your security.

Finally, try to use a different coded password for each site you visit. Once your password is leaked from one site, it won’t take long for an identity thief to take advantage and gain access to your other accounts.
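The coding technique above, worked through in Python as an added example (not code from the original post). The substitutions beyond ‘A’→‘4’ and ‘I’→‘1’, the rule that letters at odd positions are upper-cased while the rest are lower-cased, and the small weak-password list are assumptions chosen so that the post’s own example comes out as 1LtVc4n!:

```python
"""Phrase -> initials -> coded password, plus a policy check (added example)."""
import re
import string

# Letter-to-digit/symbol substitutions. The post shows only A->4 and I->1;
# E, O and S are assumed for this example.
SUBSTITUTIONS = {"A": "4", "I": "1", "E": "3", "O": "0", "S": "$"}

# Weak passwords named in the post (a constructed, deliberately tiny list;
# a real check would use a full breached-password list).
WEAK_PASSWORDS = {"12345", "pword", "abc123"}


def initials(phrase, letters_per_word=None):
    """Step 1-2: keep the first letter (or letters) of each word, upper-cased.

    letters_per_word says how many leading letters to keep from each word;
    the post keeps three from "Canucks", so the caller passes [1, 1, 1, 1, 3].
    The default keeps one letter per word."""
    words = re.findall(r"[A-Za-z]+", phrase)
    if letters_per_word is None:
        letters_per_word = [1] * len(words)
    return "".join(w[:n] for w, n in zip(words, letters_per_word)).upper()


def encode(code, suffix="!"):
    """Step 2: mix digits, upper/lower case and a special character into the code.

    Substitutions apply first; remaining letters at odd positions are
    upper-cased and the rest lower-cased (assumed rule, matches the post)."""
    out = []
    for pos, ch in enumerate(code):
        if ch in SUBSTITUTIONS:
            out.append(SUBSTITUTIONS[ch])
        elif pos % 2 == 1:
            out.append(ch.upper())
        else:
            out.append(ch.lower())
    return "".join(out) + suffix


def password_problems(password, min_length=8):
    """Question 2 from the post ("is it keeping others out?"): return the list
    of policy failures, empty if the password passes."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = {
        "no upper-case letter": string.ascii_uppercase,
        "no lower-case letter": string.ascii_lowercase,
        "no digit": string.digits,
        "no special character": string.punctuation,
    }
    for label, alphabet in classes.items():
        if not any(c in alphabet for c in password):
            problems.append(label)
    if password.lower() in WEAK_PASSWORDS:
        problems.append("on the list of commonly guessed passwords")
    return problems


if __name__ == "__main__":
    code = initials("I Love the Vancouver Canucks!", [1, 1, 1, 1, 3])
    pw = encode(code)
    print(code, "->", pw, "|", password_problems(pw) or "passes policy")
```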
 

“What's in a Password?” was written by Heather. Heather is a Case Manager/Advisor at the Canadian Identity Theft Association. Follow her on Twitter @CITSC1!

Thursday, 5 July 2012

Moms: When it comes to social media, exercise “Stranger Danger”!


Just last week a Facebook friend of mine gave birth to a beautiful baby boy. In no time at all, family members and friends all gathered on her wall to welcome the new addition and praise mommy’s ability to procreate such a “handsome and manly” offspring. 

While I am definitely just as guilty of participating in the internet baby ogling (I ‘liked’ and cooed at every newly-added photo), I quickly grew concerned for the security of the child. While having a first child is exciting, posting the announcement online can put the baby at risk of identity theft and jeopardize their ability to gain credit in the future.  

Not to mention how embarrassing it would be for them to grow up and realize there are already hundreds of naked photos of themselves posted online!
 
Working at CITSC, I have come into contact with countless victims of childhood identity fraud. Unlike other forms of identity crime, those that happen during childhood can continue for decades before discovery. Because there is usually no reason for a parent to check a child’s credit report, the crime remains unknown until the young adult applies for a car or student loan.

With the Facebook friend I mentioned above, the subject of concern for me was simply an innocent photo taken shortly after the birth of the child. The photo was certainly not intended for anything but the announcement of the birth, yet the unintended consequences could potentially be dangerous. 

From this photo, a fraudster can extrapolate the full name of the child (both mother and father were tagged), the date of birth (Facebook conveniently time stamps pictures), the gender and the place of birth. 

With this information, the fraudster can find out the baby’s SIN and use it to apply for credit. This can allow the thief to potentially take over the child’s financial identity before they even learn how to walk. 

Unfortunately, the threat of child identity theft looms with every post and update you make about your child. The following is a list of what NOT to post on Facebook in order to protect your child from identity theft and other types of ‘stranger danger’: 

  • Try not to publish your child’s real name on your Facebook. If you would not tell it to a stranger in the grocery store, don’t post it online. Baby nicknames are cute anyway, right?
  • Do not use the ‘check-in’ feature. Do you really want that weird guy from high school knowing where you do your laundry?
  • Do not share any information about where the child goes to school, daycare, or even the dentist. It may seem obvious, but most parents do not do it on purpose; that information slips out in picture captions, wall posts and status updates.

Because so much of our lives now revolve around our online presence, sharing images of birthdays, funny occurrences or landmark moments seems second nature. Unfortunately, these innocent actions may turn into a long-term headache. 

So moms, remember to practice what you preach: if you tell your child not to give personal information to strangers on the playground, don’t post it for them online.

“Moms: When it comes to social media, exercise ‘Stranger Danger’” was written by Heather. Heather is a Case Manager/Advisor at the Canadian Identity Theft Support Centre. She likes Facebook, but does not like it when that weird guy from high school knows too much about her because of it.