FTC and EU Weigh in on Face Recognition Applications – Why Limiting the Use of This Technology Matters

August 1, 2012

Who should own and control data about your face? Should companies be able to collect and use your facial data at will?

Is it enough to let users opt out of facial recognition, or should companies be required to collect your specific opt in before collecting your facial data? If a company has multiple services, is one opt in enough, or should they be required to seek your permission for every new type of use? Under what conditions should a company be able to sell and monetize their ability to recognize you?[i]

There are a lot of cool uses for facial recognition tools, but how informed are you about the risks? How do you weigh the pros and cons to make an informed choice about who can identify you?

Governments are paying greater attention to potential privacy threats

A preliminary report by the Federal Trade Commission (FTC) identifying the latest facial recognition technologies and how these are currently being used by companies has just been released. The report also outlines the FTC’s plan for creating best-practice guidelines for the industry that should come out later this year.

In Europe, concerns over facial recognition technologies’ potential to breach personal privacy have resulted in a similar review.

This is great news for consumers as it signals a shift in the timing of privacy reviews from a reactive approach, where guidelines have come after consumers have largely already had their privacy trampled, to a far more proactive approach to protecting consumers’ online privacy, safety, and security.

In response, companies like Facebook and Google are dramatically increasing their lobbying budgets and campaign funding

It is no coincidence that as government bodies increase their focus on consumers’ online privacy, the companies making the biggest bucks from selling information about you – and access to you – are pouring money and human resources into influencing the government’s decisions.

According to disclosure forms obtained by The Hill, “Facebook increased its lobbying spending during the second quarter of 2012, allocating $960,000, or three times as much as during the same three-month period in 2011”.

And a report in the New York Times noted that “With Congress and privacy watchdogs breathing down its neck, Google is stepping up its lobbying presence inside the Beltway — spending more than Apple, Facebook, Amazon and Microsoft combined in the first three months of the year.” Google spent $5.03 million on lobbying from January through March of this year, a record for the Internet giant, and a 240 percent increase from the $1.48 million it spent on lobbyists in the same quarter a year ago, according to disclosures filed Friday with the clerk of the House.

In addition to lobbying spend, these companies, their political action committees (PACs), and the billionaire individuals behind the companies have exorbitant amounts of money for political contributions: chits to be called in when privacy decisions that could impact their bottom line hang in the balance.

Here’s what today’s facial recognition technologies can – and are – doing:

 

It only takes a quick look for you to identify someone you know; yet facial recognition technologies are both faster and more accurate than people will ever be – and they have the capability of identifying billions of individuals.

Although many companies are still using basic, and largely non-invasive, facial recognition tools to simply recognize if there is a face in a photo, an increasing number of companies are leveraging advanced facial recognition tools that can have far-reaching ramifications for your privacy, safety, and even employability.

Advanced facial recognition solutions include Google+’s Tag My Face, Facebook’s Photo Tag Suggest, Android apps like FaceLock and Visidon AppLock, and Apple apps like Klik, FaceLook, and Age Meter; then there are apps like SceneTap, FACER Celebrity, FindYourFaceMate.com and DoggelGanger.com. New services leveraging these features will become increasingly common – particularly if strict privacy regulations aren’t implemented.

Some companies use facial recognition services in their photo and video applications to help users recognize people in photos, or even automatically tag them for you. (You may not want to be tagged in a particular photo, but if you allow photo tagging you can only try to minimize the damage; you can’t proactively prevent it.)

Some services use facial recognition for security purposes; your face essentially becomes your unique password (but what do you do if it gets hacked? Change your face??).

What are the potential risks of facial recognition tools to individuals?

The Online Privacy Blog enumerates some of the risks in easily understood terms; here is an excerpt from their article The Top 6 FAQs about Facial Recognition:

Take the massive amount of information that Google, Facebook, ad networks, data miners, and people search websites are collecting on all of us; add the info that we voluntarily provide to dating sites, social networks, and blogs; combine that with facial recognition software; and you have a world with reduced security, privacy, anonymity, and freedom.  Carnegie Mellon researchers predict that this is “a world where every stranger in the street could predict quite accurately sensitive information about you (such as your SSN, but also your credit score, or sexual orientation)” just by taking a picture.

Risk 1:  Identity theft and security

Think of your personal information—name, photos, birthdate, address, usernames, email addresses, family members, and more—as pieces of a puzzle.  The more pieces a cybercriminal has, the closer he is to solving the puzzle.  Maybe the puzzle is your credit card number.  Maybe it’s the password you use everywhere.  Maybe it’s your social security number.

Identity thieves often use social security numbers to commit fraud. Photo: listverse.com.

Facial recognition software is a tool that can put all these pieces together.  When you combine facial recognition software with the wealth of public data about us online, you have what’s called “augmented reality:”  “the merging of online and offline data that new technologies make possible.”   You also have a devastating blow to personal privacy and an increased risk of identity theft.

Once a cybercriminal figures out your private information, your money and your peace of mind are in danger.  Common identity theft techniques include opening new credit cards in your name and racking up charges, opening bank accounts under your name and writing bad checks, using your good credit history to take out a loan, and draining your bank account.  More personal attacks may include hijacking your social networks while pretending to be you, reading your private messages, and posting unwanted or embarrassing things “as” you.

The research:  how facial recognition can lead to identity theft

Carnegie Mellon researchers performed a 2011 facial recognition study using off-the-shelf face recognition software called PittPatt, which was purchased by Google.  By cross-referencing two sets of photos—one taken of participating students walking around campus, and another taken from pseudonymous users of online dating sites—with public Facebook data (things you can see on a search engine without even logging into Facebook), they were able to identify a significant number of people in the photos.  Based on the information they learned through facial recognition, the researchers were then able to predict the social security numbers of some of the participants.

They concluded this merging of our online and offline identities can be a gateway to identity theft:

If an individual’s face in the street can be identified using a face recognizer and identified images from social network sites such as Facebook or LinkedIn, then it becomes possible not just to identify that individual, but also to infer additional, and more sensitive, information about her, once her name has been (probabilistically) inferred.

Some statistics on identity theft from the Identity Theft Assistance Center (ITAC):

  • 8.1 million adults in the U.S. suffered identity theft in 2011
  • Each victim of identity theft loses an average of $4,607
  • Out-of-pocket losses (the amount you actually pay, as opposed to your credit card company) average $631 per victim
  • New account fraud, where thieves open new credit card accounts on behalf of their victims, accounted for $17 billion in fraud
  • Existing account fraud accounted for $14 billion.

Risk 2:  Chilling effects on freedom of speech and action

Facial recognition software threatens to censor what we say and limit what we do, even offline

Imagine that you’re known in your community for being an animal rights activist, but you secretly love a good hamburger.  You’re sneaking in a double cheeseburger at a local restaurant when, without your knowledge, someone snaps a picture of you.  It’s perfectly legal for someone to photograph you in a public place, and aside from special rights of publicity for big-time celebrities, you don’t have any rights to control this photo.  This person may not have any ill intentions; he may not even know who you are.  If he uploads it to Facebook, and Facebook automatically tags you in it, you’re in trouble.

Anywhere there’s a camera, there’s the potential that facial recognition is right behind it.

The same goes for the staunch industrialist caught at the grassroots protest; the pro-life female politician caught leaving an abortion clinic; the CEO who has too much to drink at the bar; the straight-laced lawyer who likes to dance at goth clubs.  If anyone with a cell phone can take a picture, and any picture can be tied back to us even when the photographer doesn’t know who we are, we may stop going to these places altogether.  We may avoid doing anything that could be perceived as controversial.  And that would be a pity, because we shouldn’t have to.

Risk 3:  Physical safety and due process

Perhaps most importantly, facial recognition threatens our safety.  It’s yet another tool in stalkers’ and abusers’ arsenals.  See that pretty girl at the bar?  Take her picture; find out everything about her; pay her a visit at home.  It’s dangerous in its simplicity.

There’s a separate set of risks from facial recognition that doesn’t do a good job of identifying targets:  false identifications.  An inaccurate system runs the risk of identifying, and thus detaining or arresting, the wrong people.  Let’s say that an airport scans incoming travelers’ faces to search for known terrorists.  Their systems incorrectly recognize you as a terrorist, and you’re detained, searched, interrogated, and held for hours, maybe even arrested.  This is precisely why Boston’s Logan Airport abandoned its facial recognition trials in 2002:  its systems could only identify volunteers 61.4 percent of the time.

Learn more about facial recognition technologies, how they work and what the risks are in these resources:

Three steps to protecting your facial data:

  1. There are many positive uses for facial recognition technologies, but the lack of consumer protections makes them unnecessarily risky. Until the control and management of this data is firmly in the hands of consumers, proactively opt out of such features and avoid services where opt out is not an option.
  2. Voice your concerns to elected officials to offset the impact of corporate lobbying and campaign contributions intended to soften proposed consumer protections.
  3. Voice your frustration to the companies that are leveraging this technology without providing you full control over your facial data – including the ability to have it removed, block it from being sold, traded, shared, etc., explicitly identify when and how this data can be used either for standalone purposes or combined with other data about you, and so on. If a company does not respect your wishes, stop using them. If you allow yourself to be exploited, plenty of companies will be happy to do so.

Linda


[i] See The One-Way-Mirror Society – Privacy Implications of Surveillance Monitoring Networks to understand some implications of facial recognition tools’ use when companies sell this information.


Want Increased Control Over Online Communications? Consider Wickr

July 9, 2012

If you’re tired of having your personal information, conversations, photos, texts, and video messages exploited by companies, used to embarrass you by frenemies, or pawed over by data collection services, Wickr’s an app worth considering.

The company’s founders have the credentials and the right motivation to build a tool that puts control of your communications squarely – and simply – in your own hands.  Kara Lynn Coppa is a former defense contractor; Christopher Howell is a former forensics investigator for the State of New Jersey; Robert Statica is a director at the Center for Information Protection at the New Jersey Institute of Technology; and Nico Sell is a security expert and longtime organizer for Defcon, an annual hacker convention.

Responding to questions during an interview, Ms. Sell said, “Right now, everyone is being tracked and traced in ways they don’t understand by numerous governments and corporations,” “Our private communications, by default, should be untraceable. Right now, society functions the other way around.”

Continuing, Ms. Sell said, “If my daughter wants to post a picture of our dog, Max, on Instagram, she shouldn’t have to know to turn the geo-location off,” “People have always asked me ‘How do I communicate securely and anonymously?’ There was never an easy answer, until now.”

Mr. Statica added to this point saying “There is no reason your pictures, videos and communications should be available on some server, where it can easily be accessed by who-knows-who, or what service, without any control over what people do with it.”

Amen to these views.

So what does Wickr offer?

Encrypted messaging – all messages – text, photos, video and audio – sent through the service are secured “by military-grade encryption… They can only be read by you and the recipients on the devices you authorize.” Wickr only stores the encoded result – and only for as long as needed for system continuity.

Self-destruct option – allows you to determine how long the people you communicate with can view the content – text, video, photos – before it is erased. (Recipients can however still capture a screenshot of the content, but the team behind Wickr is looking for ways to notify the sender if a screenshot is taken).

Total phone wipe – one of the risks of recycling cellphones is that you can’t easily erase the phone’s hard drive, which enables criminals (and forensic investigators) to recreate your content. Wickr addresses this issue with an anti-forensics mechanism that erases deleted content by overwriting the metadata and rendering it indecipherable.

Anonymity on Wickr – the service takes your privacy so seriously they don’t even know your username; you aren’t forced to share your email address or any other personal information that could identify you to the service or to others. Instead, your information is “irreversibly encoded with multiple rounds of salted cryptographic hashing prior to being sent to our servers. Even we cannot determine the actual values based on the hashed values we store.”

Free to use – you might think a service like this could put a hefty price on your privacy; instead, the company has chosen to use the “freemium” business model that charges only for premium service features like sending files to large groups or sending large files.

NOTE: I am not associated in any way with this app, nor do I know any of the individuals behind it. While it’s rare I endorse a product, the philosophy behind the service is fabulous, and the tools are something every consumer needs to protect themselves and their privacy.

The next step is for every consumer to demand this same level of respect and security of EVERY online service with whom they interact. 

Want to learn more? Read Wickr’s FAQ

 

Linda


Nearly 1-in-5 Computers in U.S. Have No Security Protection

May 31, 2012

The good news is that just over 80% of the U.S. population has at least some security protection in place on their computers; the bad news is that 19.32% of computers in the U.S. still have no protection at all according to a new study by McAfee[i].

Among the countries tested, the US placed among the bottom 5  – with worse security protection rates than countries like China and India.

That’s grim news, but even worse was the study’s finding that 96% of tablets and smartphones lack security software in spite of these devices being fully capable computers storing sensitive personal and financial information. The lack of smartphone device security is exacerbated by the number of Android users who have installed “antivirus protection” yet the services they downloaded actually fail to provide any protection – learn more in my blog Most Users with Free Android Antivirus Scanners aren’t Protected.

With cybercrime rates skyrocketing what’s driving the security gap?

The lack of security protection on PC’s is not a cost issue. For less than a penny a day, consumers can be protected by strong security software

If consumers in countries with low average incomes like India and China can afford security software, so can Americans.

A few quick searches show steep discounts on 1-year subscriptions to for-pay security products with excellent reputations and broad security coverage:

  • A 50% discount offer on McAfee’s Internet Security Center 2012, making the cost just $39.99
  • A 55% discount offer on Norton’s Internet Security 2012, dropping the cost to $35.99
  • A 50% discount on TrendMicro’s Titanium security 2012, dropping the cost to $39.95
  • A 40% discount on AVG’s Internet Security 2012, dropping the cost to $32.99
  • A 50% discount on Kaspersky’s Internet Security 2012, dropping the cost to $39.97
  • And so on.

 

If a penny a day is still too steep a price, there are good free alternatives. To find these products, search on the term “best free security software” or read PCMagazine’s February 2012 article The Best Free Antivirus for 2012.

 

If the lack of security protection isn’t due to cost, then it’s due to the lack of effective education

For those in the internet industry or internet safety education worlds, it feels like the message that every single computer and computing device must be protected has been talked and promoted to death. Apparently, it hasn’t been.

The data shows that we haven’t explained the personal and broader security risks to the 1-in-5 unprotected computer owners in a way that they find compelling and that motivates them to take action.

What are we missing? How is it that countries where far less has been spent educating consumers have more users leveraging protection software?

Have we not shown well enough the cause-and-effect between unsecured computers and identity theft, malware, spam, unusable computers, and so on?

Have we not helped consumers understand how easy it is to download and install security software?

Have we not explained how low cost (or free) the insurance premiums are for protecting computers?

As an industry, these are questions that must be answered if we are to succeed in creating a safer and more secure online environment – not just for the ~20% who aren’t leveraging these tools today, but for the entire internet ecosystem.

Ranking of Countries by Percentage of Consumers Unprotected

Ranking   Country        Percentage
1         Singapore      21.75
2         Mexico         21.57
3         Spain          21.37
4         Japan          19.35
5         US             19.32
6         China          18.02
7         Canada         17.92
8         Ireland        17.57
9         Korea          17.55
10        India          17.32
11        Philippines    17.12
12        Sweden         16.92
13        Malaysia       16.77
14        UK             16.5
15        Norway         15.72
15        Australia      15.72
16        Netherlands    15.7
16        Brazil         15.7
17        France         15.17
18        Denmark        14.9
19        New Zealand    14.77
20        Germany        14.47
21        Italy          13.8
22        Finland        9.67

(No anti-virus installed, or the software was installed but disabled) Source: McAfee

Linda


[i] The McAfee study was conducted in 24 countries, and analyzed data from 27-28 million PCs each month, to determine a global estimate of the number of consumers who have basic security software.


Flashback Trojan has Infected Over 600,000 Macs

April 19, 2012

This week Apple patched a flaw in their Java code to prevent Macs from becoming infected with the Flashback Trojan – a malicious program that steals infected users’ user names and passwords, and has continued to evolve to exploit other elements.

Unfortunately, the malware has run rampant for the last two months, since it was first detected. The Russian antivirus company, Dr. Web, reports that over 600,000 Macs are infected – and that 56% of the infected Macs are in the hands of U.S. consumers.

A ZDNet article includes these links for Mac users to get “the new version of Java that patches the security hole in question from Apple here: Java for Mac OS X 10.6 Update 7 and Java for OS X Lion 2012-001. Additionally, F-Secure has instructions on how to remove this malware if you think your Mac may already be infected.”

If you are among the Mac users who have clung to the belief that Macs don’t need strong malware protection, let this be a wakeup call.

Linda


Microsoft Conducts More Raids to Stop Criminals Behind Botnets

April 6, 2012

An article in the New York Times outlines the latest counterattack by Microsoft and law enforcement agencies as they work to shut down what the article calls “one of the most pernicious forms of online crime today — botnets, or groups of computers that help harvest bank account passwords and other personal information from millions of other computers.”

Congratulations to Microsoft for their dedication to helping all internet users have a safer, more trusted experience.

As this raid highlights, the often heard desire to blame some rogue country for facilitating online crime, or at least to blame an underdeveloped country for failing to maintain proper oversight of their internet traffic, is unwarranted. This week’s sweep targeted command and control servers in Scranton, Pennsylvania and Lombard, Illinois. How banal is that?

Heading up the initiative from Microsoft was Richard Domingues Boscovich, senior attorney in Microsoft’s Digital Crimes Unit. Here are excerpts from the company’s official blog:

“As you may have read, after a months-long investigation, successful pleading before the US District Court for the Eastern District of New York and a coordinated seizure of command and control servers in Scranton, Pennsylvania and Lombard, Illinois, some of the worst known Zeus botnets were disrupted by Microsoft and our partners worldwide.

Valuable evidence and intelligence gained in the operation will be used both to help rescue peoples’ computers from the control of Zeus, as well as in an ongoing effort to undermine the cybercriminal organization and help identify those responsible.

Cybercriminals have built hundreds of botnets using variants of Zeus malware. For this action – codenamed Operation b71 – we focused on botnets using Zeus, SpyEye and Ice-IX variants of the Zeus family of malware, known to cause the most public harm and which experts believe are responsible for nearly half a billion dollars in damages. Due to the unique complexity of these particular targets, unlike our prior botnet takedown operations, the goal here was not the permanent shutdown of all impacted targets. Rather, our goal was a strategic disruption of operations to mitigate the threat in order to cause long-term damage to the cybercriminal organization that relies on these botnets for illicit gain.

This is the fourth high-profile takedown operation in Microsoft’s Project MARS (Microsoft Active Response for Security) initiative – a joint effort between DCU, Microsoft Malware Protection Center (MMPC), Microsoft Support and the Trustworthy Computing team to disrupt botnets and begin to undo the damage they cause by helping victims regain control of their infected computers. As with our prior takedowns, Microsoft will use intelligence gained from this operation to partner with Internet service providers (ISPs) and Community Emergency Response Teams (CERTs) around the world to work to rescue peoples’ computers from Zeus’ control. This intelligence will help quickly reduce the size of the threat that each of these botnets pose, and make the Internet safer for consumers and businesses worldwide.”

You play a role in online security

Are you contributing to the botnet problem? If any of the following statements sound familiar, you are a botnet risk.

  • Your anti-virus and anti-malware tools haven’t been updated since you bought your computer.
  • You’ve ignored those pesky popups telling you that your computer, browser, or programs need updating to get the latest security fixes installed.
  • You love chain emails, and answering surveys and quizzes.
  • You respond to spammers asking them to stop spamming you.
  • You trust links you come across in emails, Twitter & Facebook and in online ads.
  • You don’t know a phish from a fish, a worm from a grub, or what a botnet is.

4 simple steps can make all the difference in your level of security protection – and in the protection of the whole internet

  1. Start by ensuring your computers are up-to-date with all available patches, fixes, and upgrades.
  2. Then confirm your browsers are up-to-date with all available patches, fixes, and upgrades.
  3. Next, check to see that your security software is up-to-date with all available patches, fixes, and upgrades.
  4. Now, strengthen your spam filters, and smarten up about spam so you don’t click on malicious links.

Learn more about how to protect yourself and your devices in these blogs:

Are You Sure Your PC is Malware Free??

Are You a Malware Magnet? 4 simple steps can make all the difference

Every 3 Seconds an Identity is Stolen – Don’t Be Next

Need help understanding botnets?

See my blogs What are Bots, Zombies, and Botnets? and McAfee Infographic Makes Botnets Understandable.

Here’s a quick illustration to get you started…

Note: I was a Microsoft Employee for 13 years, until the fall of 2006. I have written both positive and less favorable articles on Microsoft, but hold an abiding respect for the company’s ongoing commitment to security and to providing a responsible, trustworthy environment for consumers.

Linda


I Get Asked the Darnedest Things – Including How to Protect Ill-Gotten Gains

March 5, 2012

I recently spent a week teaching several hundred students, teachers and parents in several schools and school districts across North Carolina. The sessions are always great, but since there is never enough time to answer everyone’s safety, security and privacy questions, I encourage listeners to leverage the “Ask Linda” section on my website.

The questions I typically get asked range from “is_____ a strong password”, to questions about situations that need immediate intervention. However, among the many follow up questions from this trip came my first request for assistance in protecting stolen funds. The audacity and irony in the email are just too good not to share, so with identities hidden, here’s the original email – and my response. Enjoy.

On 12/16/2011 “Michael”:

Today, you spoke at my school (xxxxx).  The talk was the best I have ever heard at a school event because during 2009-2010 I recovered other people’s old RuneScape accounts.  I learned many ways to look up people, many of which you mentioned today.  I have since stopped recovering because many people have found out this easy way to make money and so there are far fewer unused accounts to steal. I also did a fair bit of phishing on the system pelican (fish.in.rs) which is a mass mailer of RuneScape phishers, so all I needed was an email address owned by a scaper.

Since then, I have been sitting on a few thousand dollars worth of RuneScape currency. With college coming up, I am hoping to sell this on the RuneScape black market sythe.org .  The preferred method of communication of most members is MSN which I saw on your website that you used to work for.  One of the questions I had for you is: can another person that is chatting with you on MSN get your ip address?  I have heard many hackers claim they can get ips through skype, MSN, and email communications.

On another note, I plan on majoring in mathematics and becoming an investor.  However, I am wondering what classes are recommended to become an internet security consultant such as yourself.

Enjoy your stay in North Carolina,

Thanks,

Michael

“Michael”,

The answer to your question is yes, MSN or Windows Live uses the Microsoft Notification Protocol that carries the client IP address in some of its headers. While I’m pleased that you found my internet safety, security and privacy presentation to be useful, I’d say that given your phishing and account theft activities the field of security is not the right one for you, and recommend you stick to investing.

Linda


New Weekly Headlines-Inspired Internet Safety Content Available for Schools and Parents

December 20, 2011

In collaboration with the internet safety group iKeepSafe, I’m pleased to announce a new initiative for introducing digital literacy, safety, security and privacy topics to students and your children.

Each week on behalf of iKeepSafe’s iKeepCurrent project, I pick a current news story and use it as the genesis of a short safety, security, privacy, citizenship, or other internet related lesson. By pulling from news of what’s happening today the lessons are extremely relevant and provide a natural way to pull events into perspective as teachable moments, and as drivers for learning new and positive online skills.

Every lesson includes a list of key concepts, vocabulary words, equipment needed, the full news articles, the lesson plan, optional activities, additional resources, plus learning development resources for teachers, and specific material just for parents.

To check out the lessons and see how you can leverage this material, click on one of the thumbnails (below) or go to http://ikeepcurrent.org/ and register for a weekly email.

I will begin posting these lessons every week as they appear.

Linda


Cyber Monday Sales Skyrocket – Now Watch Those Credit Card Statements

December 3, 2011

It has been a profitable week for retailers. According to comScore, online sales rose 22% to reach a new all-time single day high of $1.25 billion. A separate report by IBM’s Benchmark research firm reported a 33% Cyber Monday increase, but didn’t provide an actual dollar value.

The volume of internet sales highlights the comfort consumers have with online shopping, whether that is via computer, or increasingly, through mobile transactions. Last year 2.3% of Cyber Monday shopping occurred via mobile phone; this year that has increased to 6.6%[i].

Yet in spite of the convenience online shopping offers, too few consumers have adequately protected their devices or their information, too few carefully research the stores and store policies on sites they use, and during this busy season many will fail to closely monitor their credit card statements for signs of fraud. And the crooks are counting on these gaps.

To be safer when shopping see the blog I posted last week titled 6 Steps to Avoiding Black Friday Scams, but after you’ve shopped, stay alert. Watch your credit card statements. Check your credit scores. And act swiftly if something seems amiss.

Take 8 immediate steps if you discover that you have been the victim of identity theft:

  1. Contact the fraud department of any one of the three consumer reporting companies:
    1. TransUnion: 1-800-680-7289; www.transunion.com; Fraud Victim Assistance Division, P.O. Box 6790, Fullerton, CA 92834-6790
    2. Equifax: 1-800-525-6285; www.equifax.com; P.O. Box 740241, Atlanta, GA 30374-0241
    3. Experian: 1-888-EXPERIAN (397-3742); www.experian.com; P.O. Box 9554, Allen, TX 75013
  2. Close any account that you know or believe has been taken over, or been opened by, ID thieves. Your credit card companies have a 24-hour call service where you can report the theft or abuse of your card. Check the statements of any other credit cards you have to see if the thieves have also compromised those cards. Ask your credit card company to send you any dispute forms you may need to fill out.
  3. Check your credit report to look for credit cards or loans you did not open. By law you have the right to three free credit reports per year, from Experian, TransUnion, and Equifax. If you have already used these free reports, pay the few bucks to get your credit scores checked again.

    All three credit bureaus work together through a website called AnnualCreditReport.com so you can request one, or all three reports at once, in one of the following ways:
    1. Go to the Web site. Through this highly secure site, you can instantly see and print your credit report.
    2. Call toll-free: (877) 322-8228. You’ll go through a simple verification process over the phone after which they’ll mail the reports to you.
    3. Request by mail. If you live in certain states, fill out the request form and mail it to the Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. (Get more details.)
  4. File a complaint with the FTC. A typical police report doesn’t contain the details about fraudulently opened accounts or accounts used by ID thieves. By reporting the ID theft to the FTC and filling out an ID Theft Complaint, you can add the supporting detail to a police report that is necessary to make it an Identity Theft Report.
    1. What should I know before filling out the FTC’s ID Theft Complaint Form?
    2. Instructions for completing the ID Theft Complaint Form
    3. What should I know once I’ve filled out and printed the FTC’s ID Theft Complaint Form?
  5. File a report with your local police. Filing a police report helps document that the crime occurred. Call your local law enforcement office and ask if you can come in and file the report in person or if this needs to be done online or by phone. Some jurisdictions are reluctant to let you file a report, so you may have to contact your state Attorney General’s office to learn whether the law requires the police to take your ID theft report. To find the contact information for the Attorney General in your state you can check www.naag.org.
  6. Notify your health insurance carrier. Identity theft can also be used to commit medical fraud where someone poses as you to have medicines, checkups, even surgeries performed in your name. By contacting your insurance provider, you alert them to take extra precautions and can help prevent receiving a bill for someone else’s medical expenses.
  7. Set up a fraud alert. There are two kinds of fraud alerts, an ‘initial fraud alert’ that stays on your credit report for 90 days, and an ‘extended fraud alert’ that stays on your credit report for 7 years.

    You can set up an initial fraud alert the moment you suspect trouble – you can’t find your wallet, or you think you have been or will be a victim of ID theft (for example, you receive a notice from a company or bank you use notifying you that their data center has been breached and your information may be compromised). With this initial alert in place, potential creditors have to take additional precautions to be sure that new credit isn’t given to the ID thieves by verifying your identity.

    To set up an extended fraud alert you have to have been a victim of ID theft and be able to prove this by showing one of the credit scoring companies your Identity Theft Report (see step #4). When an extended fraud alert is in place, creditors are required to contact you or meet you in person to verify your identity before they can extend credit.

  8. Stay alert. Watch for additional signs of identity theft like:
    1. False information on your credit reports, including your Social Security number, address(es), name or employer’s name.
    2. Missing bills or other mail. If your bills don’t arrive, or come late, contact your creditors. A missing bill may indicate that an ID thief has hijacked your account and changed your billing address to help hide the crime.
    3. Getting new credit cards sent to you that you didn’t apply for.
    4. Having a credit approval denied or being subjected to high interest rates for no apparent reason.
    5. Receiving calls or notices about past due bills for products or services you didn’t buy.

Once your identity has been stolen, you should also consider subscribing to a service that will constantly monitor your credit and alert you if something changes. Even though you change your credit card number, you aren’t likely to have changed companies, or changed your name, your Social Security number, your address, etc., and it is a stupid criminal who throws away such valuable information. In all likelihood, you will remain more vulnerable to future attacks and should monitor and protect accordingly.

Linda

 



Most Users with Free Android Antivirus Scanners aren’t Protected

November 30, 2011

Many free AV apps exist for the Android market, but new comparisons by AV-TEST, a globally recognized security institute out of Germany, uncovered sobering security failures when they put the AV products through their paces.

The products that came out best were for-pay services from “Kaspersky and F-Secure, which detected at least 50% of all malware samples already in inactive state.”

Among the free options, “Zoner AntiVirus Free was best with 32% detected malicious apps. All other scanners detected at best 10% of the apps; some didn’t detect anything at all.” Commenting on the results, AV-TEST said, ‘the circulation of obviously near to useless security apps endangers those, who trust them.’

AV-TEST’s test results are shocking, particularly as the advice given by security experts is that all smartphone users need anti-malware software in place. Yet those who diligently installed one of these free programs have an entirely false sense of security.

The program with the lion’s share of installations is Antivirus Free by Creative Apps, which, along with GuardX Antivirus and LabMSF Antivirus beta, failed to identify any malware in either the manual scan or the real-time on-installation scan.

Not only should these ineffectual products be purged from the Android market, there should be a howl of protest from consumers insisting that apps claiming to protect consumers actually do so – and be required to show how well they protect in their descriptions.

Below are two tables from the research; click here to read the entire report.

Linda


Estonians Charged For $14 Million in Click Fraud – Is Your Computer Infected?

November 22, 2011

In a particularly advanced two-pronged click fraud scheme, 7 men are charged with infecting 4 million computers worldwide – 500,000 in the U.S. alone. Once a computer was infected, the criminals would redirect the user’s search results to websites that would pay the criminals a referral fee, so the more searches they redirected, the more money they made. The second method used was to replace legitimate ads on websites with ads from companies that paid for referring clicks.

In a statement, Janice Fedarcyk, assistant director in charge of the FBI New York office, said, “They victimized legitimate Website operators and advertisers who missed out on income through click hijacking and ad replacement fraud.”

Hijacked sites included The Wall Street Journal and ESPN. An article in the New York Times included the following illustration of how ESPN ads were swapped; the page shown on the left has a legitimate Dr. Pepper ad, while the ad on the right is for a timeshare company that paid for clicks.

In what has been called the biggest cybercriminal takedown in history, the FBI worked with international law enforcement agencies, security companies, and security experts for over two years to crack the case.

This malware, which infected both the Windows and Mac operating systems, did not target consumer information; it was designed to defraud advertisers and website companies. But in order to avoid detection by antivirus software, the malware blocked antivirus updates. This means that infected users were (and are) vulnerable to other malware.

What this means to you:

Although the FBI has replaced the malicious servers involved, infected users remain infected with the DNSChanger malware, and any other malware that was able to crawl into computers while security software updates were blocked. If you’ve seen unlikely ads or suspect your machine may be infected, the FBI has created a website that will help you detect the malware and get rid of it.

Linda

