Identity theft is a growing concern in our digital age, with scammers constantly evolving their tactics to deceive unsuspecting victims. Protecting yourself from these deceitful identity theft trends requires vigilance and proactive measures. Here’s how you can safeguard your personal information and reduce your risk of falling victim to identity theft.

1. Stay Informed About Common Tactics

Understanding the latest trends in identity theft is your first line of defense. Scammers often use methods such as phishing emails, social engineering, and data breaches to obtain personal information. Familiarize yourself with these tactics and be cautious about unsolicited communications that ask for sensitive data.

2. Use Strong, Unique Passwords

Creating strong passwords is essential for protecting your online accounts. Use a combination of upper and lowercase letters, numbers, and symbols. Avoid using easily guessable information like birthdays or common words. Additionally, use a unique password for each account to prevent a single breach from compromising multiple accounts.

3. Enable Two-Factor Authentication (2FA)

Two-factor authentication adds an extra layer of security to your accounts. Even if a hacker manages to obtain your password, they will need a second form of verification—such as a code sent to your phone—to access your account. Always enable 2FA where available.

4. Monitor Your Financial Statements

Regularly review your bank and credit card statements for any suspicious transactions. Set up alerts for transactions over a certain amount to catch potential fraud quickly. Additionally, consider using a credit monitoring service to keep an eye on your credit report for any unauthorized accounts.

5. Be Cautious with Personal Information

Limit the personal information you share online, particularly on social media. Scammers often use details like your birthdate, hometown, or pet’s name to guess your passwords or security questions. Adjust privacy settings on social platforms to restrict who can view your information.

6. Shred Personal Documents

Before disposing of documents containing personal information, such as bank statements or tax returns, be sure to shred them. This prevents identity thieves from retrieving sensitive information from your trash.

7. Secure Your Devices

Keep your devices secure by regularly updating your operating system and software. Use reputable antivirus and anti-malware programs to protect against malicious software. Additionally, avoid using public Wi-Fi for sensitive transactions, as these networks can be insecure.

8. Be Wary of Scams and Offers That Seem Too Good to Be True

If you receive unsolicited offers or requests for personal information, be skeptical. Scammers often use enticing offers to lure victims into providing their information. Research the source and confirm its legitimacy before responding.

9. Report Suspicious Activity Immediately

If you suspect that your identity has been compromised, act quickly. Report the incident to your bank, credit card company, and local authorities. You may also want to place a fraud alert on your credit report or freeze your credit to prevent further misuse.

10. Educate Yourself and Others

Knowledge is power. Stay informed about the latest identity theft trends and educate friends and family on how to protect themselves. Sharing information can create a more informed community that is less susceptible to deceitful tactics.

Conclusion

As identity theft continues to evolve, so must our defenses. By staying informed, taking proactive steps, and being cautious with personal information, you can significantly reduce your risk of falling victim to deceitful identity theft trends. Remember, protecting your identity is an ongoing process that requires vigilance and awareness.

The post How to Protect Yourself from Deceitful Identity Theft Trends appeared first on Cybersecurity Insiders.

The UK Government takes aim at IoT devices shipping with weak or default passwords, an identity thief spends two years in jail after being mistaken for the person who stole his name, and are you au fait with the latest scams? All this and much more is discussed in the latest edition of the “Smashing Security” podcast by cybersecurity veterans Graham Cluley and Carole Theriault, joined this week by Paul Ducklin.

[By: Krishna Vishnubhotla, Vice President Product Strategy, Zimperium]

Tax Day is just around the corner, and it is vital for individuals and businesses to be hypervigilant about the tax apps they choose, as there has been a significant rise in fake tax apps pushing malware. To keep your personal and financial information safe, these apps should be avoided at all costs.

Bad actors are increasing their use of fake apps that masquerade as legitimate ones and are designed to harvest users’ data so that identity theft and payment redirection succeed. Fake apps are mostly found on third-party app stores, but they can make their way onto first-party app stores like the App Store on iOS and the Google Play Store on Android. Many ask what additional security measures minimize the risk of downloading a fake tax app; the answer is that it all starts right at the beginning. Sticking to reputable brands is crucial, even if they cost a little more; it is worth the expense. Most fake apps draw users in via social engineering, with free or super-low-cost offers and other promotions. Don’t fall for it. If this is a new service you are trying because friends or family recommended it, it is advisable to do your own research and, more importantly, be conscious of any and all red flags. This piece will dive into the various ways bad actors are leveraging fake apps to exploit innocent victims.

A question we are frequently asked is: can fake apps use official tax filing APIs?

The answer, unfortunately, is yes, they can if the APIs are not appropriately secured. Most APIs validate the requester’s identity and the message’s basic structure. But on a mobile device, both can be spoofed. Reversing the app allows attackers to identify all the APIs used in the app and then build fake apps that can mimic a legitimate request.

So, how do bad actors design fake tax apps to steal or redirect tax payments intended for legitimate authorities? Fake apps look real because real apps are very easy to reverse-engineer. Anyone can download apps from the official stores and reverse them with readily available tools. It is not reasonable to expect the app stores to identify a malicious actor and stop the download. Zimperium research shows that most apps today lack sufficient protection from reverse engineering and tampering.

Here is what Zimperium’s research of the popular tax apps shows:

  • 30% of iOS apps were identified as having a high-security risk
  • 15% of iOS apps were identified as having a medium privacy risk
  • 80% of Android apps were identified as having a high-security risk
  • 26% of Android apps were identified as having a high privacy risk

In addition, here are five common mistakes we see tax apps making:

  1. The app lets web scripts access its internal functions, which can be misused.
  2. The app can run powerful commands that, if misused, especially on rooted devices, could give attackers control over the device.
  3. The app allows running web scripts that could be harmful if tampered with.
  4. The app uses hidden permissions, allowing malicious apps to exploit its features.
  5. The app can download new code from the internet, risking unwanted changes or malicious updates.

Since teams are more motivated to release apps quickly than to ensure the apps are secured first, they tend to do the bare minimum regarding security. As such, with the rise of malware, it is essential for CISOs, business leaders and security professionals to keep educating the community about the plethora of potential threats that exist and arise, and to keep them front of mind.

As with anything, staying vigilant and keeping a close eye on any unusual behavior after installing an app will protect you and your precious data. Examples include an app sending unwanted or suspicious messages, or an app that randomly causes the device to malfunction. By paying attention to any unusual activity, you could save yourself from falling victim to bad actors looking for their pay day this tax season.

The post Stay Safe This Tax Season: Fake Tax Apps Pushing Malware on the Rise appeared first on Cybersecurity Insiders.

In recent times, we’ve been inundated with countless stories about ransomware attacks and the extortion demands posed by cyber-criminals. However, a new facet of cyber-crime has emerged, taking the form of a twist in the aftermath of a ransomware assault on a government network.

A resident of Oakland, Dedrick Warmack, has come forward, alleging that the ransomware attack not only compromised a government network but also resulted in his identity being stolen. This, in turn, paved the way for the creation of fraudulent bank accounts, the acquisition of high-value properties, and an onslaught of millions of dollars’ worth of credit card payments flooding his email inbox.

While this may initially sound sensationalized, investigations into the matter have substantiated Mr. Warmack’s claims. According to him, multiple newly opened bank accounts now bear his name, boasting credit balances ranging from $17,000 to $30,000. The Oakland native believes that cybercriminals likely accessed his sensitive information during a city computer network hack several months ago, leading to identity theft and fraudulent activities, including deceptive phone calls concerning overdue credits, water and sewage bills totaling $2,000, and home loans.

Further probing revealed that an unidentified individual had, without Warmack’s knowledge, purchased a property in New England using his credentials, such as his Social Security Number, through a smart finance scheme. As a result of loan and bill payment defaults, Warmack’s credit score plummeted by a staggering 180 points.

Traditionally, we’ve witnessed companies grappling with the aftermath of file-encrypting malware attacks. Now, a new chapter unfolds as individuals find themselves ensnared in the nightmare of ransomware breaches, enduring consequences that extend beyond the digital realm.

The question of culpability arises: Should the blame be placed on the administrators of the City of Oakland, tasked with safeguarding sensitive data, or does responsibility lie with the individual who failed to monitor his credit score promptly, now grappling with remorse?

 

The post Ransomware attack leads to identity theft of an Oakland Man appeared first on Cybersecurity Insiders.

In the summer of 2022, KrebsOnSecurity documented the plight of several readers who had their accounts at big-three consumer credit reporting bureau Experian hijacked after identity thieves simply re-registered the accounts using a different email address. Sixteen months later, Experian clearly has not addressed this gaping lack of security. I know that because my account at Experian was recently hacked, and the only way I could recover access was by recreating the account.

Entering my SSN and birthday at Experian showed my identity was tied to an email address I did not authorize.

I recently ordered a copy of my credit file from Experian via annualcreditreport.com, but as usual Experian declined to provide it, saying they couldn’t verify my identity. Attempts to log in to my account directly at Experian.com also failed; the site said it didn’t recognize my username and/or password.

A request for my Experian account username required my full Social Security number and date of birth, after which the website displayed portions of an email address I never authorized and did not recognize (the full address was redacted by Experian).

I immediately suspected that Experian was still allowing anyone to recreate their credit file account using the same personal information but a different email address, a major authentication failure that was explored in last year’s story, Experian, You Have Some Explaining to Do. So once again I sought to re-register as myself at Experian.

The homepage said I needed to provide a Social Security number and mobile phone number, and that I’d soon receive a link that I should click to verify myself. The site claims that the phone number you provide will be used to help validate your identity. But it appears you could supply any phone number in the United States at this stage in the process, and Experian’s website would not balk. Regardless, users can simply skip this step by selecting the option to “Continue another way.”

Experian then asks for your full name, address, date of birth, Social Security number, email address and chosen password. After that, they require you to successfully answer between three and five multiple-choice security questions whose answers are very often based on public records. When I recreated my account this week, only two of the five questions pertained to my real information, and both of those questions concerned street addresses we’ve previously lived at — information that is just a Google search away.

Assuming you sail through the multiple-choice questions, you’re prompted to create a 4-digit PIN and provide an answer to one of several pre-selected challenge questions. After that, your new account is created and you’re directed to the Experian dashboard, which allows you to view your full credit file, and freeze or unfreeze it.

At this point, Experian will send a message to the old email address tied to the account, saying certain aspects of the user profile have changed. But this message isn’t a request seeking verification: It’s just a notification from Experian that the account’s user data has changed, and the original user is offered zero recourse here other than to click a link to log in at Experian.com.

If you don’t have an Experian account, it’s a good idea to create one. Because at least then you will receive one of these emails when someone hijacks your credit file at Experian.

And of course, a user who receives one of these notices will find that the credentials to their Experian account no longer work. Nor do their PIN or account recovery question, because those have been changed also. Your only option at this point is to recreate your account at Experian and steal it back from the ID thieves!

In contrast, if you try to modify an existing account at either of the other two major consumer credit reporting bureaus — Equifax or TransUnion — they will ask you to enter a code sent to the email address or phone number on file before any changes can be made.
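The difference between the two behaviors described above can be modeled in a few lines. This is an added example, not code from Experian, the other bureaus or the author; the `Bureau` class, the `person-001` identifier, the addresses and the phone numbers are constructed for illustration, and the list named `outbox` stands in for email delivery.

```python
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class Account:
    email: str
    phone: str


@dataclass
class Bureau:
    """Toy account store keyed by a constructed person identifier (not a real SSN)."""
    guarded: bool
    accounts: dict = field(default_factory=dict)
    pending: dict = field(default_factory=dict)   # person_id -> (code, new Account)
    outbox: list = field(default_factory=list)    # (recipient, message) pairs

    def register(self, person_id, email, phone):
        new = Account(email, phone)
        old = self.accounts.get(person_id)
        if old is None:
            self.accounts[person_id] = new
            return "created"
        if not self.guarded:
            # Flow described in the article: contact details are replaced at
            # once and the on-file address only gets an after-the-fact notice.
            self.accounts[person_id] = new
            self.outbox.append((old.email, "Your profile was updated"))
            return "replaced"
        # Guarded flow: nothing changes until a code sent to the on-file
        # address is presented back to the service.
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[person_id] = (code, new)
        self.outbox.append((old.email, f"Confirmation code: {code}"))
        return "pending"

    def confirm(self, person_id, code):
        entry = self.pending.pop(person_id, None)  # each code gets one attempt
        if entry is None or not hmac.compare_digest(entry[0], code):
            return False
        self.accounts[person_id] = entry[1]
        return True


def demo(guarded):
    """The owner registers, then a second party re-registers with the same identity data."""
    bureau = Bureau(guarded=guarded)
    bureau.register("person-001", "owner@example.test", "555-0100")
    result = bureau.register("person-001", "other@example.test", "555-0199")
    return bureau, result
```

In the guarded mode the second registration leaves the stored email and phone untouched, so any later multi-factor prompt still goes to the original owner's contact details.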

Reached for comment, Experian declined to share the full email address that was added without authorization to my credit file.

“To ensure the protection of consumers’ identities and information, we have implemented a multi-layered security approach, which includes passive and active measures, and are constantly evolving,” Experian spokesperson Scott Anderson said in an emailed statement. “This includes knowledge-based questions and answers, and device possession and ownership verification processes.”

Anderson said all consumers have the option to activate a multi-factor authentication method that’s requested each time they log in to their account. But what good is multi-factor authentication if someone can simply recreate your account with a new phone number and email address?

Several readers who spotted my rant about Experian on Mastodon earlier this week responded to a request to validate my findings. The Mastodon user @Jackerbee is a reader from Michigan who works in the biotechnology industry. @Jackerbee said when prompted by Experian to provide his phone number and the last four digits of his SSN, he chose the option to “manually enter my information.”

“I put my second phone number and the new email address,” he explained. “I received a single email in my original account inbox that said they’ve updated my information after I ‘signed up.’ No verification required from the original email address at any point. I also did not receive any text alerts at the original phone number. The especially interesting and egregious part is that when I sign in, it does 2FA with the new phone number.”

The Mastodon user PeteMayo said they recreated their Experian account twice this week, the second time by supplying a random landline number.

“The only difference: it asked me FIVE questions about my personal history (last time it only asked three) before proclaiming, ‘Welcome back, Pete!,’ and granting full access,” @PeteMayo wrote. “I feel silly saving my password for Experian; may as well just make a new account every time.”

I was fortunate in that whoever hijacked my account did not also thaw my credit freeze. Or if they did, they politely froze it again when they were done. But I fully expect my Experian account will be hijacked yet again unless Experian makes some important changes to its authentication process.

It boggles the mind that these fundamental authentication weaknesses have been allowed to persist for so long at Experian, which already has a horrible track record in this regard.

In December 2022, KrebsOnSecurity alerted Experian that identity thieves had worked out a remarkably simple way to bypass its security and access any consumer’s full credit report — armed with nothing more than a person’s name, address, date of birth, and Social Security number. Experian fixed the glitch, and acknowledged that it persisted for nearly seven weeks, between Nov. 9, 2022 and Dec. 26, 2022.

In April 2021, KrebsOnSecurity revealed how identity thieves were exploiting lax authentication on Experian’s PIN retrieval page to unfreeze consumer credit files. In those cases, Experian failed to send any notice via email when a freeze PIN was retrieved, nor did it require the PIN to be sent to an email address already associated with the consumer’s account.

A few days after that April 2021 story, KrebsOnSecurity broke the news that an Experian API was exposing the credit scores of most Americans.

More greatest hits from Experian:

2022: Class Action Targets Experian Over Account Security
2017: Experian Site Can Give Anyone Your Credit Freeze PIN
2015: Experian Breach Affects 15 Million Customers
2015: Experian Breach Tied to NY-NJ ID Theft Ring
2015: At Experian, Security Attrition Amid Acquisitions
2015: Experian Hit With Class Action Over ID Theft Service
2014: Experian Lapse Allowed ID Theft Service Access to 200 Million Consumer Records
2013: Experian Sold Consumer Data to ID Theft Service

Interesting story:

Napoleon Gonzalez, of Etna, assumed the identity of his brother in 1965, a quarter century after his sibling’s death as an infant, and used the stolen identity to obtain Social Security benefits under both identities, multiple passports and state identification cards, law enforcement officials said.

[…]

A new investigation was launched in 2020 after facial identification software indicated Gonzalez’s face was on two state identification cards.

The facial recognition technology is used by the Maine Bureau of Motor Vehicles to ensure no one obtains multiple credentials or credentials under someone else’s name, said Emily Cook, spokesperson for the secretary of state’s office.

Personal information is going for a song, and the banks want social media sites to pay when their users get scammed. All this and much more is discussed in the latest edition of the "Smashing Security" podcast by computer security veterans Graham Cluley and Carole Theriault.

Brian Krebs is reporting on a vulnerability in Experian’s website:

Identity thieves have been exploiting a glaring security weakness in the website of Experian, one of the big three consumer credit reporting bureaus. Normally, Experian requires that those seeking a copy of their credit report successfully answer several multiple choice questions about their financial history. But until the end of 2022, Experian’s website allowed anyone to bypass these questions and go straight to the consumer’s report. All that was needed was the person’s name, address, birthday and Social Security number.

While the entire world is talking about gender equality in every field of work, things appear to be going the other way in the world of cyber security. According to research, men are twice as likely as women to be targeted by identity theft attacks, as the latter seem to be more cautious when putting their personal information online.

A study by Nationwide found that women were more cautious when posting their data online, as 63% said that they used multiple ways to protect their online accounts, especially their social media accounts.

Men, however, did not seem as concerned about protecting their information, as only a few of them showed interest in securing their accounts against identity fraud and other prevailing cyber threats.

Interestingly, more men aged above 35 showed extreme interest in protecting their accounts, while those below that age were either unaware of what a spill of their personal information could lead to or uninterested in what hackers could do if they got their hands on the information.

Women aged above 23 were found to be posting responsibly on their social media accounts, while men in the same age bracket weren’t worried about the repercussions they would face once they posted personal details such as email addresses, contact numbers, dates of birth and full names on the web.

Ed Fisher, the head of fraud policy at Nationwide, said that most of the male groups aged between 18-23 and 24-38 fell prey to identity theft campaigns such as orders of goods like cars, mobiles and laptops, while a few suffered drained bank accounts or money scams via loan and credit card fraud.

NOTE 1- The study was limited to the population of the UK and doesn’t include any facts or stats related to the public in other parts of the western world.

NOTE 2- Identity theft or fraud takes four different forms: medical, criminal, child identity theft and financial fraud.

NOTE 3- Any of the frauds stated above qualifies for reporting to law enforcement, as it leads to monetary losses.

The post Men are more hit by Identity Thefts than Women appeared first on Cybersecurity Insiders.

There’s a high chance that you or someone you know has been impacted by email fraud or identity theft. At the very least, you’ve likely received a variety of spam emails and text messages asking to provide a payment or confirm your identity. The good news is that cybersecurity protection is constantly evolving and improving, […]

The post Your Guide to the Latest Email Fraud and Identity Deception Trends appeared first on The State of Security.