Posted by (0) Comment
No matter the size of the company, it’s just a matter of time before it’ll experience a data breach.
Recently, Citi Group was hit for the second time in 4 months. This round it happened to Citi Cards Japan. 92,000 customers were affected and the data lost included account numbers, names, addresses, phone numbers, dates of birth and gender.
This comes on the heels of the May data breach of 360,000 U.S. Citi Card customers.
If a company like Citi with all their resources is repeatedly being breached, it’s inevitable that it’ll happen to your company as well.
Are you in compliance with the Privacy & Security laws? Do you have cyber and other insurance in place? It’s something to ponder.
Last month, the Ponemon Institute and Juniper Networks released a survey showing 99% of organizations had at least one data breach last year. And worse than that, of the 583 U.S. companies surveyed, the majority experienced multiple successful attacks against their networks.
When they were able to determine a source, respondents found that attacks most often came from external agents. In addition, the survey found insider abuse is also rampant.
Fifty-two percent of breaches were caused by insiders, while 48 percent were the result of a malicious software download, 43 percent came from malware on a website and 29 percent from malware on social media. System glitches were responsible for 19 percent of breaches, while malware from text messages caused three percent.
Is your company in compliance with the Data Breach/ID Theft Prevention laws? Have you added cyber crime coverage to your insurance portfolio? The numbers above look like you may want to address both.
In a recent study by managed file transfer firm Ipswitch, manufacturing company employees said they are increasingly using personal email accounts to mask transfer activity from management.
40% of those surveyed admitted sending confidential information via personal email accounts to eliminate the detection trail. In addition, 69% of respondents said they send classified information (payroll, customer data and financial information) over unsecure email at least once a month and 34% said they do so daily.
Frank Kenney, VP of Global Strategy for Ipswitch said the most common reasons are speed, convenience and the ability to easily send large files. He went on to say “Employees will almost always take the path of least resistance even if that means violating company policies and breaking security protocols”.
This is an example of why it is so important for all companies to train their employees on identity theft awareness and to get into compliance with the Federal and State data loss laws. Uneducated employees make a company more vulnerable to monetary and reputational damages and are responsible for 50% of data loss.
Cyber thieves are targeting business bank accounts with such zeal that it’s getting the attention of the FBI, the FDIC, and Homeland Security. Many experts believe this could be the leading criminal trend of 2010.
Reports of victimized companies and their substantial losses have prompted Senators Joe Lieberman (ID-CT) and Susan Collins (R-ME) to introduce cybersecurity legislation intended to lessen the risk for U.S. businesses.
Since Regulation E of the Federal Electronic Funds Transfer Act doesn’t protect corporate accounts (only individual consumer accounts), American companies need to reevaluate their policies and systems to protect themselves.
Cyber criminals are going after small to medium sized companies because they usually lack sophisticated computer protection. The thieves know that by processing multiple withdrawals under $10K, they will usually avoid triggering traditional fraud alerts at the banks. When the crime is detected, oftentimes the bank refuses to reimburse the company because it claims the company didn’t adequately protect its online passwords and bank access information.
Recently, Lubbock-based PlainsCapital Bank sued its client Hillary Machinery Inc. of Plano, TX, claiming unauthorized wire transfers (of $801,495 by Romanian and Italian cyber criminals) were done by someone using valid internet banking credentials belonging to Hillary Machinery. The bank said it accepted the wire transfers in good faith and had therefore not breached any of its agreements with its client Hillary Machinery.
CSO online suggests companies:
1) Choose a bank with proactive fraud prevention technologies especially for ACH transactions.
2) Educate their staff on the risks and threats.
3) Dedicate specific machines for banking activities. Avoid using computers involved in web browsing.
4) Understand their bank’s fraud loss policies and procedures.
5) Monitor for missing funds and irregularities.
6) Re-examine anti-malware software and firewalls.
Last week the U.S. Federal Trade Commission (FTC) announced it had notified nearly 100 organizations, ranging in size from businesses with fewer than 10 employees to publicly held corporations with tens of thousands of employees, that sensitive data about their customers and employees had been exposed on peer-to-peer (P2P) file-sharing networks. The entities notified included private and public companies, schools, and local governments. In addition, the FTC has opened non-public investigations of other companies whose confidential employee and customer information has been exposed on P2P networks.
FTC Chairman Jon Leibowitz said, “Unfortunately, companies and institutions of all sizes are vulnerable to serious P2P-related breaches, placing the consumers’ sensitive information at risk. For example, we found health-related information, financial records, and drivers’ license and social security numbers – the kind of information which could lead to identity theft.” Leibowitz went on to say, “Companies should take a hard look at their systems to ensure that there are no unauthorized P2P file-sharing programs and that authorized programs are properly configured and secure.”
“Peer-to-peer technology can be used in many ways, such as to play games, make online telephone calls, and, through P2P file-sharing software, share music, video, and documents,” said the FTC. “But when P2P file-sharing software is not configured properly, files not intended for sharing may be accessible to anyone on the P2P network.”
In the press release dated 2/22/10, the FTC recommended entities receiving letters needed to identify affected employees and customers and consider whether or not to notify them that their information is available on the P2P networks. Most states and several federal agencies have laws relating to data loss. The Agency went on to say “As the nation’s consumer protection agency, the FTC enforces laws that require companies in various industries to take reasonable and appropriate security measures to protect sensitive information, including the Gramm-Leach-Bliley Act and Section 5 of the FTC Act. Failure to prevent such information from being shared to a P2P network may violate such laws.”
Most small business owners and executives don’t believe their companies are vulnerable to identity theft. Nothing could be further from the truth.
In a recent study published by The Javelin Group, small businesses are suffering ID Theft fraud at 1.5 times the rate of all other adults.
To criminals, these businesses are cash machines. Often, a small business owner has a good credit rating with a large credit limit available to them, which makes them valuable.
Oftentimes, thieves take the business information and have fraudulent checks made using the company name, address, phone number and a fictitious account number. When the bogus checks are returned, the victimized company realizes it has been blacklisted by check verification companies, like Telecheck. To make matters worse, the check verification companies don’t care that it wasn’t the business’s account number on the check. It was the company’s name and address that made them responsible.
In addition, criminals understand that local law enforcement agencies don’t have the manpower or desire to deal with identity theft. When the crime crosses state lines, it’s up to the Feds. The FBI receives more than 300,000 reports of suspicious ID Theft activity each month and investigates only about two percent (or 6,000) of those cases. I’ve been told by an FBI agent that cases under $10,000 get no attention at all.
And keep in mind, businesses do not enjoy the same legal protections as consumers when banking online. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges.
In contrast, companies that bank online are regulated under the Uniform Commercial Code, which holds that commercial banking customers have roughly two business days to spot and dispute unauthorized activity if they want to hold out any hope of recovering unauthorized transfers from their accounts.
This means banks are concerned about protecting consumer accounts because they’ll have to pay if the consumer has money stolen out of their account. The same banks however don’t usually have to refund corporate losses so they don’t implement the same safeguards for business accounts.
Small businesses would be wise to get their privacy policies and ID theft prevention programs in place. The laws are there to help companies minimize risk and mitigate damages.
The majority of us use the same password (or a similar variation) at most of the websites we visit. Otherwise it’s hard to remember what password goes with what login at which site.
Unfortunately, cyber crooks know all about human nature and our desire to make things easy. In fact, they count on us using the same logins and passwords. Commonly available cracking programs can be found online and the cyber thieves are using them to quickly gain access to our supposedly confidential information and bank/credit card accounts.
NASA’s publicized guidelines for password use explain the significance of a secure password:
“A six-letter password using all upper case letters or all lower case letters has 308 million possible letter combinations. This is easily broken within a couple minutes by automated password cracking programs that hackers can download from the Internet.”
“With some combination of both upper and lower case letters, a six-letter password has 19 billion possible combinations. If you increase the password to eight letters and use both upper and lower case letters, there are 53 trillion possible combinations. Substitute a number for one of the letters, and there are 218 trillion possible combinations.”
“Substitute one of the special characters for another one of the letters, and you have the recommended type of password — at least eight characters, including at least one upper case letter, lower case letter, number and special character or punctuation. This has 6,095 trillion possible combinations, still crackable, but requiring a more sophisticated program, a far more powerful computer, and far more time.”
I for one, will be using the NASA suggestions for my passwords … how about you?
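To make the NASA arithmetic concrete, here is an added example (not from the post or from NASA) that recomputes each quoted figure as alphabet_size ** length and checks it against the quote. It assumes the character classes behind those figures are 26 upper, 26 lower, 10 digits and 32 specials (94 printable ASCII characters, which is the alphabet that reproduces the 6,095 trillion number); the guess rate is a constructed placeholder, not a measured one.

```python
from itertools import combinations

# Character classes assumed to underlie NASA's figures (94 printable ASCII chars).
CLASSES = {"upper": 26, "lower": 26, "digit": 10, "special": 32}

# The five password policies quoted in the post, as (alphabet size, length).
NASA_POLICIES = {
    "6 letters, one case":           (26, 6),
    "6 letters, mixed case":         (52, 6),
    "8 letters, mixed case":         (52, 8),
    "8 chars, mixed case + digits":  (62, 8),
    "8 chars, all four classes":     (94, 8),
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Strings of `length` drawn from an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def keyspace_requiring_all(classes: dict, length: int) -> int:
    """Strings of `length` that contain at least one symbol from EVERY class.

    NASA's figures count every string over the alphabet; a policy that *requires*
    each class admits fewer. Inclusion-exclusion over the omitted classes gives
    the exact count."""
    names = list(classes)
    total = 0
    for k in range(len(names) + 1):
        for omitted in combinations(names, k):
            remaining = sum(classes[n] for n in names if n not in omitted)
            total += (-1) ** k * remaining ** length
    return total


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every string at a constant guess rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    RATE = 1e9  # constructed placeholder: one billion guesses per second
    for name, (alphabet, length) in NASA_POLICIES.items():
        space = keyspace(alphabet, length)
        print(f"{name:30} {space:>22,}  ~{seconds_to_exhaust(space, RATE):.0f}s")
    strict = keyspace_requiring_all(CLASSES, 8)
    print(f"8 chars with ALL classes present: {strict:,} "
          f"({strict / keyspace(94, 8):.0%} of the 94^8 space)")
```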
Criminals are advertising online … for independent contractors … who can write malicious code and link it to something people will click on. And they pay the criminals using PayPal, Western Union, MoneyGram and other similar systems.
The New York Times reported earlier this month that when unsuspecting computer users click on the picture, story, link, whatever, malware is downloaded that steals credit card numbers from personal computers and uses debit card information to empty bank accounts.
The advertised positions can be quite lucrative. The Times article said, “One site for example, pays $180 for each 1,000 times malware is downloaded onto a U.S. computer but less for computers elsewhere. It refuses to pay for any downloads to Russian computers.”
Kevin Stevens, a threat intelligence analyst for SecureWorks, says it’s impossible to know how many computers are infected via these companies but suspects the number is in the millions.
According to a study done by Trustwave’s SpiderLabs, the hotel industry was the #1 target for identity thieves. And the hotels didn’t discover the data breach for an average of 156 days … that’s 5 months!
It seems the hackers are targeting credit card and debit card information because it’s quick, easy and gives them instant access to cash. And, since no one seems to be minding the store, the criminals are in the system and shopping with someone else’s money long before the hotel chain realizes they’ve been hacked.
Bottom line, if you’re staying in a hotel, best to use a credit card. Remember, you have 60 days to let a creditor know of fraudulent activity on your account. You only have 10 to 30 days to notify the bank of fraudulent charges when using a debit card. In either case, be sure to check your accounts and credit card statements every few days.
As Americans progress through job losses, tough financial times and living large, some are using their children’s identity … even deceased children … to obtain everything from credit to employment.
Lindsay Whitehurst recently wrote in The Salt Lake Tribune about a man who used his dead son’s identity to get a $140,000 mortgage, buy cars, get hunting and fishing licenses and yes, even jobs.
It seems this fellow and his son were in a car accident back in 1987. The 19-year-old son didn’t survive.
When the father’s driver’s license was suspended, he used the son’s name, birthdate and Social Security number to get a new one.
Police caught up with this guy by using facial recognition software while he was using a fake passport with all of his son’s information on it.
Although we rarely think of parents stooping to such low levels as defrauding their own children, the media reminds us that unfortunately, it’s a reality.
Be sure to have your child’s credit monitored. Kids aren’t supposed to have a credit report until they’re 18. If your child has one, you’ve got problems. Work with your attorney and a licensed investigator to clear up as much of the fraudulent information as you can before your child becomes an adult.
© 2008-2012 Julie Ryan All Rights Reserved