Wednesday, October 30, 2013

Identity Theft Hits Close to Home

While certainly not the likes of having SWAT show up at my house like Krebs or even Honan's fiasco, we've had some ID theft attempts occurring for the past few months...actually my wife has.

It all started innocently enough at a child's birthday party. 

We were invited to a now ex-friend's house for a kid's birthday party this past April.  We were told it would be a small gathering of a few close friends.  Usually, when we attend things like this, my wife will leave her purse covered, locked in the car.  In this instance, thinking it was a small group, she took her purse in.  To our surprise, this was not some small get-together, as we were told, but a big party with numerous parents, kids and jump bouncers in back.  Many people we had never met.  That's cool, meet some new families with kids around the same age.  Almost immediately, the 'host' told my wife that she would put her purse in the home office where it would be 'safe.'  At the time, we didn't think anything of it since we had been to this house numerous times and had trusted the family.

The following week, my wife mentioned that she couldn't find a couple credit cards but thought she had misplaced them.  'They gotta be around somewhere.'  You know the phrase.  After another week of not being able to locate them, she called the card companies and requested replacements.  At that point, nothing, as far as we knew, was amiss.

A couple weeks later, we get a letter from the credit card company (the one we replaced) saying they were not able to change the mailing address of our cards since certain security verification was not provided.  This was for the old, just replaced card.  Clearly not knowing that we had already cancelled and replaced the card, the thief attempted to change the mailing address for our account.  What?!?  But couldn't provide a photo ID with the new address or the secret squirrel settings so it was denied.  Nice.  We asked the card company for details and they could only provide the basics: it happened, verification failed, it stopped.  But don't you have caller ID?...Can't you go back and look?....What question failed?  Nothing.  See, while potential fraud was potentially attempted, it never actually occurred since it was not successful...thus no investigation.  I can understand.

We locked and froze and alerted the credit community.

Another couple weeks go by and due to the alerting in place, my wife gets a call asking if she's currently attempting to make a purchase of some high end sunglasses online.  She wasn't.  Add to that, whoever it was apparently entered the wrong billing address.  Denied.  This was a different credit card than the address change attempt.  We got the CC transaction ID and hoped, maybe, that the online vendor could correlate.  What address did they enter?...Can you get any meta information from the transaction logs?...Can I talk to your IT department?  As you probably know, CC transaction numbers do not always match the merchant's transaction ID and neither was able to correlate the other's.  They did their best providing what they could but nothing to connect the two incidents...even though we had our suspicions.

Change of address request could come from anywhere and purchasing online...well it is the world wide web.  There was no way to tentatively finger someone but we did file a police report. 

And then last week, my wife gets a call from our local pharmacy informing her that the doctor had denied her cough medicine refill and that she needed to make an appointment with the doctor if she needed the medicine.  The only problem was that she hadn't requested a refill.  This was for some codeine laced cough syrup that was scripted over a year ago.  The caller had her name, doctor and knew exactly what medication to request and which store to request it from.  Big mistake.  The geographic region of the perpetrator just shrunk from world wide to our area.  There was/is only one person who would have all that info - the host of the birthday party.  It was her doctor (recommended to my wife) and she went with my wife when the cough medicine was prescribed.  I told the pharmacy to just fill something with grape juice and hold whoever tries to pick it up.  Yeah, ahh, they don't do that.  I guess a sting operation is outside the realms of a pharmacy but sounded good to me.  Now we've added an 'attempted' medical ID theft with a controlled substance sidebar.  Another police report filed.

While we do not have a video of the individual attempting the crimes, all indications point to one person.  Some of you might know that my wife is a retired Federal Investigator.  She spent some time hunting fugitives as a US Marshal and protected past #2s while in the Secret Service.  So she went down every other possible investigative path. The only one who had access to her purse, who also likes to purchase expensive sunglasses and would know specifically my wife's birthday, our pharmacy, and that particular medication along with who prescribed it?  It finally sunk in.

According to ITAC, more than 1.5 million consumers were victims of familiar fraud, which is fraud when victims know the fraudster.  Back in 2006, the FTC Identity Theft report noted that 2% of thieves were co-workers of the victim, 6% were relatives or family members and 8% were friends, neighbors or in-home employees.  For medical ID theft, Ponemon's 2013 Survey on Medical Identity Theft said a family member took the personal identification or medical credentials without consent 28% of the time.  Unfortunately, many of these crimes go unreported due to the perpetrators being friends and family.

Identity theft is on the rise and if I remember correctly, medical ID theft is the fastest growing segment.  I'm certainly not suggesting to keep your personal secrets locked from your trusted, long time best friend or a family member.  But for us, this experience will make us think twice about divulging certain information to fly by friends.



Connect with Peter: Connect with F5:

Tuesday, October 22, 2013

Privacy for a Price

A few weeks ago, I went to my usual haircut place and after the trim at the register I presented my loyalty card.  You know the heavy paper ones that either get stamped or hole-punched for each purchase.  After a certain number of paid visits, you receive a free haircut.  I presented the card, still in the early stages of completion, for validation and the manager said I could convert the partially filled card to their new system.  I just had to enter my email address (and some other info) in the little kiosk thingy.  I declined saying, 'Ah, no thanks, enough people have my email already and don't need yet another daily digest.'  He continued, 'well, we are doing away with the cards and moving all electronic so...'  'That's ok,' I replied, 'I'll pay for that extra/free haircut to keep my name off a mailing list.' 

This event, of course, got me thinking about human nature and how we will often give up some privacy for either convenience or something free.  Imagine a stranger walking up to you and asking for your name, address, email, birthday, income level, favorite color and shopping habits.  Most of us would tell them to 'fill in the blank'-off.  Yet, when a Brand asks for the same info but includes something in return - free birthday dinner, discounted tickets, coupons, personalized service - we typically spill the beans.

Infosys recently conducted a survey which showed that consumers worldwide will certainly share personal information to get better service from their doctors, bank and retailers; yet, they are very sensitive about how they share. Today’s digital consumers are complicated and sometimes suspicious about how institutions use their data, according to the global study of 5,000 digitally savvy consumers.  They also created an infographic based on their findings.

Overall they found:

  • 82 percent want data mining for fraud protection, will even switch banks for more security;
  • 78 percent more likely to buy from retailers with targeted ads, while only 16 percent will share social profile;
  • 56 percent will share personal and family medical history with doctors

...and specific to retail:

  • To know me is to sell to me: Three quarters of consumers worldwide believe retailers currently miss the mark in targeting them with ads on mobile apps, and 72 percent do not feel that online promotions or emails they receive resonate with their personal interests and needs
  • To really know me is to sell me even more: A wide majority of consumers (78 percent) agree that they would be more likely to purchase from a retailer again if they provided offers targeted to their interests, wants or needs, and 71 percent feel similarly if offered incentives based on location
  • Catch-22 for retailers? While in principle shoppers say they want to receive ads or promotions targeted to their interests, just 16 percent will share social media profile information. Lacking these details could make it difficult for retailers to deliver tailored digital offers

Your data is valuable and comes with a price.  While many data miners are looking to capitalize on our unique info, you can always decline.  Yes, it is still probably already gathered up somewhere else; Yes, you will probably miss out on some free or discounted something; Yes, you will probably see annoying pop-up ads on that free mobile app/game; and Yes, you might feel out of the loop.

But, it was still fun to be in some control over my own info leaks.





Tuesday, October 15, 2013

The One Millionth Mobile Malware

Milestone has been breached according to Trend Micro.  Just a few months ago, they reported in their 2Q Security Roundup that there were 718,000 malicious or risky Android mobile apps available (up from 509,000 in Q1) and crystal-ball'd that the million mobile malware milestone would be reached by the end of 2013.  Well, it came a couple months early.

Contained in that million are straight pieces of malware, those that abuse premium services like sending unauthorized text messages to certain numbers and registering people to costly services along with high-risk apps, those that aggressively serve ads that lead to dubious sites.  They found that 75% perform outright malicious routines, while another 25% exhibit dubious routines, which include adware. 

The most infamous malware families included FAKEINST at 34% and OPFAKE at 30%.  FAKEINST is typically disguised as a legitimate app and was responsible for the fake Bad Piggies versions, which were found right after the game’s release.  They can also register users for costly services by sending unauthorized text messages to those services for enrollment.    in its ability to wolf legitimate apps clothing but it was also able to launch a web page that asks the person to download a potentially malicious file.  Those are the primary risks but there are many others with this type of malware.  Such fun.

For the high risk apps, ARPUSH came in at 33% and LEADBLT garnered 27% of the total.  These are known to steal data like GPS location and OS information along with delivering malware.   

The threats don't stop with these gems.  Crooks are also looking to hijack mobile banking transactions with FAKEBANK and FAKETOKEN malware variants.  They like to spoof legitimate financial apps along with the ever popular phishing notices enticing people to enter personal info.

And I thought mobile devices were supposed to make our lives easier.  Hmm.  The dedicated circuit of a couple cans with high speed twine (HST) sounds a lot more secure these days. 





Tuesday, October 8, 2013

The Hacker Will See You Now

More than 1.8 million medical ID theft victims in 2013

That's a 19% increase over last year according to the 2013 Survey on Medical Identity Theft.  More than 300,000 new medical identity theft cases were reported during the one-year period, the study found.  The 4th annual survey, conducted by the Ponemon Institute, defined medical identity theft as a person using an individual's name or personal identity “to fraudulently receive medical service, prescription drugs and goods, including attempts to commit fraudulent billing.”

One of the biggest contributors to the increase was fake or spoofed medical websites and spam emails.  Medical identity theft victims who reported that a cyber scheme caused their troubles doubled from 4% in 2012 to 8% in 2013.  It is clear that the amount and frequency of spear phishing specifically targeting medical ID theft has gone up.  This is not the simple 'Buy this personal enhancement drug here' emails but authentic looking emails from a provider.  You click the malicious link and either malware is installed to your computer or you are directed to a website that looks exactly like your medical provider's and you enter (give away) your credentials there.  You might even be able to log into something that will request you update your personal information.  Perfect, I get your credentials along with some additional Rx information or mailing address or SSN or date of birth, anything that I can use to impersonate you.

As far as data breaches as a cause, only 7% (up 1 tick from last year) felt a data breach by their insurer, health care provider or related was linked to the fraud.

In a separate but related survey, a new Deloitte report says healthcare organizations are in various stages of mitigating the security risks of medical devices.  These include patient monitors, infusion pumps, ventilators, pacemakers and imaging devices.  Deloitte interviewed the medical device security leaders at nine large hospital systems and they indicated that their organizations have a long way to go and that they need more cooperation from device manufacturers.

The Food and Drug Administration (FDA) recently released a guidance on the "content of premarket submissions for management of cyber security in medical devices."  The guidance suggested that device makers incorporate security features into their products to limit access to only trusted users, trusted content, and use fail-safe and recovery devices. They want manufacturers to consider threats like hacking, malware and other vulnerabilities of the device's software and to work with providers on addressable scenarios.  This is certainly an area of importance for both providers and the device manufacturers.  Remember all the wrangling with PCI and those payment devices?  Granted, the FDA guidance is a recommendation and not a regulation like PCI so there is reluctance to include security measures in purchasing contracts.

The other issue healthcare organizations face is trying to secure older proprietary devices.  These closed systems make it almost impossible to scan for vulnerabilities but they are still in widespread use.  Other devices that run on well-known commercial operating systems are vulnerable to the same threats that any device with that software has.

Deloitte also asked the medical device security heads where their organizations stood in several areas of cyber security.  These included: organizational leadership, risk framework, identification and evaluation, data flow, vulnerability management, vendor agreements and manufacturer engagement.  Ken Terry over at Information Week goes into detail on each.

So far there have been no documented instances of "intentional threats" to medical devices, according to the report, but healthcare providers are not required to report security incidents to the FDA or the device manufacturer unless a death or serious injury has occurred.







Tuesday, October 1, 2013

Bring Your Own A-Z

The #BYO craze has taken the world by storm and now infiltrates every sector of our lives.  Here is a partial list, in alpha-order, of various bring your owns.

BYO Apple: For the teacher in your life, the princess you'd like to put to sleep or to keep the doctor away for a day.

BYO Beer: The original classic, college style.  And BYO Booze for when you're out of college and got a little cash.

BYO Candy: With Halloween approaching this could see a surge over the next 30 days.

BYO Device: Or danger, destruction, demolition, detonator or any other dastardly 'D' word to represent risk.

BYO Everything: When Internet of Things takes over our lives.  Chocolate Chips have a whole new meaning.

BYO Food: The newest Potluck Parties.

BYO Game: Actually sitting at a table playing the physical versions of Monopoly, Life, Candy Land, Scrabble, or any other favorite.

BYO Hacker: Bodyguards in the 21st Century.

BYO Intelligence: Actually using your brain to figure out something...or when AI robots take over the world.

BYO Jump Drive: A whistleblower's favorite.

BYO Kittens: For making that irresistible, can't-stop-watching, almost viral video.

BYO Litigation: The new term for Small Claims Court.

BYO Money: What Cash will be called 10 years from now.

BYO N: BYO's maximum amount.  As far as BYOingly possible.

BYO OMG: The Surprise Party.

BYO Presents: What you take to the BYO OMG.

BYO Quarrel: The updated version of an older brother's favorite 'Stop Hitting Yourself.'

BYO Raven: Quoth he.

BYO Sushi: The new 'Gone Fishing' Bumper sticker.

BYO Time: It's all relative anyway.

BYO Utopia: Happiness comes from within.

BYO Vacation: The latest Griswold adventure this time with a Hybrid LTD Country Squire.

BYO Warnings: Wouldn't it be cool if everyone had to announce the hazards of interacting with them?

BYO X: Half of a Tic-Tac-Toe game or how Hawaiians greet each other.

BYO Yawn: What you did right now when you read this entry.

BYO Zombie: Pretty much anyone walking around fully engaged with their BYOD.

Well that was fun.  C'mon play along - it's easy and works with almost any word!



