Search The Web's Nooks And Crannies To Find Connected Devices

Most people believe that when they use one of the popular search engines (e.g., Bing, Google, Yahoo, DuckDuckGo), that they have effectively searched the entire Internet. That belief is erroneous for a couple reasons.

CNN Money has a good report about the Shodan search engine, which was developed specifically to search what I call the nooks and crannies of the Internet. Shodan users can find devices connected to the Internet that other search engines don't necessarily focus upon:

"... servers, webcams, printers, routers and all the other stuff that is connected to and makes up the Internet... traffic lights, security cameras, home automation devices and heating systems... control systems for a water park, a gas station, a hotel wine cooler and a crematorium... command and control systems for nuclear power plants and a particle-accelerating cyclotron..."

If it isn't obvious to you, these search results have huge privacy and identity theft implications for a variety of reasons. Many users connect devices to the Internet which they shouldn't connect. Or don't properly secure their Internet-connected devices with firewall software. You can bet that since the good guys already know about and use Shodan, then the bad guys will, too, and hack into unprotected devices, steal identity information, and/or cause havoc.

The second reason: many consumers are trapped in the search Filter Bubble, and don't know it.

Chicago Theft Ring Received Sentences For Card Skimming Crimes

In a Chicago court, several defendants were sentenced for card skimming thefts and fraud. The sentences ranged from six years of prison time for the ringleader to two years of probation for other members of the theft ring.

The thieves, working with employees at several fast-food restaurants in Chicago, had allegedly swiped consumers' debit/credit cards through small portable readers to obtain their card numbers. The theft ring then allegedly created fake cards with the stolen card numbers and purchased about $200,000 in merchandise.

Affected consumers had accounts at several banks: Chase, Citibank, Fifth Third Bank Harris Bank, U.S. Bank, Bank of America, and American Express. Reportedly, the banks assisted local law enforcement with the investigations. The seven defendants included:

• Joseph Woods, 33 (the ringleader)
• William Washington, 31
• Alex Houston, 23
• Britain Woods, 34
• Jenette Farrar, 35
• Essence Houston, 29
• Kenyetta Davis, 33,

Congratulations to both local law enforcement and the judicial system.

ACLU Files FTC Complaint Against Mobile Carriers About Smartphone Security Failures

The American Civil Liberties Union (ACLU) has filed a complaint via the U.S. Federal Trade Commission (FTC) against several mobile carriers for:

"... failing to warn their customers about unpatched security flaws in the software running on their phones... running versions of Google’s Android operating system. Unfortunately, the vast majority of these phones never receive critical software security updates, exposing consumers and their private data to significant cybersecurity-related risks."

The mobile carriers named in the complaint include AT&T Inc., Verizon Wireless, Sprint Nextel Corp., and T-Mobile USA. In its announcement, the ACLU also said:

"Google’s Android operating system now has more than 75% of the smartphone market, yet the majority of these devices are running software that is out of date, often with known, exploitable security vulnerabilities that have not been patched. For consumers running these devices, there is no legitimate software upgrade path... Although Google’s engineers regularly fix software flaws in the Android operating system, these fixes aren’t packaged up and pushed to consumers by the wireless carriers and their handset manufacturer partners."

Download the ACLU complaint (Adobe PDF, 438k bytes).

April 20 Is 'Secure Your ID Day'

April 20, 2013 is "Secure Your ID Day." To learn more about how you can protect yourself and your sensitive personal information, visit the Better Business Bureau website. The site lists participating BBB groups in various states.

If you can't attend a local event, then browse these tips and suggestions from the BBB to keep your sensitive personal information secure. Other resources that consumers may find helpful:

• Identity Theft Resource Center
• Consumer Financial Protection Bureau (CFPB)
• Onguard Online (FTC)
• The Resources page in this blog

Data Breach At Schnucks Supermarkets Affects Customers And Their Banks

St. Louis-based KSDK television reported a data breach at Schuncks supermarkets. The supermarket chain isn't yet sure exactly where (e.g., which stores) and how the breach occurred (e.g., in the store or with a debit/credit card processor). The breach occurred about a week ago.

Schnucks operates stores in Missouri, Illinos, Iowa, and Indiana. Customers have already seen unauthorized charges on their debit/credit cards. A representative from Montgomery Bank reported that about 600 of their accountholders have already filed fraud claims. Some customers wonder why the store has not posted alerts in its stores, so shoppers can use cash instead:

“They’re just letting people use their cards and not saying anything.”

Reportedly, the retailer has hired a forensics technology firm to assist it with a breach investigation. It sounds to me like the company' was caught unprepared and its post-breach response needs improvement. Customers need to be notified prompty to take appropriate action to avoid or minimize identity theft and fraud.

Asurion Expands Service Offering With Malware Protection For Smart Phones

Asurion, a provider of mobile device insurance services, announced yesterday that it will provide Walmart MobileCarePlus customers with free Asurion Mobile Security software. The Asurion security software is available in the respective app stores for Android and Blackberry smart phone users. According to the announcement:

"The Asurion Mobile Security solution regularly scans messages, pictures, installed applications and files on a customer's phone to identify and eliminate the latest viruses and malware, many of which can access private information and harm the mobile device itself. Safe browsing alerts users before visiting web sites which may compromise their phone's security and in the event a protected phone is misplaced, locate features can trigger an audible alarm, making recovery much easier... During the last two years, 48 percent of high school and college age students required a replacement device due to loss or damage."

For lost or stolen smart phones, the security service also includes a remote wipe feature to prevent thieves from accessing sensitive data and contacts on your smart phone.

This blog has warned mobile device users to add anti-malware software to their devices. Security software is available from a variety of vendors. If you are considering insurance for your mobile device, then read this first to help decide what's best for you.

For Consumers Who Believe Their Apple Products Are Immune From Malware

Finally, somebody has said it loud and clear. As part of its 2013 predictions about identity theft and fraud, the ProtectMyID blog stated:

"As Apple products have become a growing part of the electronic market, cybercriminals have taken aim at the brand. They have developed malware specific to Apple Products and have taken advantage of the fact that everyone believes their Apple product is immune. In 2013, we suspect these attacks will continue to grow and soon the Apple App Store will be as seedy as that of its competitors."

Want to learn about more threats to your privacy? Read:

• Trouble In Smart Phone Land
• Lawsuit Claims Instagram Performed Data Collection, Retention, And Tracking Via Its Mobile App Without Notice Or Users Consent
• Publishers Consider Ways To Further Use Data Collected By E-Readers

Most Trusted Companies For Privacy Study

Recently, the Ponemon Institute released the results of its annual study of the companies consumers trust the most to maintain their privacy. The study asked consumers to name and rate the companies they trust the most to protect their personal information. Key findings from the study:

"New entrants to this year’s top 20 most trusted list includes: Microsoft (ranked 17), United Healthcare (ranked 18) and Mozilla (ranked 20). Healthcare, consumer products, and banking are the industry segments considered by consumers to be the most trusted for privacy (among 25 industry categories). In contrast, Internet and social media, non-profits (charities) and toys are viewed as the least trusted for privacy."

The only government organization in the top 20 is the U.S. Postal Service (#5). Some noteworthy findings about consumers' habits:

"78% of respondents continue to perceive privacy and the protection of their personal information as very important or important to the overall trust equation... 63% of respondents admit to sharing their sensitive personal information with an organization they did not know or trust... 59% percent of respondents believe their privacy rights are diminished or undermined by disruptive technologies such as social media, smart mobile devices and geo-tracking tools. 55% say their privacy has been diminished by virtue of perceived government intrusions."

These findings should be a wake-up call to companies operating within the Internet industries, namely app developers and social networking website operators. About data breaches:

"49% of respondents recall receiving one or more data breach notifications in the past 24 months. 70% of these individuals said this notification caused a loss of trust in the privacy practices of the organization reporting the incident."

About consumers' expectations of data security (bold emphasis added):

"73% of respondents believe the substantial security protections over their personal information is the most important privacy feature to advancing a trusted relationship with business or government organizations. Other important privacy features include: no data sharing without consent (59%), the ability to be forgotten (56%) and the option to revoke consent (55%)."

Companies and their lobbyists would be wise to comply with these findings about important privacy features. Some troubling findings from the Ponemon study:

"Only 35% of respondents believe they have control over their personal information and this result has steadily trended downward over seven years. Less than one-third (32%) of respondents admit they do not rely on privacy policies or trust seal programs when judging the privacy practices of organizations they deal with. When asked why, 60 percent believe these policies are too long or contain too much legalese."

Study respondents said that the most significant threats to their privacy were:

• 61% - Identity theft
• 56% - government surveillance
• 42% - notice of data breaches
• 40% - violations of civil liberties
• 36% - annoying background chatter
• 32% - spam
• 30% - employer intrusions
• 28% - stalking
• 23% - annoying advertising
• 19% - children abuses

Ponemon has conducted this study for the past seven years, and noted that the importance of privacy by respondents has increased during this time. The study, conducted during October through December 2012, included responses from 6,704 adults in the United States. About 217 companies were named by respondents from 25 industries. 47% of respondents were male. The average age of all respondents was 34.6 years, with an average income of $55,900. The study defined "personal information" as:

"Information about yourself and your family. This information includes name, address, telephone numbers, e-mail address, Social Security number, other personal identification numbers, access codes, age, gender, income and tax information, purchases, website preferences, health information, account activity and many other pieces of data about you and your household."

Maybe the next study will include photographs, video, and other items posted on social networking websites.

The top 20 most trusted companies from the 2012 study:

1. American Express
2. Hewlett Packard
3. Amazon
4. IBM
5. US Postal Service
6. Procter & Gamble
7. USAA
8. Nationwide
9. eBay
10. Intuit
11. Verizon
12. (Tie) Johnson & Johnson and FedEx
13. 13. WebMD
14. Weight Watchers
15. U.S. Bank
16. Disney
17. Microsoft
18. (Tie) United Healthcare and VISA
19. AT&T
20. Mozilla

I was surprised that respondents ranked the banking industry so favorably. Companies I noticed that did not make the top 20 list: Apple and Google. I suspect that the perception of "children abuses" as a privacy threat will increase in the future.

Download the Ponemon report, "2012 Most Trusted Companies For Privacy" (Adobe PDF).

5 Online Privacy Tips To Keep You And Your Family Safe

Monday will be Data Privacy Day (DPD), with celebrations in North America and Europe to raise awareness and provide consumers with education about privacy. DPD was started in 2008. This year's theme is, "Respecting Privacy, Safeguarding Data and Enabling Trust." This year's events will be started with a privacy forum at the George Washington University Law School in Washington, DC. Federal Trade Commissioner Maureen Ohlhausen is the keynote speaker. More events are scheduled nationwide throughout February.

To support this event, Anchorfree and the National Cyber Security Alliance have developed together a list of tips for consumers to maintain their privacy when connected to the Internet via your smart phone, tablet, or laptop/desktop computer:

"1. Risky business - Make sure all family members understand the public nature of the Internet and its risks. Any digital information they share -- emails, photos or videos -- can easily be copied and pasted elsewhere, and is almost impossible to take back. Anything that could damage their reputation, friendships, wallet or future prospects should not be shared electronically."

A recent study found that 30 percent of teenage girls meet in person strangers they met online. So, it is critical for parents and families to practice safe habits while connected to the Internet and in the physical world. If you are a parent, grandparent, or guarding who plans to buy a smart phone for a child, then you definitely should read this contract one smart parent created to help her manage her teen's online usage.

2. Keep it hidden, keep it safe - Make sure all family members are careful about sharing sensitive information such as birth date, addresses, phone numbers, location, financial information, social security numbers, passwords and vacation plans. Most reputable online services have privacy settings. Teach your kids how to use them, too."

3. Browse intelligently - Avoid using sketchy, unfamiliar websites, and delete suspicious emails, particularly those that ask for unnecessary personal information or request that you download something. These may be malware or phishing sites out to steal your personal data.

There are several products available to automatically delete browser HTTP cookies and other files (e.g., Flash Cookies, and other LSO's = Locally Shared Objects) websites use to track you while connected to the Internet. This blog has reviewed some of them, including the MAXA Cookie Manager. I use the BetterPrivacy plugin with the Firefox browser.

The next item is critical because smart phones and tablets save a ton of metadata with each photograph or video you take. The metadata with your photos include a lot of descriptive information, including but not limited to a photo description (e.g., title, subject, tags, comments), author, date and time created, copyright information, image description (e.g., dimensions, resolution, color details, compression), camera description (e.g., make, model, F-stop, exposure, flash mode, zoom setting, lens maker, lens model, serial number, EXIF version), and file information (e.g., date created, date modified, file type, file name, size, attributes, owner, computer name). From photo metadata combined with your GPS location, a company can tell a lot about you, your purchases, your lifestyle, plus what you did/spent when and where.

That metadata gets uploaded to your favorite social networking website whenever you upload photos. Some social networking sites collect, save, and share all of that metadata. Others use some of it. So, consumers should:

4. Turn off geolocation - Many apps' permissions include backdoor location trackers that are constantly streaming your location. If you're not actively using your phone to navigate, turn them off. The FTC recently noted that many apps aimed at children are disclosing location; make sure your kids are following this rule of thumb as well."

The last tip cannot be over emphasized. Public WiFi hotspots are everywhere. If you expect to perform sensitive tasks (e.g., online banking, access/use sensitive documents from your employer) while connected to a public WiFi hotspot, you should:

5. Get behind a shield - Use a VPN such as Hotspot Shield, which will help identify malware sites and provide a secure, encrypted connection to the Internet for desktop or mobile devices, protecting your browsing from hackers and snoops. This is particularly important when using public Wi-Fi or other unknown networks."

AnchorFree produces Hotspot Shield. There are other brands available. Take a look at Get Cocoon and PrivateWiFi.

The National Cyber Security Alliance is a nonprofit organization formed to educate and empower consumers about Internet privacy. It collaborates with government, corporate, other non-profit and academic entities. NCSA board members include: ADP, AT&T, Bank of America, EMC Corporation, ESET, Facebook, Google, Intel, McAfee, Microsoft, PayPal, Science Applications International Corporation (SAIC), Symantec, Trend Micro, Verizon and Visa.

Some of those board members have a ways to go regarding privacy in their products or services. As a business consultant, I regularly use VPN software to remotely and securely access my clients' networks and servers. This blog post is not an endorsement of Hotspot Shield, since I have not used it.

What's your opinion of this list of tips? What VPN software do you use?

Video: 5 Easy Steps You Can Do To Avoid Identity Theft

Below is a brief message from the U.S. Federal Trade Commission (FTC) with 5 easy steps you can do to avoid identity theft. Of course there is more you can do, but these 5 steps are a good start:

FTC Amends Rules Regarding Data Collection Of Personal Information Of Minors

Last month, the U.S. Federal Trade Commission (FTC) clarified and strengthened its rules regarding the collection of personal data of minors under the age of 13. In its announcement, the FTC stated:

"1. Modify the list of “personal information” that cannot be collected without parental notice and consent, clarifying that this category includes geolocation information, photographs, and videos;
2. Offer companies a streamlined, voluntary and transparent approval process for new ways of getting parental consent;
3. close a loophole that allowed kid-directed apps and websites to permit third parties to collect personal information from children through plug-ins without parental notice and consent;
4. Extend coverage in some of those cases so that the third parties doing the additional collection also have to comply with COPPA;
5. Extend the COPPA Rule to cover persistent identifiers that can recognize users over time and across different websites or online services, such as IP addresses and mobile device IDs;
6. Strengthen data security protections by requiring that covered website operators and online service providers take reasonable steps to release children’s personal information only to companies that are capable of keeping it secure and confidential
7. Require that covered website operators adopt reasonable procedures for data retention and deletion; and
8. Strengthen the FTC’s oversight of self-regulatory safe harbor programs.

The new rules become effective July 1, 2013. The rules are part of the Children's Online Privacy Protection Act (COPPA) enacted in 1998. The COPPA rules include personal information elements such as the child's full name, home address, email address, telephone number, or any other information that would allow someone to identify or contact the child. As they should, the new rules add more data elements. The FTC stated in its blog:

"The definition of personal information now includes geolocation information, as well as photos, videos, and audio files that contain a child’s image or voice. Also covered: persistent identifiers that can be used to recognize a user over time and across different websites or online services. But there’s a notable exception: COPPA’s parental notice and consent requirements don’t kick in if the identifier is used solely to support the internal operations of the site or service."

It strikes me that the above exception, or loophole, could be used to avoid and abuse consumer information. Those "persistent identifiers" are key since they are used by the online advertising networks, and enable both online tracking and behavioral advertising. Plus, there is a long history of repeated abuse of consumers' sensitive personal information by companies using zombie cookies, Flash cookies, zombie e-tags, search hijacking, and leaky apps on mobile devices. In September 2012, the FTC issued guidelines for mobile app developers.

Companies are advised to watch the FTC Children's Privacy page for additional updates.

In an ideal world, COPPA rules would not stop at age 13, but extend to age 18, the usual age of majority. It would have been better if the amended COPPA rules explicitly mentioned facial recognition.

FTC Report On Mobile Apps For Children: Insufficient Privacy Disclosures

In February 2012, the U.S. Federal Trade Commission (FTC) published its first report on mobile apps for children, after surveying apps in both the Google Android and Apple app stores. That report found that apps provided little or no information for parents about privacy disclosures of the apps. It also called upon all companies in the children's app ecosystem -- app developers, app stores, and third parties -- to provide better disclosures regarding data collection and privacy practices.

In December 2012, the FTC published its second report, which went further than the first report by testing some apps against their state privacy policies. The FTC found:

"... many apps included interactive features or shared kids’ information with third parties without disclosing these practices to parents... Since the first kids’ app report was issued, the market for mobile apps has continued to grow at an explosive rate, providing many benefits and conveniences to consumers. As of September 2012, there were over 700,000 apps available in Apple’s App Store, a 40% increase since December 2011, and over 700,000 apps available in Google Play, an 80% increase since the beginning of 2012."

The survey found that apps still aren't providing sufficient privacy disclosures:

"... parents still are not given basic information about the privacy practices and interactive features of mobile apps aimed at kids. Indeed, most apps failed to provide any information about the data collected through the app, let alone the type of data collected, the purpose of the collection, and who would obtain access to the data. Even more troubling, the results showed that many of the apps shared certain information – such as device ID, geolocation, or phone number – with third parties without disclosing that fact to parents. Further, a number of apps contained interactive features – such as advertising, the ability to make in-app purchases, and links to social media – without disclosing these features to parents prior to download."

The survey methodology included a search in each app store for children's apps, a review of the first 480 pages of search results, and the random selection of 200 apps from each app store for a close evaluation. That evaluation included a review for privacy disclosures on each app's promotion page, within the app itself, and the app developer's website. The evaluation included a test of each selected app to determine:

"... whether they contained certain interactive features and whether they collected or transmitted any information from the mobile devices they were tested on... nearly 60% (235) of the apps reviewed transmitted device ID to the developer or, more commonly, an advertising network, analytics company, or other third party... only 20% (81) of the apps reviewed disclosed any information about the app’s privacy practices... 58% (230) of the apps reviewed contained advertising within the app, while only 15% (59) indicated the presence of advertising prior to download. Further, 22% (88) of the apps reviewed contained links to social networking services, while only 9% (36) disclosed such linkage prior to download. In addition, 17% (66) of the apps reviewed contained the ability to make purchases for virtual goods within the app, with prices for each purchase ranging from $0.99 in apps from both app stores, to $9.99 for Google Play apps and $29.99 for Apple store apps..."

An encouraging sign is that consumers and parents are getting the message and flexing their muscle in the marketplace:

"... a recent Pew study found that 54% of app users decided not to install an app once they discovered how much personal information the app would collect. The study also showed that 30% of app users have uninstalled an app that was already on their cell phone because they learned that the app was collecting personal information the users did not wish to share. Consistent with these findings, a recent study by the Berkeley Center for Law and Technology showed that most consumers consider the information on their mobile devices to be private..."

Actions that the FTC to address the lacka of privacy disclosures:

1. Urge app developers to include privacy disclosures by design in mobild apps and provide guidelines,
2. Provide consumers and parents with educational information to help them navigate the mobile app market,
3. Starting investigations to determine if specific apps have violated the Childrens Online Privacy Protection Act (COPPA), and
4. Conduct a third survey of the childrens mobile app market

Download the FTC report: Apps For Kids; Still Not Making The Grade (Adobe PDF, 1.1 Mbytes).

California AG Issues Safety Tips For Consumers For Shopping During The Holidays

The California Attorney General (AG) issued these safety tips for consumers to securely shop online:

"1. Shop on secure websites. One clue about which websites are safe and which are not is to look for a yellow padlock in the browser bar or ‘https’ in the web address (the ‘s’ stands for ‘secure’).

2. Don’t make purchases over a free Wi-Fi hotspot like at a coffee shop, which can be scanned by those looking to capture your passwords and other information.

3. Never send personal or financial information through e-mail. Legitimate companies will not ask you to do so because it is not a secure way to transfer sensitive information.

4. If you are receiving text messages on your cell phone saying you have won a prize or gift card, do not click on the link in the message – it is most likely a scam and may install a virus on your phone.

5. To get the full value of a gift card, use it right away. Gift cards that are lost or stolen are not always replaceable. Retailer or restaurant gift cards do not have expiration dates, but bank cards, like Visa or MasterCard gift cards, or cards issued by a mall that can be used at different stores, may sometimes have expiration dates.

6. Know the return policies of the retailers you shop with before you leave the store or conclude an online transaction. Many retailers will give you a refund if you have a receipt and your return is prompt, but some may only give store credit. Ask a clerk if the policy is not posted at the register."

This list is good advice year-round, not just during the holidays. To this list, I would add:

• Treat your smart phone like the handheld computer that it is and install the appropriate anti-virus app
• Know the differences between the three types of plastic in your wallet or purse
• If you are a consumer without a bank account, get all of the facts before moving your money to a prepaid card (or payroll card). Even better: consider a new bank account at a credit union
• Read both the privacy and terms and conditions policies before installing any new apps on your smart phone or tablet. Don't install apps that lack these policies
• If you are a parent giving a smart phone or tablet as a Christmas gift, learn about and teach your children safe mobile device usage and shopping habits

Boston Police Department Safety Alert About Door-To-Door Sales People

The following alert appeared on November 20, 2012 in the Boston Police Department (BPD) community blog:

"The Boston Police is receiving reports about a door-to-door sales person claiming to work for and represent a company called: Just Energy. At present, the group is allegedly soliciting business in the area of Newcastle Road in Brighton. The Boston Police Department is investigating the authenticity of the group..."

Readers of this blog are familiar with Just Energy. It is a valid company and you can browse its website or Better Business Bureau rating. In the above BPD alert, it seems that a criminal may be posing as a Just Energy representative. The BPD advises consumers to follow these safety tips should you encounter any door-to-door salesperson:

"1. Never open your door automatically to anyone without inquiring as to who it is and what they want.

2. If possible, use a ‘peep hole’ or window to see or identify any person knocking on your door or ringing your door bell.

3. When dealing with a person who shows up at your door unannounced or without prior notification (be it a cable provider, maintenance worker, plumber, salesperson) exercise healthy levels of caution and care before agreeing to anything. If a person shows up at your door without proper notification, promptly ask to see an ID, business card or supervisor’s phone number before conducting any further business. If an individual is unable to provide any of the aforementioned forms of identification, discontinue the interaction."

Legit Email Or Scam? Legit Text Message Or Scam? What To Do Next

Recently, I received the following email message from a relative:

Sent: Thursday, November 01, 2012 11:30 AM
To: undisclosed recipients:
Subject: Manila, Philippines : (Sad News) : Shirley XXXXXXXXXX

Hello,
Just hoping this message reaches you... Well, I'm sorry for this emergency and for not informing you about my urgent trip to Manila, Philippines but I just have to let you know my present predicament... Everything was fine until I was attacked on my way back to the hotel, i wasn't hurt but I lost my money, bank cards, mobile phone and my bag in the course of this attack.. I immediately contacted my bank in order to block my cards and also made a report at the nearest police station. I've been to the embassy and they are helping me with my documentation so i can fly out but I'm urgently in need of some help from you to pay up my hotel bills and my flight ticket back home... My return flight back home is scheduled to leave in few hours from now... Please i need your help..."

The bottom of the email had the person's standard, valid signature with her office contact information. Legit email or scam?

To me, it read like a scam. My relative uses much better punctuation and grammar. Plus, I didn't think she was traveling abroad. So, the simple next step was to call her via a land-line phone or other separate method to confirm things.

I called her, left a voice mail message, and she replied via email a day later. She confirmed that she was not traveling abroad, and that heer email account had been hacked.

Identity thieves and scam artists are creative and persistent. There are a variety of "phishing" (e.g., email) scams and "smishing" (text message) scams. Learn to recognize them. Remember, you can always call the company directly and confirm whether or not they sent the suspect text message (or email).

So, a word to the wise. When you receive a suspect communication, confirm it with the person (or company) first via an alternate method. If you receive a suspect text message, call or email the person. If you receive a suspect email, call the person. Even better, talk with them in person.

While waiting for the person to reply, you can always check one of the hoax websites, like Snopes. Your telephone company's website probably lists the types of phone and text scams that have been reported. Your Internet service provider's website probably lists the types of email scams that have been reported.

If you use Facebook, then the Facecrooks site is a good source to verify suspect messages and apps that abuse your privacy.

National Protect Your Identity Week 2012

Not sure what you can do to protect your sensitive personal information? October 20 - 27, 2012 is "National Protect Your Identity Week" (NPYIW).

The ProtectYourIDNow site contains a wealth of information for consumers, plus local events by state. I visited the website to see what's available this year. There are some interesting statistics about how consumers don't protect themselves nor their sensitive personal information:

"68 percent of people with public social media profiles shared their birthday information (with 45 percent sharing month, date and year); 63 percent shared their high school name; 18 percent shared their phone number; and 12 percent shared their pet's name-all are prime examples of personal information a company would use to verify your identity."

While it may feel nice to receive birthday congratulations from your "friends" on social networking websites, the fact is that your birth date is a sensitive and critical piece of personal information that data brokers (and identity thieves) use to distinguish between multiple people with the same name. Experts warn consumers to stop doing these seven things on Facebook and other social networking websites. Some other interesting statistics:

"Seven percent of Smartphone owners were victims of identity fraud... 32 percent of Smartphone owners do not update to a new operating system when it becomes available; 62 percent do not use a password on their home screen... 32 percent save login information on their mobile device... Young adults, aged 18-24, took the longest to detect identity theft - 132 days on average... the average cost ($1,156) was roughly five times more than the amount lost by other age groups... Children may be 51 times more likely than adults to have their identity stolen..."

The NPYIW website includes tips to protect yourself, informative videos, advice about what to do if you are a victim of identity theft and fraud, and an online quiz to test your knowledge about identity theft and fraud. Sponsors of NPYIW include the National Foundation for Credit Counseling, the National Sheriffs Association, the National Association of Triads, the Consumer Federation of America, the Council Of Better Business Bureaus, the U.S. Federal Trade Commission (FTC), the Identity Theft Resource Center, the National Crime Prevention Council, the Credit Union National Association, and many others.

Did you attend a NPYIW event? If so, share your experience below.

PlaceRaider: Part Of The New Class Of 'Visual Malware'

You may remember news stories during past years where thieves used the Google Earth service to find buildings with valuables on the outside -- roofs made with precious metals, so they could return at night to steal the metal and resell the stolen goods for a profit. Now, imagine a scenario where thieves take over the camera in your smart phone (or tablet) to find valuable items inside homes, to return later when you are away or at work to steal the items they remotely recorded on video.

This sounds like science fiction, eh? Or maybe a fictional episode of NCIS?

Well, it's not science fiction. It's science fact, and the software is available today.

A reader alerted me to an article in Technology Review about PlaceRaider, an Android app already created to secretly record via the victims' mobile devices their personal spaces. With the secretly recorded video, the user can create a three-dimension virtual model of the recorded space:

"... Robert Templeman at the Naval Surface Warfare Center in Crane, Indiana, and a few pals at Indiana University reveal an entirely new class of 'visual malware' capable of recording and reconstructing a user's environment in 3D. This then allows the theft of virtual objects such as financial information, data on computer screens and identity-related information... the malware would be embedded in a camera app that the [victim] would download and run..."

The military applications of this are obvious. It's a stealth method to gather intelligence by recording the battlefield (or urban landscape) before the battle by using malware installed in the enemy's mobile devices. An accurate 3-D virtual model, complete with tools and papers lying about, would enable military officials to plan a more effective and efficient attack -- and know ahead of time what documents to look for and to capture.

An app like this in the hands of identity criminals would be equally devastating. It could secretly record a victim's home office, small business office, doctor's medical records storage area, or similar sensitive interior space. Did you leave credit- or debit cards lying about on your desk or bedroom dresser? PlaceRaider could record the account numbers lying exposed. Did you leave your online banking screen open on your desktop computer monitor? PlaceRaider could record that, too.

Meanwhile, what's a consumer to do? All of the usualy steps:

• Be carefult about the apps you download. Look for trustworthy apps with privacy policies that they comply with
• Install and maintain anti-virus apps on your mobile device(s)
• Password protect your mobile device(s)
• Be careful about which WiFi hotspots you use your mobile device at, just as you would with any other computing device
• Use a mobile VPN connection when appropriate
• Use strong passwords, and change them every 90 or 120 days
• Don't use the same password for all of your online accounts and devices
• Place masking tape over your mobile device's camera lense when not using it for long periods.

Maybe some time soon, mobile device manufacturers will get smart and build lens covers into their mobile devices.

New Data Breach Law In Connecticut Begins October 1

A new data breach law goes into effect in Connecticut on October 1. The Connecticut Attorney General office announced:

"Connecticut law generally requires anyone who conducts business in Connecticut and who – in the ordinary course of business – owns, licenses or maintains computerized data that includes personal information to disclose a security breach without unreasonable delay to state residents whose personal information is believed to have been compromised. Failure to provide such notice could be considered a violation of the Connecticut Unfair Trade Practices Act (CUTPA)."

The new law includes an email address for companies to report breaches directly to the Connecticut AG office. Previously, companies were required to notify only consumers affected by data breaches. Now, companies must notify both breach victims and the state.

Study: Small And Medium Sized Businesses Face Growing Data Security Threats

According to a new report by Osterman Research, and sponsored by Trend Micro, while cloud and mobile device usage have increased within small and medium sized businesses, so too has malware and data security threats. The survey found that about 52.1% of devices (e.g., desktop computers, laptops, tablets, smartphones) used by employees were infected annually with malware. In any given month, about 4.3% of devices were infected.

The report found that the malware has become more serious, with more versions, a short life, had target specific mobile devices (e.g., devices running the Android operating system) ,and had targeted businesses in specific countries that perform online banking.

The researchers found the costs to businesses were substantial. Information technology (I.T.) departments spent on average 72 minutes per device to remove the malware and fix the infected computer. The direct I.T. staff cost was about $2,400 per device per year. And, those costs don't include the lost employee productivity.

The data breaches from this malware can lead to theft of money, trade secrets, or the sensitive personal information of employees, former employees, and contractors. Criminals try to infect employees' devices with keystroke-logging malware to steal online bank account passwords. The report listed some of the company data breaches where businesses were robbed in this manner:

• Western Beaver County School District: $700,000
• The Catholic Diocese of Des Moines: $600,000
• Hillary Machinery: $800,000 (its bank was able to recover only $600,000)
• Patco: $588,000
• Experi-Metal, Inc.: $560,000
• Village View Escrow: $465,000
• An unidentified construction company in California: $447,000
• Choice Escrow: $440,000
• An unidentified solid waste management company in New York: $150,000
• An unidentified law firm in South Carolina: $78,421

So, if you work in a small or medium sized business that performs online banking, you can assume that identity thieves and criminals have targeted your employer and, most likely, your mobile device.

The Consequences When Your Data Stored In The Cloud Gets Hacked

It seems that in most places you read, companies and technologists advise consumers to use the "cloud" for data storage: your data is stored remotely in Internet-connected computers hosted by third-party companies. That data can be a variety of files (e.g., music, spreadsheets, text), calendar appointments, and contact information (e.g., work email, home email, address, mobile phone, work phone). Your data can then be synced across, and easily accessed by multiple devices: laptops, tablets, and smart phones.

What happens when there is a security breach, and your data stored in the cloud gets hacked?

This happened to Matt Honan a former technology writer at Gizmodo, and his story can serve as a cautionary tale for all of us.

Matt uses Apple branded products and services (e.g., MacBook Air notebook, iPad, iPhone, iCloud) and Google Mail. When his smart phone stopped working, he first thought it was a software glich. When he tried to connect his laptop to restore from a backup, he found he couldn't log in. Then he knew it was bad:

"At 5:00 PM, they remote wiped my iPhone. At 5:01 PM, they remote wiped my iPad. At 5:05, they remote wiped my MacBook Air. A few minutes after that, they took over my Twitter... When I opened my laptop, an iCal message popped up telling me that my Gmail account information was wrong. Then the screen went gray, and asked for a four digit pin. I didn’t have a four digit pin."

The hacker had accessed his accounts and then reset his passwords. The hacker was able to access his iCloud account, remotely wiped clean all data from his mobile devices, deleted his Gmail account, and deleted his archived data. How did this happen? IT World concluded:

"... as Honan would learn during his investigation, how was the hacker able to obtain Honan's iCloud account by calling Apple support and social engineering that information from Apple? If true, this is a huge hole in Apple's security procedures, and one that puts Apple iCloud users at serious risk... Laying this all on Apple's feet would be easy to do, and there's no getting around the fact that Apple has a problem that needs to be solved. But beyond Apple, this incident also points out potential problems with the growing dependency consumers have with cloud data storage..."

Some technologists argue that what happened to Honan was a best-case scenario. A best-case scenario because the hacker dsabled Honan's devices, making it easy to determine that his deviceds had been hacked. More likely, hackers or spammers would not disable your devices making it more difficult to determine if your devices had been hacked. Instead, they would likely install malware on your computer and then use it to send spam, or use keylogging software to capture your sign-in credentials for your bank and financial accounts.

If you use the cloud for data storage, experts advise consumers:

• Don't use the same password across accounts
• Use strong passwords, and don't use weak passwords
• Protect your passwords. Store them in a secure place. If you decide to use password management software, shop around and compare first
• Password-protect your mobile devices
• Use websites that employ at least two-factor authentication