Caveat Emptor: The Internet of Things (IoT)

It’s the hottest thing going today. All your devices connected to the internet — and to you. And, to everyone else!

Yes, your new devices that are connected to the internet are a great convenience. Turning on your lights from your smartphone. Getting messages from your refrigerator when you need resupply. Home security systems with cameras and internet reporting. That Wifi connected baby monitor. That activity monitor that you upload data to every day about your fitness activities (some companies’ terms of use allow them to not only retain that data, but provide it to others!).

Walt Manning, a security expert and investigator, provides some insights into the IoT via his presentation at the Government Identity Fraud Conference in March. He notes that we already have more than 25 million devices connected to the internet. And by 2020 (only a few years away) this will double to 50 million! Ultimately, it is expected that the average house will have 100 devices connected to the internet.

Moreover, almost none of these devices are secure. On average, Manning reports, each device has 25 security flaws, and none of them are truly secure. This explosion of connected devices will have 5-10 times the impact that the internet currently has on the security of data.

Because, for all of the convenience of connected devices, we pay a price. That price is data; information about ourselves and our activities is recorded in logs somewhere. Everything. And to compound this problem, so far, every connected device has security flaws. So, someone, somewhere is storing all that data about you. And, that information is also readily available to anyone who wants to hack your systems.

So you want that information available to just anyone? Where is it stored? With what security? Is it encrypted? Do you even know? And, what are “they” allowed to do with that information?

There are some things you can and should do to protect yourself. For it’s a clear conclusion that the convenience of these devices is winning over security. So, some suggestions:

  1. Most devices will connect via your home Wifi router. Make sure it is passphrase protected.
  2. Check the terms of use with your internet provider. What do they say about providing data to others? Remember, they record everything that happens over your connection!
  3. Research each device and company before you buy. Do they have secure systems? Where is the data stored? Are they allowed to give that data to others? Under what circumstances? Read the Terms of Use for everything (I know, you won’t, but I have to tell you anyway.)

If your research demonstrates the device has little or no security, and/or data will be provided to others without your permission, look elsewhere. We ARE going to buy this stuff — it’s just too cool and too convenient not to. But, we need to protect ourselves with some simple research into the products we buy, and buy smart (pun intended!).

Again, thanks to the good folks at the ITRC and LexisNexis Risk Solutions for the conference and to Walt Manning for his great presentation on the Internet of Things and security — some of their information is included in this article.


Are you smarter than your phone?

OK, you are running anti-malware on your computer. You have upgraded protection on your wi-fi router and even started using a password application on your computer to manage your passphrases (yes, passphrases, not passwords!). Good job. Now they are attacking your cell phone! And half the world’s population uses a smartphone today.

Have you protected that mobile device with the same enthusiasm as your computer? Are you still vulnerable? You bet you are!

Almost 50 percent of us use a smart device as our primary internet connection. Yet, about 28% (Pew Research) don’t use a screen password/PIN to access the phone! About 1 in 10 have never updated their operating system (and so are well behind in code updates, many of which involve protecting against unauthorized access).

In this era where many of us live on our smartphones, don’t have landline telephones (how primitive!) and even do all our banking and shopping on our phones, these devices have now become the attack-point of choice for crooks looking to steal your identity. So, what to do? Walt Manning shared some key actions we can all take to protect our information and identities at the recent Government Identity Fraud Conference.

First, just how vulnerable are you? Wikileaks has demonstrated that the CIA (and that means others as well!) can hack your phone at will. Operating systems that are open are much more vulnerable than those that are closed (not available to just anyone to modify).

So, what to do?

  1. Use a password or PIN – always. Beware of touch technology. It has been defeated.
  2. Use a password application to manage your passwords just like you would on your computer (Hey, your smartphone IS a computer)
  3. Load and use an anti-malware application on your phone.
  4. Only get applications from an approved application store. While this is not 100% safe, it’s much safer than some website you came across!
  5. Always remember that if you have voice control and a personal assistant — it’s always listening. And recording. And available to others with access.
  6. Finally, DON’T connect to public wi-fi! You have no idea who you are dealing with, who has access or will gain access, where your data is going…etc. If you have to use public Wi-fi, use a VPN.
  7. Be very judicious about what apps you have and use. Almost all of them have terms of use that allow them to upload all of your contact information. Some can access everything on your phone!
  8. Finally, use two-factor authentication.

With the world moving to these devices, protecting our identities and information is paramount. Make no assumptions about your information security on your mobile devices — protect yourself.

Again, thanks to the good folks at the ITRC and LexisNexis Risk Solutions for the conference and to Walt Manning for his great presentation information — some of which is included in this article.

Identity Theft: Following the Profits and Victims

We know identity theft is a billion dollar business conducted by criminal enterprises. These are NOT mom-and-pop operations! So we must take it seriously. What happens with the money stolen/scammed? And who are the victims and what do we know about their plight?

Protecting Yourself from Identity Theft

I wrote last week about the epidemic of identity theft. This week, again based at least in part on information provided by speakers at the 2nd Annual Government Identity Fraud Conference earlier this month, I’ll share some ways everyone can use to protect themselves from ID Theft.

First, a recap: Remember, experts tell us that with all the breaches that have occurred in the past few years, everyone’s identity has already been stolen. That means even though you have not been a victim, it doesn’t mean you won’t be. One Bulgarian ID thief/fraudster who got caught noted that they have so much data it will be years before they use up all the stolen identities already available.

And after all, the FBI reports it only costs $.35 on the dark web to purchase a real identity!

So what can we do? Here are some ideas from the experts.

  1. Passcode protect everything. Don’t use obvious passwords like your dog’s name or your street address number. Instead use a passphrase that is a combination of words, numbers, and symbols at least 11 digits long.
  2. You say you can’t remember anything that long? Here’s a link to Morgan Wright’s free online course on setting a passphrase you can remember: Morgan graciously provided this link to us at the conference.
  3. Change your passwords regularly. No, not every year, every month or so. Remember, even if one of your sites is breached and gives up usernames and passwords, they are only good until you change them. So change them regularly.
  4. Use a unique passphrase for each website or application. Don’t just clone that one password you can remember and use it for all your sites. Make them all unique, not just variations on a theme.
  5. OK, you say you can’t possibly remember all those passphrases? Neither can I. So use a password/passphrase management application. I use Dashlane, but there are many out there and they are all pretty good. Most will synch between devices. Pick your favorite.
  6. Make sure you are running malware protection software on all your devices. Start with your computer and then ensure you have protection on all your mobile devices. 
  7. Make sure the operating systems on your devices are up to date. Set them to auto update. Much of every update includes software patches for known security holes in the operating systems.
  8. Never, ever, use a public WiFi without using a VPN connection. Public WiFi is one of the easiest pathways to your data. Few of them are secure.
  9. Don’t fall for spear phishing emails! Spear phishing is a targeted email sent to you that appears to be from someone you know asking a reasonable question. But they almost always want you to send them private information about yourself or others. There’s a pair of rules to live by here. First, if it doesn’t sound right — it probably isn’t. Second, if someone, even someone you know, asks you to send personal information of any kind over the open internet, before responding, contact them directly to confirm it is legitimate (calling them is best). An ounce of protection… Keep in mind that spear phishing is the number one tool for espionage and information theft.
  10. Finally, although there is more, take the next step in privacy protection and use 2-factor authentication. This method requires not only a password/phrase but a secondary process of answering a question or using a unique PIN. It’s not foolproof, but it is a major step forward in security. Many applications and sites now offer this option.

Remember, the Identity Theft Resource Center reports an identity is used to the detriment of the real owner every 9 seconds in the United States. Here are ten ways you can protect yourself.

Again, thanks to the good folks at the ITRC and LexisNexis Risk Solutions for the conference and to Morgan Wright and Walt Manning for their great presentations — some of their information is included in this article.


And stay tuned — there’s more!

Combating Identity Theft

I recently had an opportunity to attend the second annual Government Identity Fraud Conference. This event gathered more than 150 government managers dedicated to protecting citizens from identity fraud and theft. Great dialogue and information sharing opportunity.

So what did we learn? Let’s start with ID theft and tax fraud. The IRS reported that through November 2015 it stopped more than 1.4 million fraudulent tax returns valued at $8 billion. Yes, billion! Many states are on the defensive as well, including Indiana, Georgia, Ohio, California, and others. During the past three years they, too, have stopped millions of dollars in fraudulent tax returns. For example, in 2014 Indiana stopped more than $88 in tax fraud attributable to identity fraud. These organizations demonstrate the significance of the problem, and I have not even addressed Medicare fraud, Medicaid fraud, unemployment fraud…etc. Experts tell us identity fraud is a multi-billion dollar business of organized crime. We’re not talking about your run-of-the-mill tax cheat here, but organized efforts to steal identities and use them to submit fraudulent claims for tax refunds, healthcare reimbursements, etc.

Those experts also tell us that — are you ready for this? — everyone’s identity has been stolen. Everyone is already compromised. And they are all available for sale on the “dark web” or the “deep web.” I’ll write more about those in future blogs. Your identity has been stolen; it may not have been used just yet. The point to remember here is: be vigilant!

Why? Don’t believe this is a problem of epidemic proportions? The Identity Theft Resource Center, a non-profit organization dedicated to aiding victims of identity theft, reports that every 9 seconds someone becomes a victim of identity theft. Every 9 seconds!

Another point to keep in mind is that government entities are working to protect and defend citizens as best they can from identity fraud. Hence the conference and information sharing at all levels of government, city, county, state and federal. Know that there is a concerted effort to defend against these acts as well as to attack this problem aggressively at all levels of government. And this effort must continue to gain in sophistication and subtlety. Crooks are getting more sophisticated — and so must we. That’s part of what this conference does annually, share information and techniques to defeat these efforts.

In coming weeks I’ll attempt to outline, without giving away any secrets to the bad guys, where and how criminals are perpetrating this identity fraud and where the stolen money goes (you’re going to hate the answers), what governments are doing about it, and what citizens can do to combat the problem.

The conference was an outstanding opportunity for information sharing and collaboration. It’s part of the solution to this problem, so thanks to the Identity Theft Resource Center (ITRC), the National Center for Missing & Exploited Children and LexisNexis Risk Solutions for presenting the annual conference that allows government organizations to learn, discuss, collaborate and defeat the crooks. These organizations’ websites also provide good information about this topic.