Government

So you received a data breach notification in the mail… no big deal, right? Not according to Javelin Strategy & Research’s latest report. In fact, Javelin’s latest research reveals you are four times more likely to suffer identity fraud if you’ve received a data breach notification within the past year.

The average fraud victim will spend 30 hours and $496 out-of-pocket costs to restore their affairs, merchants and financial providers will spend billions to protect systems and brands, and law enforcement will work hard to chase the bad guys.

Many states around the country are enacting laws requiring entities that have experienced data security breaches to notify affected individuals whose personal information may be at risk. However, there seems to be a disconnect between breach notifications and consumer awareness of the risk they bring.

Why You Should Take Notice

• During each of the past three years, an average of 11% of consumers received a breach notification.
• Of these consumer breach victims, more than 33% experienced exposure of their Social Security numbers and 15% had their ATM PINs compromised.
• Despite 19.5% of breach victims suffering some kind of fraud in the past year, only 2% attribute their fraud to the breach.

Come On, Do I Really Need To Worry About This?

It might be a good idea considering the Identity Theft Resource Center has already tracked 356 data breaches so far this year. Forty-six of those breaches have involved financial institutions, and when they or their third-party service providers are breached, it’s nasty.

Take for example the Heartland Payment Systems breach earlier this year. The result of this breach was a staggering compromise of 130 million credit and debit cards. Now that’s a lot of Visa cards…yikes!

What You Can Do?

There is very little we can do to avoid data breaches, however there are steps that we can take to better prepare ourselves for the next time that breach notification shows up in the mailbox:

• If you get a data breach notification, don’t dismiss it. "Data breach notifications are intended to help consumers take protective action," said Mary Monahan, Javelin Managing Partner & Research Director.
• Obtain credit monitoring services. Most companies will provide this free of charge in the event of a security breach, so take them up on it. You may also consider employing a more complete credit monitoring service or even initiating a credit freeze.
• Limit the amount of sensitive data you give out online or over the telephone. If the requested information has nothing to do with the transaction you’re making, don’t provide it. For more on this, read our article about becoming a "privacy grouch."
• Avoid or be cautious using wireless devices, “convenience cards”, credit cards or unfamiliar online transaction sites.

Lastly, remember the words of the orator, Robert Green Ingersoll when he said:

“It is a thousand times better to have common sense without education than to have education without common sense.”

From a recent UC Berkeley report:

More than half of the internet’s top web sites use a little known capability of Adobe’s Flash plug-in to track users and store information about them, but only four of them mention the so-called Flash Cookies in their privacy policies.

Under the direction of Chris Hoofnagle of the Information Privacy Programs at the Berkeley Center for Law and Technology, the researchers discovered that most web users aren’t familiar with Flash cookies and that Flash web cookies can’t be controlled through the cookie privacy controls in a browser. Even more interesting was the use of Flash cookies to ‘re-spawn’ or bring back to life traditional browser cookies that had been deleted on customer computers. In the study even several federal government web sites were found to contain Flash cookie ID information. The federal government has a policy of banning the use of traditional browser cookies.

What’s all the fuss about? Internet web sites often attach browser ‘cookies’—small strings of identifying text and numbers—to your computer to help them keep track of you and your preferences when you visit their sites. In theory this is a useful connection between you and the web sites you visit. For instance, an online book vendor could store your customer preferences information to better help you find what you want and make it easier to make your purchases.

However, like many useful, good things on the web, browser cookies have turned out to be an avenue for identity thieves to find us and our personal information. A cookie that no one knows about and that is not controllable through our web browsers, and can be used to re-spawn traditional browser cookies—could be a useful avenue for identity thieves indeed.

Changing Flash Preferences

Removing Current Site Cookies

Turns out, Adobe has a Settings Manager on its site where you can control how Flash cookies are stored along with other things. If you right-click on a piece of Flash code in your browser you can select "Settings" and get to this special place. Or you can just click our handy link: Adobe Website Storage Settings Panel.

What you should be seeing is something like this:

Here you can see which cookies have been written to your computer along with the ability to DELETE all of them. That's something I would strongly consider. Remember, however, that there are some benefits with these cookies. If you frequent sites that use this technology (and many do) you will be deleting some of your settings with those sites and you may have to re-enter text each time you visit.

There is risk/reward with every choice you make in life...

Even if you decide to push the Delete all Sites button, you still have some work left.

Stopping New Sites from Writing Cookies

Even if you deleted the cookies that have already been written to your computer, you'll need to keep new cookies from being written as well. Luckily, Adobe has created a way to do that:

Adobe Global Storage Settings Panel

If everything goes according to plan, you should be seeing something that looks like this:

Here you can tell Flash not to store any cookies in the future. Just drag the slider over to "None" and select "Never Ask Again." That's it!

Flash Cookie Removal Tools

Here are some other tools if you want 3rd party help with managing or controlling Flash cookies:

Windows:

• Better Privacy extension for Firefox -
  https://addons.mozilla.org/en-US/firefox/addon/6623
• Ccleaner - http://www.ccleaner.com

Mac OS X:

• FlushApp - http://machacks.tv/2009/01/27/flushapp-flash-cookie-removal-tool-for-os-x/

Flash Cookie Storage Locations

You can always go to the directory where the cookies are stored and remove them manually. It's not a permanent solution - new cookies will get created in the future - but it works.

Windows:

LSO files are stored typically with a “.SOL” extension, within each user’s Application Data directory, under Macromedia\FlashPlayer\#SharedObjects.

Mac OS X:

For Web sites, ~/Library/Preferences/Macromedia/FlashPlayer. For AIR Applications, ~/Library/Preferences/[package name (ID)of your app] and ~/Library/Preferences/Macromedia/FlashPlayer/macromedia.com/Support/flashplayer/sys

GNU-Linux:

LSO files are stored in ~/.macromedia.

Wrap Up

Now you know about the mysterious and curiously difficult to remove Flash cookies. They are pervasive - even on government web sites - and won't be going away anytime soon.

Please post any follow-up questions or concerns below...

Did that get your attention? Scammers are hoping it will.

Breaking News Malware Emails

An ongoing strategy of scammers is to send out spam emails with shocking or titillating subject lines. They've decided the recent nomination of Barack Obama is a perfect topic and Symantec has reported that emails are showing up that read something like this:

Sample Emails

Subject: Breaking news

Barack Obama refused to be the president of the United States of America

Yours Sincerely,
Cecily Lynn

Subject: What is going on with our country?

Obama has gone

Yours faithfully,
Rodney Lynch

The link in the actual emails (we're not linking to anything in the examples above) point to the following site:

What is the Threat?

The site instantly attempts to bypass any browser security and install malware on your computer. If that fails, any link on the site will download and install malware software. The software is called W32.Waledac. Here's what it does, as described from the Symantec web site:

Rest assured that we detect this piece of malicious software under the name W32.Waledac. This particular piece of malware is capable, among other things, of:

• harvesting sensitive information on your computer
• turning your machine into a spam zombie
• establishing a back door on your computer that will allow it to be remotely accessed

How Can I Protect Myself?

Resist the Impulse to Click - scammers will try to provoke an emotional response in order to keep us from thinking about what we're doing. When you see an email like this, think for a moment if it's even reasonable. Ask why someone would send an email like this. What's the point?

Keep Your Software Up to Date - we've recently talked about keeping your Windows systems updated. The same goes for browsers, email clients, or anti-virus software. If you're software is up-to-date, you're more likely to avoid being hurt by scams like this.

By the way, Obama certainly didn't refuse to be president. I watched the inauguration myself and my thoughts and prayers are with him. Whatever your political affiliation or citizenship, we should all hope and work for his success.

Thanks to our friends at Kroll Fraud Solutions, we have some excellent 2008 tax season tips for avoiding identity theft:

The U.S. economy may not be the only beneficiary of the recently passed federal economic stimulus package – identity thieves are getting a boost, too. Why? In the wake of the recent IRS announcement that more than 130 million Americans will receive tax rebates this year, identity thieves are using the promise of extra cash to lure Americans into disclosing their sensitive personal information.

These “phishing” schemes can take a variety of forms, the most common of which involves an identity thief who calls or e-mails a consumer pretending to be an IRS employee. The consumer is promised a sizable rebate if they file their taxes early. All the caller needs in exchange is the consumer’s bank account number to deposit the check.

The bad news is that schemes like the one described above are common; the good news is that falling victim to one is avoidable – as long as consumers get smart on the facts and follow the proper precautions.

Below ID theft expert Brian Lapidus, chief operating officer of Kroll’s Fraud Solutions, offers some important advice that every consumer should know about protecting their personal information during tax season. At Kroll, Lapidus oversees a highly-skilled team that includes veteran licensed investigators who meet regularly with IRS agents to stay apprised of emergent tax fraud issues – bolstering the team’s specialized work supporting breach victims and restoring individuals' compromised identities to pre-theft status.

Preparing your taxes?

• Beware of phishing schemes. The IRS never contacts consumers by e-mail or phone to request sensitive personal information (SSN, checking account information, etc.). If you receive a phone call or e-mail that you suspect may be a “phishing” scam, file a complaint with the Anti-Phishing Working Group and contact the IRS immediately.
• Avoid shopping mall kiosks or pop-up preparers who offer to assist you with tax preparation. Considering the amount of sensitive personal information involved in the tax preparation process, you probably don’t want to hand over your files to someone whose experience and background are unfamiliar to you. Ask a trusted friend to introduce you to his/her tax preparer or consult a local CPA association for trustworthy members.

Filing electronically?

• Avoid using wireless networks. Use of wireless networks means your data is being transmitted over open airwaves, similar to a radio transmission. If not properly secured, data can easily be picked up by an uninvited party.
• Don't prepare your taxes on a public computer. Public computers can contain “keylogger” spyware, which records every keystroke including passwords and account information. Keyloggers make it possible for an identity thief to steal any information entered into the computer during your session. Preparing your taxes on a public computer also increases your vulnerability to “shoulder surfers” – individuals who look over your shoulder to observe what you are doing and, more importantly, collect the sensitive data you’re entering.
• Only keep a record of your tax claims as long as necessary. Thieves can't steal what you don't have. Purge the data once the need for it has expired. Suggested guidelines for individual recordkeeping are available online through the IRS at: http://www.irs.gov/publications/p552/ar02.html#d0e617.

Filing by mail?

• Don't put your completed claim in an unlocked mailbox for pick-up. Instead, deposit outgoing mail at a post office.
• Take it one step further and opt for delivery tracking. That way you can be certain that your information has gotten to the IRS safely.
• Waiting for your tax rebate? Promptly remove mail from your mailbox after delivery. The longer your mail sits in an unsecured mailbox, the greater your chances of it falling into the wrong hands.
• You may also choose to have the IRS deposit your tax rebate directly into your bank account, further minimizing the risk of theft.