Showing posts with label fraud. Show all posts

Monday, May 13, 2019

What Real-ID means to Maryland drivers

Maryland Real ID
You may have seen news reports about the need for Maryland drivers to further document their identification and citizenship or risk confiscation of driver’s licenses. This isn’t hype. It is true and deadlines are fast approaching. If affected drivers do not update their status with the MD MVA, their license will not be considered valid, which means a police encounter could result in the confiscation of your license and TSA will not accept the license as proper ID.

REAL ID Act

The REAL ID Act was passed in 2005 setting the benchmark for personal forms of identification and establishing minimum security standards for driver’s license issuance and production. The act prohibits federal agencies, like the TSA, from accepting driver’s licenses from states that do not meet the standards. The deadline set by the Act is October 1, 2020. After that date residents of all states will need a Real ID Act compliant driver’s license to pass through airport security. 

How does this affect Maryland?

Maryland began issuing Real ID Act compliant licenses in 2016 and is listed as a state compliant with the Act. The licenses feature the state flag as the backdrop and the Real ID star logo. The license has multiple security features to guard against counterfeiting and was touted at the time as the most secure license in the U.S. 

The problem? While Maryland issued a license that met all of the Real ID Act physical security features the MVA did not always require the license holder to submit proper documentation for proof of identity or citizenship. Now those with the new “Flag” license are in danger of either losing their license or not being able to pass through federal security. 

MD MVA estimates that over a million drivers have the new license but not the necessary documentation on file. Trying to alleviate a renewal nightmare Maryland officials have set staggered renewal dates in June and November 2019 to clear the backlog before the federal October 2020 deadline. Over sixty-six thousand drivers have deadline dates in June 2019 to provide documentation. 

Is your license compliant?

Those holding the older licenses with the blue banner and crab logo are not required to update their records and may maintain their licenses until they expire. However, after October 1, 2020, these style licenses will not be accepted by TSA or other federal agencies. Even if you have been issued a flag design license you may still need to update your documentation with MVA.

You should get a notice by email and/or mail notifying you of the MVA’s need for documentation. Rather than wait for the MVA renewal notice, you can check whether your license is compliant at the RealID Lookup link. After searching your license number you will be told if anything further is required and what to do next.

Documentation

If you are required to update your records you will need:
1) Proof of age and identity: original or certified copy of your birth certificate OR a valid U.S. passport
2) Proof of Social Security: original Social Security card or W-2 form, or SSA-1099
3) Proof of Maryland residency: two documents required: insurance card, vehicle registration, credit card bill, utility bill, or bank statement. Each must have your name and Maryland address, and the two must be from separate entities.

This link has further information on Real ID FAQs.

Good luck!

Previous blog about licenses at "Real" ID.

Monday, November 26, 2018

It’s Cyber Monday, Y'all!

Cyber Monday credit card security
It’s Cyber Monday, Y'all! Do you know where your credit card is? Of course, you do. It’s in your wallet, or purse, or poised on your keyboard, ready to be put into service. I should have asked: do you know where your credit card number is?

In 2017, according to the National Retail Federation, 81 million people in the U.S. shopped online on Cyber Monday, about 15 million more than on Black Friday. The only way to snatch up those cyber deals is to pay with a credit card. And pay we did. Business Insider reported that we spent six and a half billion dollars in 2017, over $1.5 billion more than on Black Friday that same year.

We’ve become trained to look for https or the little padlock to indicate we are dealing with a secure site. And that is true for the transaction. E-commerce is mostly protected by encrypted communications. The security issue here is saving your personal and financial data on the company’s website. Creditcards.com posted a story in 2017 in which they conducted a poll of credit card users. The poll found that 94 million Americans store their card information online.
There may be encryption for the transaction, but when you store your data you’re giving the site all the information a cyber thief needs. That data sits in a database on the company’s servers for who knows how long. See a previous post on this blog about Cleaning Up Your Online Presence.

Storing your card information makes it much easier to check out but also exposes your data to hacking. Think about all the stories in the news this year alone about companies getting hacked, if not directly then through third party vendors. It’s so common that we almost stop paying attention to the reports. If we do feel we’ve been affected, we change our password and move on. It’s become so much a part of our lives that we’ve become complacent about e-commerce and our privacy.

Tips

·     You have to use plastic to shop online. When you do, use credit instead of debit.
·     Best not to store your information, especially if it’s a little used site or one-time purchase. Type your card in each time. Don’t create accounts. Check out as a guest.
·     Research with whom you’re shopping. The bigger the company the better, to some extent, as opposed to smaller businesses that have less traffic and do not have the resources to support up-to-date and effective security.
·     Consider having a card with a low limit that you use specifically for online shopping.
·     Monitor your accounts, especially after a shopping spree or big shopping day like Cyber Monday.

Not trying to be Chicken Little. Just trying to remind people to take a beat and check their online shopping practices. Coming back from identity theft or online fraud is not an easy path.

Even though it’s not credit card related, here’s another tip that could help protect your card. If you’re shopping Amazon or looking at reviews on Yelp or TripAdvisor, run the link to the product through a review analytics site like Fakespot.
The results will give you an idea about how reliable the seller is and if it is a reliable company. If using Fakespot, after you find a product on Amazon, copy the link from the search bar and paste it into Fakespot. The results will be a grade regarding the site and advisement on whether you should proceed or not.

Please feel free to share. Visit the blog archive for more posts about Privacy. https://mazzellainvestigations.blogspot.com/search/label/privacy

Monday, August 6, 2018

No autographs, please


Beginning April 14, 2018, some of the major credit card companies eliminated the need to sign receipts, for any amount. American Express, Mastercard, Visa, and Discover had a previous signature requirement for any purchase over $50. The major card companies ended the requirement hoping to expedite customer experience at checkout. Since the announcement, it seems as if every store now has a different requirement at checkout. Some checkouts are as simple as tap and go; some still require a signature.

Signing

Signing the keypads was a holdover from the credit receipt days when your signature acknowledged that you were responsible for the charge. This carried over to the electronic signature pads, which really just became an acknowledgment of the purchase. Even if someone did steal your card they could sign any name. Credit card companies and merchants would use the signature to settle sale disputes, but with advancements in fraud detection technology they say signatures are no longer necessary. Over the years the need for a signature had become a joke to some. People scribble on signature pads, sometimes with their fingers, write illegible signatures, or actually write “This is not my card” to test cashiers. The truth is, cashiers would rarely look at the back of the cards. With the advent of the keypads, the cards rarely exchanged hands so cashiers could not compare the signatures. Some retailers would ask for ID to compare the customer with the name on the card. This is becoming even rarer.

Why sign the back?

Most cards require a signature on the card to “validate” the card. In an attempt at fraud protection, some customers refuse to sign the card or write, “Ask for ID”.  Sometimes this works, but most of the feedback I’ve heard is the cashier refusing to accept the card. If the card is not signed and is stolen then the thief could use his or her own signature. 

Card signatures are probably moot because the card rarely exchanges hands, except in the restaurant industry. With all of the fraud protection and the level of security awareness we assume we have achieved, a restaurant is still one of the very few places where we hand our cards to strangers and allow them to walk out of our view.

As fraud detection technology has advanced, the need for signatures has decreased in the last several years. The implementation of the EMV chip (Europay, Mastercard, Visa, the companies that developed the technology) and contactless readers has eliminated the need for the signature, as these advancements have decreased the use of fraudulent cards. Unlike the magnetic strips, chips protect against hacking as the chips produce a one-time password or token to exchange the card data. Hackers may be able to obtain the information through breaches but it is unlikely they would be able to use the data or it would be too costly to decipher. This is the same technology used when using a Smartphone to pay at a contactless reader.
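The one-time value described above can be modelled in a few lines. This is an added example, not code from the original post: it is a simplified stand-in (HMAC-SHA256, a constructed card number, hypothetical `ChipCard` and `Issuer` classes), not the real EMV cryptogram algorithm, and it shows why card data copied in a breach or by a skimmer is declined when it is sent again.

```python
import hashlib
import hmac
import secrets


def _mac(key, pan, amount_cents, counter, nonce):
    # Bind the one-time value to this card, amount, counter and terminal nonce.
    msg = f"{pan}|{amount_cents}|{counter}|{nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChipCard:
    """Hypothetical chip: holds a secret key that is never sent to the terminal."""

    def __init__(self, pan, key):
        self.pan = pan
        self._key = key
        self._counter = 0  # increases with every transaction

    def authorize(self, amount_cents, nonce):
        self._counter += 1
        return {
            "pan": self.pan,
            "amount_cents": amount_cents,
            "counter": self._counter,
            "nonce": nonce,
            "cryptogram": _mac(self._key, self.pan, amount_cents, self._counter, nonce),
        }


class Issuer:
    """Hypothetical bank side: shares the key with the chip and tracks counters."""

    def __init__(self):
        self._keys = {}
        self._last_counter = {}

    def issue_card(self, pan):
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_counter[pan] = 0
        return ChipCard(pan, key)

    def verify(self, tx):
        key = self._keys.get(tx.get("pan"))
        if key is None:
            return "declined: unknown card"
        expected = _mac(key, tx["pan"], tx["amount_cents"], tx["counter"], tx["nonce"])
        if not hmac.compare_digest(expected, str(tx.get("cryptogram", ""))):
            return "declined: bad cryptogram"
        if tx["counter"] <= self._last_counter[tx["pan"]]:
            return "declined: replayed counter"
        self._last_counter[tx["pan"]] = tx["counter"]
        return "approved"


def demo():
    issuer = Issuer()
    card = issuer.issue_card("4000000000000002")  # constructed test number
    genuine = card.authorize(2599, secrets.token_hex(4))
    results = {"genuine": issuer.verify(genuine)}
    # Data copied from a breach or skimmer: the same message sent again.
    results["replay"] = issuer.verify(dict(genuine))
    # Same captured data with the amount changed.
    results["tampered"] = issuer.verify({**genuine, "amount_cents": 99999})
    # Magnetic-stripe style copy: static card data only, no key to compute a fresh value.
    clone = {**genuine, "counter": genuine["counter"] + 1, "cryptogram": "0" * 64}
    results["static_clone"] = issuer.verify(clone)
    # The real card still works afterwards.
    results["next_genuine"] = issuer.verify(card.authorize(500, secrets.token_hex(4)))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Nothing in this check identifies the person presenting the card, so a stolen physical card still passes until it is cancelled.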

Speed speed speed

In reading all the news releases regarding the removal of the signature requirement, the constant theme was speed at the checkout. Banks and merchants want to get customers through the checkout as quickly as possible. This also removes the cashier’s interaction with the customer’s card. The onus is on the “system”, not the cashier to verify the card. What it doesn’t do is verify the identity of the possessor.

Chip technology only proves that the card is real. It does not provide security as to the identity of the possessor. Therefore, if your card is stolen it can still be used until canceled. That is why it is extremely important to report your cards as lost or stolen immediately after discovering such. Some banks offer a mobile feature that allows you to remotely freeze your card until it can be found or verified that it has been lost or stolen.

Banks are experimenting with biometric identification methods to further verify the card’s user. Similar to your Smartphone, fingerprint verification would be needed to approve the transaction. Europeans have been using chip-embedded cards since 1994. The next step in European credit security will be chip and PIN, which will require users to enter a PIN to verify identity, the same as using a debit card. America had been slow to adopt chip-embedded cards due to the millions of magnetic strips already in use. With the push for speed at checkout, Americans will get used to not having a signature pause and may balk at having to add a PIN to the process.

Retailers will have the decision whether or not to require the signature. Some have already begun removing the requirement. Some may be restricted by the hardware used to complete the credit transactions. As point of sale equipment is updated even more merchants will not require signatures.

Until then don’t be shocked if the clerk just smiles and hands you the receipt. Or would you like it emailed?

Refer to the blog archive and categories for more posts about identity theft and fraud.

Monday, November 13, 2017

Time expired on parking meters


You approach the parking meter. It is a standalone machine in the parking lot, not connected to a building or a visible wired connection. While the meter does accept cash, it also has a credit card slot. You unsheathe your card and slide it into the slot as instructed by the screen. The meter reads your card and communicates, wirelessly, with the bank. If the card is authenticated, the transaction is approved and the meter distributes a receipt. Transaction complete. So what just happened?

In the everything-is-hackable world of digital communication we live in, how are parking meters safe? Research on this topic seems to indicate a risk-reward scenario or, more likely, a not-worth-the-effort scenario. As we have seen in recent years, any system of any entity is subject to hacking, no matter the type of hardware or the owner. This article continues the discussion regarding the security of parking meters raised in the post Skimmers, August 2017.

The parking meter

Before we get into the security of the parking meter, first a little history.

According to Wikipedia, Massachusetts entrepreneur Roger Babson filed the first patent for a parking meter in 1928. The electric meter was meant to be powered from the battery of the parked car. Either due to design or necessity at the time the Babson meter never caught on. In 1935, Oklahoma City newspaper publisher Carl C. Magee had identified parking issues in the business district and was asked to find a solution. His idea was to regulate parking through coin operated meters associated with spaces determined by lines painted perpendicular to the curb. Magee asked Oklahoma State University engineering professors Holger Thuesen and Gerald Hale to develop a machine. The result was the Park-O-Meter, for which Magee received a patent in 1938. The first Park-O-Meter was installed in downtown Oklahoma City in July 1935. Retailers loved the meters as they encouraged a quick turnover of cars and potential customers. Drivers, initially opposed, were forced to accept them. The cost for that first hour was five cents.

The first meters accepted coins and had a dial to engage the timing mechanism with a red flag to indicate expiration of time. Those meters required a service person to keep the mechanism wound. Later iterations by other companies provided a system that remained wound by the action of the user setting the time, eliminating the need for service personnel. Since the parking meter made its debut there have been many styles and mechanisms deployed. All of which have completed the same task, measuring an amount of time for a price. Manual mechanisms remained in service for fifty some years until advancement in technology allowed for digital operations in the 1980’s.

At this point in our history lesson drivers looking to park their cars still had to use coins. Some machines only accepted one kind of coin. Different variations of the parking meter existed depending on the maintenance and replacement by local governments.  

Again Wikipedia tells us that in 2007 the IPS Group from San Diego, California introduced the solar powered credit card accepting parking meter. (Wikipedia is used as a source because there isn’t much out there in the way of the history of the parking meter.) The so-called smart parking meter was born.

Smart parking meters

Advances in wireless technology have been applied to parking meter design to develop the “smart meter”. These meters are solar powered with wireless connectivity. This gives the meters the capability to talk to maintenance crews and banks, allowing for service calls and electronic transactions. This type of technology also allows drivers to pay through the use of phone apps and single machines to regulate multiple spaces. They also can be designed to alert enforcement personnel when cars are over parked.

The market is flooded with types and styles from a variety of vendors. Some municipalities use single pole meters per space and others use machines that regulate multiple spaces. All use wireless connectivity, which brings up the question: can they be hacked?

Are smart parking meters secure?

Shortly after the introduction of the smart parking meter, three hackers revealed at the Black Hat conference in Las Vegas in 2009 that they had hacked meters in San Francisco. In an attempt to prove the security flaws of the new technology, the hackers reverse engineered the technology and found that the machines had little in the way of protection or encryption. They were able to “trick” a variety of meters into providing free parking. This infiltration manipulated the meters but did not attempt to intercept or steal credit card transactions.

Since this report was made public, parking meter manufacturers have worked to improve the technology to protect electronic data transfer. Even the FTC issued a report in 2015 encouraging all manufacturers of smart devices (appliances, thermostats, etc.) to invest more into securing the “Internet of things”.

The International Parking Institute released a report titled, "What's What in parking Technology" in 2016. The report describes a point-to-point credit card encryption method, which delivers end-to-end encryption. The method instantaneously converts credit card data into an indecipherable code at the time the card is swiped to prevent hacking. Similar to how Apple Pay creates a token that has no exploitable meaning or value except to the key holders at either end of the transaction. This allows the meters to communicate directly to the banks.

This also means that any credit card data stored on the meter is encrypted as well so that it cannot be read by anyone, including maintenance personnel. As with any electronic transaction it is recommended that you keep your receipt, as it contains a bank authorization number to reference your transaction with your credit card company.

Hacking the wireless connection to obtain credit data may not be fruitful but there have been a few instances reported regarding skimming. This is when a thief attaches a device over or into the manufacturer’s credit card slot. The device collects credit card data as cards are swiped. The problem is that parking meters are smaller than ATMs and gas pumps, so it is harder to hide the skimming devices. Not that it cannot be done or tried. On ANY type of machine that accepts credit cards you should check for evidence of tampering before swiping your card.

So, our journey brings us back to the question, is it safe to use your credit card in a smart parking meter? For the most part, yes. The meters themselves either do not store data or the data is encrypted. The transactions also are encrypted. The machines themselves offer little space for skimming devices. Can they be hacked? More than likely a resounding yes, as anything can be. Is it worth the criminals’ effort? Other than bragging rights, probably not. The payoff is not worth the effort.

Another source of curiosity is vending machines that accept credit cards. There have been no indications that they’ve been targeted. But with what we’ve learned about parking meters, we’ll chalk those up to the payoff not being worth the effort as well.

Please feel free to share any and all posts. See the blog archive for more posts about wireless and personal security:
Skimmers August 2017
Pain at the pump October 2016
Taking your identity on vacation June 2013


Tuesday, October 17, 2017

“Real” ID


The other day I jumped in a friend’s car for a quick errand. Doing the quick pocket check I noticed that all I had was my cell phone. Oh well, where we were going didn’t require the need for money or identification. If I did need money I could probably use the mobile pay feature. The thought did cross my mind though, “What if I needed to identify myself to authorities?” Would security officers or the police accept the personal contact card on my phone as my identity?

Without a government issued ID isn’t your phone just like a wallet full of credit, library, reward cards, etc.? Lots of stuff with your name on it but no official identification. For the most part I doubt any police officer would accept information about you on a phone in your possession as a positive ID. They’d probably take it into consideration and just do it old school. Get all of the pertinent details and run a computer check to verify your identity.

Driver’s licenses as ID

When automobiles started roaming the countryside they and their operators were unregistered. In 1901 New York was the first state to require automobiles to be registered. Many states followed suit and required licenses for autos but not the drivers. Massachusetts and Missouri required the first personal U.S. driver’s licenses in 1903. Since that time driver’s licenses have been used not only as an affirmation that the state approved the holder to operate an automobile, but also as a form of personal identification.
Since the U.S. has no national identification cards, the driver’s license has filled that void.

Digital driver’s licenses, to be displayed on phones, are being considered in several states, Maryland being one of those. Security and privacy issues are at the forefront of these considerations. In the Apple v FBI standoff we saw how difficult it is for law enforcement to unlock and/or view information on a person’s phone. So until your state adopts a digital driver’s license, using your phone to identify yourself probably wouldn’t be taken as official.

Security? Using your phone is probably a definite no, as you need a government issued photo ID to get into facilities and to travel. Airlines accept digital boarding passes when backed by government issued photo IDs. Even your standard driver’s license is changing. To combat fraud and counterfeits, states have been updating licenses and the way they are issued. Although many states took up the license issue themselves, Congress ensured that all states would have to get on board by passing the REAL ID Act in 2005.

REAL ID Act

The REAL ID Act set the benchmark for personal forms of identification establishing minimum security standards for driver’s license issuance and production. Further, the act prohibited federal agencies like the TSA from accepting driver’s licenses from states that do not meet the standards. The deadline set by the act is January 22, 2018. After that date residents of all states will need a Real ID Act compliant driver’s license or a passport to pass through airport security.

The act requires that driver’s licenses include all the identification features you would assume but also digital photographs, physical security features that prevent tampering or counterfeiting, and machine readable technology (barcodes/magnetic stripes). As the concept of digital driver’s licenses is being studied, the effective date of the REAL ID Act in 2018 will either extend or quash those studies.

A list of REAL ID compliant states can be found on the Department of Homeland Security page, REAL-ID.

While you could probably identify yourself with the contents of your phone it is doubtful you’d get through a serious police encounter. You certainly couldn’t board an airplane. Probably better to add “license” to your pocket checklist.

Read the blog archives for another post about personal identification.
Can I see some ID? February 2014

Tuesday, August 8, 2017

Skimmers


We’re not talking about water bugs, tools to clean your pool, or skipping rocks. These skimmers steal your financial identity. The news had reported that skimmers were discovered on a local gas station’s pumps. This particular station consistently has problems with pump maintenance and just the overall condition of the pumps seems to be “beat up”. It was not a surprise that skimmers had been installed. Not that the owners had any involvement, but meaning that the owners/operators are not paying attention to the condition of the pumps or what is going on at the pumps. This station is also known to allow third party vendors to sell their goods on the lot and accost customers at the pumps. Big personal security peeve: do not approach me while I’m using a gas pump or ATM. These little things add up and go back to not being surprised. The condition and environment of a business can be both a deterrent and an invitation to criminals.

Not everyone may know exactly what a skimmer is or the extent of the problem. I thought some background might help us from becoming victims. A little education goes a long way.

Skimmers

So what are skimmers? Credit card skimmers, or skimmers, are electronic devices that are attached to machines with credit card slots, mostly ATMs or gas pumps. The parasite device usually fits over top of the original slot so that the customer believes they are inserting their card into the machine’s card slot, when in reality the card is swiping through the criminal’s device. The device retrieves the credit card data from the magnetic strip and stores it until the criminal retrieves the device. Newer, more sophisticated devices attach internally to the machine’s card slot or transmit the data via Bluetooth.

Although criminals can make use of debit card information, it is much easier with the associated PIN. To gather this information there will also be a camera attached somewhere to video the customer entering the PIN on the keypad. Or a fake keypad accompanies the slot reader and records the keystrokes. Most times the operation of the machine is not affected. If the machine fails to work, you may have already become a victim.

History of skimmers

The idea of the use of credit card skimmers was mostly urban myth. In the late 1990s, we were just getting used to personal computers, let alone tiny devices that could steal data from a magnetic strip. Nobody believed that such things existed or could work.

The skimmer myth also gained notoriety in restaurants. Wait staff would be issued a small skimming device to carry with them. They covertly slide the card through the device to collect the data from the magnetic strip on the way to the cash register. The device holds all of the data until the end of the shift, when they pass off the device and are paid for their efforts. The victims then start seeing charges on their cards.

If you think about it, a restaurant is the only place you hand a stranger your credit card and let them walk out of sight.

Gizmodo.com featured a good 2014 article on skimming history, The Evolution of ATM Skimmers 

Here is a synopsis:
2002: A CBS report confirmed the existence of skimmers when they reported devices that could record the names, account numbers and other identifying information from credit card magnetic stripes.
2008: Naples Police Department investigated a rudimentary device jammed over an ATM's actual reader. The thief inserted a "micro camera" under a plastic sheet to capture the victims' keypad strokes. This was one of the first times a device had been recovered.
2009: Skimming really takes off as the devices, in different shapes and sizes, began being discovered on ATMs. Over the next few years the technology progressed. The Internet allowed for distribution networks to manufacture devices and kits that were identical to the machine the criminal hoped to crack.
2011: ATM manufacturers began cracking down on skimming by installing anti-skimming devices on their machines. These consisted of translucent, circular casings over the card reader, which the criminals quickly learned to replicate.
2012: Skimmers become too small to be detected, some being paper thin and inserted into the card slot.
2013: Gas pumps became targets. A series of scams in Oklahoma saw thieves take home $400,000 from a chain of Murphy's gas stations before they were eventually caught. The thieves used a card skimmer and fake PIN pad overlay to obtain the necessary information. Even more eye opening, these skimmers used Bluetooth enabled devices that sucked power from the pumps themselves, allowing them to run indefinitely and allowing remote access to the data; once it was installed, the thieves would never need to touch the skimmer again.

How it works

The devices used come in all shapes and sizes. Most fit over the card slot. Some actually are big enough to replace the machine face. The closer to resembling the original card slot, the less chance of being detected. Home 3D printers are making these deceptions a lot easier. As with everything else electronic, these devices are getting smaller every day. Some skimming devices are so small and thin, they slide inside of the card slot itself. Newer devices attach to the internal wiring of the card slot. These are mostly used on gas pumps. How do criminals get inside the pumps you ask? Universal keys are available that open the pump faces, exposing the card readers. The criminal will have one or more accomplices to block camera/attendant views while they install the device. Victims never know what hit them.

Once collected, the numbers are used in different ways depending on the criminal. Some are sold on the Internet for around $50 apiece (+/-). Some criminals use the collected numbers to make counterfeit cards, which they use to purchase items, usually electronics, for resale (similar to Melissa McCarthy in the movie Identity Thief). The more advanced organizations use the cards to purchase gas. They drive around in specially outfitted passenger vehicles filling up covert gas tanks. This gas is then offloaded into tanker trucks and sold to less than scrupulous gas stations.

There are thousands of iterations of card skimmers. If you’d like to see what they look like just search “credit card skimmers” in Google images.

Protection

Criminals and the technology they use are getting more sophisticated. The Internet provides enough intelligence that consumers can protect themselves. But criminals are sharing information as well. Once law enforcement or consumers defeat one strategy, criminals learn and improve their methods. So what can you do?

Some gas stations are installing seals to cover the seams that hold the payment box. A broken seal is obvious, but multiple seals overlaid is a clue and, of course, enterprising thieves can replicate seals. Another clue can be the condition of the machine in which you are about to slide your card. If the payment box area is not maintained or appears to have been forced open, be wary. Inspect the card slot. Give it a tug. If anything is out of sorts or the slot comes off in your hand report it to the station and the police.

If your transaction attempt doesn’t work, don’t keep trying. Stop and perform an inspection. The skimmer may be causing a malfunction.

Some habits to get in to help protect your card security:
  • Use Pumps/ATMs near attendants. Less chance they were compromised.
  • Pay inside
  • Pause before you swipe, inspect card slot, look for security seal
  • Feel for difficulty inserting or sliding card
  • Wiggle slot housing. Don’t have to break it. Criminals aren’t going to install anything that takes time or is permanent
  • Check nearby pumps, compare slots for differences
  • Guard the card number
  • Use Apple/Samsung/Android pay whenever possible
  • Check accounts regularly

Report any suspicions to the business owner, the police, and the issuing bank.

This post focused mainly on gas pumps. Another area of concern is the new style parking meters that allow you to swipe at the meter. Seems like easy targets. Get back to you on those.

Please feel free to share. See the blog archive for more articles on personal security


Monday, April 24, 2017

Teach your employees well


Small business hacking is becoming more prevalent. The payoff isn’t as big but the opportunity is greater and security is lacking. Security firm Symantec reported in 2016 that 43% of cyber attacks were against small business. Small businesses have little in the way of security and employee training. They often have more to lose in the sense that they have less cash flow or all of their money is tied up in their business, making them more likely to pay ransoms. (Ransomware is explained in more detail in our post, If you ever want to see your files again…)

Attacks can be as simple as rerouting the web address to a porn site, locking all of the computers for a ransom, all the way to hacking financial data and cleaning out bank accounts. More than half of the companies attacked were forced to go out of business. Maintaining sound computer security cannot be emphasized enough.

The website Small Business Trends, in an article posted January 3, 2017, stated that 48% of attacks are caused by an employee error. In addition to updating security software one of the biggest defenses owners can deploy is educating their employees on cyber attack indicators. The malware has to enter the system somehow. Simply clicking on attachments will send the virus into the network to do its work. The more stealthy viruses will enter the system without a show of existence. These are meant to mine data from the system. By the time you find the virus the bank accounts are fleeced.

Regularly train employees on different types of attacks and how to defend against them. Establish a policy for computer usage. Explain what is acceptable Internet use. Malware can be injected via email attachments or links to websites. These links can be introduced through email or social media. Demonstrate what a suspicious email, link, or social media contact looks like. Practice solid password policies and change passwords regularly. Encourage employees to speak up when something is suspicious and not to click on it.

Even if you do not think you store valuable data, although customer records are a valuable commodity, the chance of losing your business data or risking a financial attack is too great a chance to take.

See our blog archive for other posts relating to cyber security.



Tuesday, February 14, 2017

Tax [Fraud] Season


Once the calendar year turns over thoughts of filing taxes begin. So do the warnings of tax fraud and prevention tips. Having been the victim of tax fraud I know the inconvenience of proving your true identity to the IRS; now having to file under a number rather than your true name. As the digital world expands, so does tax refund fraud. It’s a good bet that you know someone who has been a victim or that you, yourself, are a victim.

Theft

Most people will file their tax returns electronically, either themselves or through a tax preparer. It’s quick, it’s easy, you get your refund faster. Unless you get an error saying that you have already filed. Your first reaction is that there is a mistake, but you soon realize that you have been the victim of identity theft. Someone has obtained your name and social security number and filed your taxes on your behalf.

It may not have been a direct theft in the classic sense. It could have happened during an electronic data breach of a larger scale or someone hacked your computer, any number of ways. Your information is uploaded to the dark web (it’s a real thing that criminals use to conduct their business or exchange information) and resold many times. The criminal then fills out an electronic tax return with your information and bogus financial information and has the refund sent to a direct deposit or PO Box. The IRS does compare information against past filings but that doesn’t occur until well after the refund has been issued. Software is in place to try and stop fraud, but, again, the refunds are issued so quickly it happens before any alarms go off.

You then have to go through an arduous process to prove yourself to the IRS, file the fraud report, and wait for the IRS to investigate your claim. If they find that you are a victim they will then issue your return and assign you an identification number to use for future filings. The whole process takes several months. Other than the waiting, it really wasn’t an unpleasant experience and the refund was issued in a timeframe shorter than expected. It’s also interesting to request a copy of the fraudulently filed return from the IRS. You get to see what deductions your other self made and the amount some PO box received.

Prevention

One school of thought holds that filing returns late in the season, near the April 15 deadline, makes you more susceptible to fraud. This gives the criminals time to file their fake returns and receive the refunds before you file. Tax regulators say to file early to get a refund as quickly as possible, thus beating the criminals to your money. States have even made the effort to streamline the process so that refunds are received as quickly as possible after the return is filed.

Law enforcement doesn’t comment on the timing of the filing, but rather suggests delaying the issuance of the refund so that fraudulent returns can be identified. At a recent tax security summit, the U.S. Attorney for Maryland, Rod Rosenstein, commented from the panel, “The quicker you are on paying refunds, the greater the risk of not finding fraud.”

Hawaii, Illinois, Louisiana, Minnesota, Montana, North Dakota, South Carolina, and Utah are some of the states that are slowing returns to further prevent fraud. Maryland issues refunds within two days of receipt of the return. The comptroller’s office relies on analytical software to detect digitally filed fraudulent returns. Additionally, Maryland will not issue refunds until the comptroller’s office has a W-2 on file. With these methods in place the comptroller’s office hopes to combat fraud while at the same time efficiently serving the taxpayers.

The Maryland legislature this year is considering a bill named the Taxpayer Protection Act of 2017. This bill would give the comptroller’s office broader authority to build criminal cases against fraud and extend the statute of limitations for prosecution to six years.

There is no way to know if your personal data has been stolen. Regarding taxes it is best to file early. If you do become a victim, report it to the comptroller’s office and IRS as soon as you are aware. Document everything you do and who you speak to. Secondarily, begin looking into your banking and credit cards as they may have been breached as well. Review statements and set up alerts.

Be sure to read our other posts related to identity theft.

Sunday, November 27, 2016

Scam websites


Note: This post was originally published on November 27, 2016 and has been updated with new information.

On top of all the safety concerns we have for shopping in the real world, you have to be careful online as well. Not only about identity theft, but also about bogus, too-good-to-be-true deals on fake websites and fake mobile apps.

You used to be able to look at a website and have your spider sense tingle, warning that this doesn’t look quite right. But now, at first glance, it’s hard to pick out a thrown-together site. Site building skills and packages are such that pretty much anyone can construct a site that looks like a multibillion-dollar corporation is at the other end, when in reality it’s a small-time operation or, worse, an out-of-country company that is selling bogus products or collecting personal data.

Scam Busting

One quick way to tell if the site is not quite on the up and up is to take a tour and make note of the grammar. One thing the scammers haven’t quite grasped is writing in grammatically correct English. Sites that do not pay attention to simple grammatical structure probably don’t have your best interest in mind. We’re not talking about a typo here or there, or misusing there, they’re, or their; you'll see serious grammar issues that scream no quality control. But don’t use this as your only method.

There are several “detectors” that can be found online: you enter the questionable website address and the detector gives you a report on the site, including a score, location, technical data, owner, and contact information. One such site is Scamadviser.com. [This is just one of many and no endorsements are being given.] This site seemed to provide the most detailed information that online users could use.

If you’re not sure of a site, run it through a “scam busting site”. You should be able to get enough layman’s details to determine whether the site in question is one you want to give your credit card to.

Typosquatting

In the early days of the Internet, criminals would identify the most popular retailing websites and then figure out the commonly mistyped spellings of the retailers’ names. They would create their own sites under the misspelled names. Users always misspelled Amazon, for example. Type in Amason, and you are directed to the scammers’ site. Companies figured this out and began buying up the domain names associated with the misspellings.

The technique is called typosquatting. The practice diminished but is picking up popularity again. It’s hard to think of or even buy every possible spelling combination, so criminals are able to slip past the gatekeepers. The fraudulent sites are very close facsimiles of the real sites. Once a user interacts, malware is downloaded onto the user’s computer and/or information is stolen.
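As an added illustration (not part of the original post), the Python below checks a web address against retailers you already trust and flags one that is a single typing slip away, such as the Amason example above. The KNOWN_GOOD list, the function names, and the sample links are assumptions constructed for this example.

```python
from urllib.parse import urlsplit

# Constructed list of retailer domains the shopper already trusts (assumption).
KNOWN_GOOD = ("amazon.com", "bestbuy.com", "walmart.com")


def site_domain(address):
    """Lower-cased last two labels of the host, e.g. 'www.Amason.com/x' -> 'amason.com'.

    Naive on purpose: multi-part suffixes such as 'co.uk' are not handled.
    """
    if "//" not in address:
        address = "//" + address          # let urlsplit see a host, not a path
    host = urlsplit(address).hostname or ""
    return ".".join(host.rstrip(".").split(".")[-2:])


def typo_distance(a, b):
    """Optimal string alignment distance: counts single-character insertions,
    deletions, substitutions and swaps of two adjacent characters."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution or match
            if (i > 1 and j > 1 and a[i - 1] == b[j - 2]
                    and a[i - 2] == b[j - 1]):
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent swap
    return d[-1][-1]


def check_address(address, known=KNOWN_GOOD, max_slips=1):
    """Return ('exact', domain), ('lookalike', imitated domain) or ('unknown', None)."""
    domain = site_domain(address)
    if domain in known:
        return ("exact", domain)
    closest = min(known, key=lambda good: typo_distance(domain, good))
    if typo_distance(domain, closest) <= max_slips:
        return ("lookalike", closest)
    return ("unknown", None)


if __name__ == "__main__":
    # Constructed sample addresses, such as links found in an e-mail.
    for link in ("https://www.amazon.com/deals", "http://amason.com/login",
                 "amaozn.com", "wallmart.com", "https://example.org"):
        print(link, "->", check_address(link))
```

A "lookalike" result means the address is not the retailer you know and deserves a closer look before you enter a card number; "unknown" only means the site is not on your own list.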

Mobile devices are targeted as well through fake retail apps sold in smartphone stores. The apps mimic legitimate retailers, but they install malware that steals identity and financial information, and sometimes installs ransomware (If you ever want to see your files again, August 8, 2016). The RiskIQ cybersecurity company estimates that 1 in 10 Black Friday apps were fraudulent. The biggest app stores fall victim to fake apps. Retail apps may be safer downloaded from the retailer’s website.

Another oldie but goodie is fake shipping notices sent via email. They are always prevalent but become more so when criminals know that there will be an increase in online shopping/shipping. The notices can look real and appear as if they are from a retailer from which you recently purchased. With the flurry of shopping everyone does at this time of year, it’s easy for fake notices to get lost in all the emails received. Know what you purchased and from whom, and monitor the confirmations and shipping. Most companies will send out a confirmation email, a product shipped email, and possibly a follow up. Be on guard for anything more.

It’s hard to say stick with nationally named brands and big retailers. Lots of small businesses make their living through online sales and often have good deals especially on unique items. Just as if you were shopping in the real world, you wouldn’t buy from a questionable character off the street, so do some research before you buy online. And watch out for too good to be true deals, especially on hard to find items. Use common sense.  Check reviews. Do your homework.

Be safe. Enjoy the thrill of the hunt.

See our blog archive for other posts relating to shopping safety.

Tuesday, February 23, 2016

Verified to work within the U.S.


Some relate identity theft to the actual assumption of your name and personal data: someone living a carefree life under your name, sticking you with all of the debt. But there are several ways your identity or even parts of it can be used fraudulently.

Having the pleasure of someone else filing your taxes takes out all of the stress. When it’s a trusted professional it gives you peace of mind. When it’s a complete stranger who also accepts your refund on your behalf, it’s frustrating to say the least. Not long ago we were among the hundreds of thousands of victims of tax refund fraud. You file your taxes electronically and it gets rejected because someone else has already filed. You don’t know how your data was compromised or why the IRS accepted such an oversimplified return that is out of character with years of your own filings, but it happened. The IRS doesn’t figure out who is the real you, you have to prove it.

You go through the IRS process of identifying yourself and after a few months you are good to file again, except now you have to use a special PIN. Due to your social security number (SSN) being compromised, you can no longer use it to file.

Job search

Probably everyone reading this has been the victim of some level of identity theft. Whether it is credit card skimming or tax refund fraud, with very little information someone can take your identity. Depending on the level, the fixes can be arduous. Prevention is easier. File your taxes early. Monitor your credit scores and your accounts. You can increase the security on credit card accounts, opting for notifications when someone accesses your account. Be mindful of how and when you use your credit card, but these are financial issues. If your SSN has been compromised, you may also be applying for jobs that you are not aware of.

A lot of systems are still set up to identify you through your SSN, one of those being employment. Not only can your now-compromised SSN be used to get tax refunds and buy merchandise, it can also be used by someone to apply for a job. If you’re not collecting social security you may not know your identity has been stolen in this manner. This type of SSN fraud is more prevalent with illegal aliens who use their own name but a stolen SSN. It is estimated by several sources that over seventy-five percent of illegal aliens use fraudulent SSNs to obtain employment.

EVerify

EVerify is an Internet-based system that compares an employee’s personal data with data from the U.S. Department of Homeland Security and the Social Security Administration records to confirm employment eligibility. Basically, it asks whether the employee is legally within the U.S. and whether the information provided is not being used fraudulently. EVerify is administered by the U.S. Citizenship and Immigration Services (USCIS). USCIS has created, within the EVerify system, a new service called myEVerify. myEVerify allows the user to monitor the use of their social security number within the EVerify system. EVerify is used by employers…myEVerify is used by workers.

Not having afforded myself this level of SSN protection, I decided to take it for a spin. The process took about five minutes and wasn’t that painful. In addition to the normal web account setup process, you must also go through a series of identification questions. An added level of identification verification is an “identification quiz” that further confirms your identity. One can tell from the questions asked that the personal identifiers provided in the account setup process are checked against financial and public databases to generate the questions. This is all done to ensure that the person setting up the account is, in fact, you. A side benefit of establishing the account is verification that you are approved to work within the U.S. At least, you should get this verification. Once your account is created you can perform self-checks to see if your SSN has been used for employment, check the status of any EVerify cases you may have, and lock your SSN.

Locking your SSN

Locking your SSN basically freezes your SSN so that someone else cannot use it for employment purposes. If you wish to lock your SSN, log in to your account and click on Self Lock. You will go through a level of identification and security questions before the process is complete. Again, all to ensure that you are the one performing the action.

Locking your SSN also locks you out. If you will be seeking employment after you lock your SSN you will have to log in to your account and unlock the SSN. As with the locking process, unlocking will require you to go through a series of security features. Each step of the above processes seemed to be followed by confirmation and notification emails.

Criminals will make use of what they are offered. Be it a credit card number, your name and address, your birthday, or all of your personal data. Locking your SSN from being used in the EVerify system is yet another action you can take to attempt to protect yourself from identity theft.

The myEVerify site can be found through this link.

Check out our blog archive for other posts relating to identity theft:
There’s been a breach-February 2015
Keys to the vault-August 2015

Tuesday, February 11, 2014

Can I see some ID?


By now you’ve probably seen the video of the guy who crashed the Super Bowl MVP interview. Matthew Mills claimed to be a 9/11 “truther” and couldn’t believe it when he was able to get so close without proper credentials or reason to be there.

Mills was quickly apprehended and escorted out of the room. His post-arrest statement explained how he had made it to the podium. Mills said he told officials that he was running late for work and had to get in. He was allowed to pass. Mills did not think that he would get as far as he did as he moved further and further through each level of security. Once past the final gate and into the stadium it was just a matter of jockeying to the podium.

The NFL and local law enforcement had concentric circles of security that had an extended perimeter well beyond the stadium. So how did an individual get so close as to snatch the microphone away from the podium? Apparently, walk fast and act like you belong came into play here as Mills just talked his way through.

Impostors

Impostors are regularly in the news portraying doctors, lawyers, and professors. In 2009, Michaele and Tareq Salahi made headlines when they were found to have crashed a State dinner at the White House. Without invitations, they looked and dressed the part of invitees and were able to penetrate several layers of security. One of the most famous impostors is Frank Abagnale. Abagnale impersonated airline pilots, doctors, and attorneys, all before his capture at the age of 21. He simply looked and acted the parts. It’s how phone scammers are able to get people to wire their life savings to a complete stranger. They are confident and convincing in whatever it is they’re selling.

Steve Jobs was once quoted as saying, “Pretend to be completely in control and people will assume that you are.”

Everyone falls for a scam of one kind or another at some point. Whether it’s helping a Nigerian prince get his money to safety or giving money to a panhandler, we all have either fallen for it or been hit on. Why does it work? Most people are trusting and want to see the good in others. We trust authority and are vulnerable to financial gain. When you get a call from a “reputable” company announcing a refund you’re more likely to give up personal information.

Matthew Mills probably caught security at just the right moment. The big game is over and suddenly someone rushes up excitedly saying he’s late and needs to get to his job. The game is over. Who’d be trying to sneak in then?

You don’t have to be gullible to be taken by con artists. Even the FBI and Secret Service have their moments. Remember, just because someone “looks or speaks the part” doesn’t mean it’s true. A lot of times a few questions will get through their mask.

Keep your guard up and be safe.