Locking down the Internet of Things

WiFi security on the Internet of Things

Have you gotten all of your new tech gadgets hooked up after Christmas? Seems like every gift that had a plug also had a phone app and connected to Wi-Fi. Throughout the year as new toys or even appliances enter your home, setting up individual devices isn’t that noticeable. But after Christmas rolls through and you start setting up all the new goodies it really makes you sit back and notice-You have entered the new age of a smart home. Without realizing it we have created our own attachment to the Internet of Things (IoT).

That's a lot of things

Leichtman Research Group in 2018 found that 74% of U.S. homes had at least one smart device. Statista estimates that there will be 42.2 million smart homes in 2019. Spending on IoT devices was $23.3 billion (yes, billion) and is estimated to be $75 billion by 2025.  While there are Bluetooth connections, the primary connection for IoTs is Wi-Fi. Statista reported that the average number of connected devices per person, worldwide, in 2015 was 3.47 and is estimated to be 6.58 by 2020. That is connected devices per person. Multiply that by people in your home and the for-the-common-good devices like appliances, cameras, plugs, bulbs, etc, and that’s a lot of connectivity. 

If you want to keep up with technology it is how it’s going to be. I didn’t set out to convert the ol’ analog home to “smart”. It just happened. Garage door opener, a new appliance here and there, TVs, Hey Google, Hey Siri, Alexa, before you know it you’re your home is smart. The router sent me a message, yes it communicates as well, that the network was getting full. You’re aware of connectivity for your phones and computers but forget about the other electronics-appliances/TVs/cameras/power strips/gaming systems/eBooks, etc-that are on all the time and trying to communicate with the mother ship. Not only are these devices taxing on your home network they are all portals for security breaches.

Anyone of these connected devices can be hacked at the source, through the controlling app, or the company that provides the service. All the more reason to review your home network security.  If you haven’t done so recently, with the onset of all your new tech wonderness, you’ll need to upgrade your Internet service.  Most times these types of upgrades come with new routers. 

Security

One of the first actions you should take on all routers and new devices is set up your own logins and passwords. Many people still use the default settings, which cybercriminals are aware. Changing this information will at least slow them down. I say slow down because, as we’ve seen, anyone can be hacked. At least changing the settings will offer some protection.

For all of your connected devices actually, read the setup instructions and pay attention to what you are agreeing to during the process. Data collection is big business and those companies want your data. As consumers get more privacy savvy the product providers are finding counteractions. I recently loaded an app that wanted access to my phone’s camera, microphone, location, and to send user data. Answering no to any of those requests denied the user access. Or sometimes certain features are denied or dampened if the user doesn’t agree to the terms.

Devices that listen, your phone, TV, Echo, Google home, are also collecting data and have been proven to also be recording your conversations. In the interest of improving their service, of course. Again, go through the setup and privacy menus carefully. Understand what the device, i.e.-manufacturer is asking you to allow.

Overall, you have to understand that if you allow “smart” devices into your home you are giving up privacy. It’s hard not to get caught up in the technology craze, but understand that what you’re getting yourself into.

Please see the blog archive for other posts relating to privacy.

There’s been a breach May 2018

How secure are apps? April 2018

One born every minute February 2018

Are you being watched? February 2018

Cleaning up your online presence September 2017

Public WiFi for dummies July 2017

Keys to the vault August 2015

What we give up for convenience

If you think about it, who is the culprit in the multitude of personal data breaches? The hackers? The companies that failed to protect the data? Or is it ourselves for uploading our personal data in the first place? This really isn’t a proper question because we aren’t the culprits. But the point is that we, ourselves, allow more and more data to be collected by mega corporations. Sometimes it is innocuous as registering on a web site or app, which we cannot always avoid because in order to do business in the digital world we have to. What I mean by allow is two pronged. One, we are not outspoken enough about the Google’s and Facebook’s of the digital world collecting data. Facebook has seen a little backlash recently, but people will continue over sharing every detail of their life. But that’s the really big picture. 

Second, and more specific to personal security, is what we allow by making choices to upload or share personal data. We do this by plugging in the new smart TV without learning about its capabilities and without changing the settings. Or by installing the multitude of other appliances, cameras, digital assistants that we bring into our homes and plug and play. Anything you can talk to on demand and receive a response has to be listening all the time. Creepy? We will allow apps to track our location so that when we are in certain stores or near certain locations we receive notifications. As with listening, these apps aren’t waiting for you to arrive at a certain location, they are tracking and storing your every move until you arrive at the specific location.

How much privacy are we willing to give up?

Last month police and the FBI captured a man suspected of being a serial rapist and murderer in a multitude of cases from forty years ago. The case was broken through the use of DNA. The suspect himself was smart enough not to have his DNA logged into any DNA databases. Smart detectives realized that outside of justice system DNA databases there is a plethora of information being collected by private entities. Ancestral research companies provide DNA collection kits, which allow people to submit their DNA for comparison to other samples in hopes of finding family matches. You guessed it, the profiles are stored in databases so that they can be pinged during searches.

Checking crime scene DNA against public sources of DNA, police were able to get a familial match. That match narrowed the pool of suspects down to one family. Then through traditional police work detectives were able to identify a suspect. As you can imagine privacy watchdogs are all over the issue of law enforcement having access to private sector databases.

For some time Amazon has been offering package delivery inside of your home. Utilizing an Amazon smart lock, with the customer’s permission and knowledge, delivery personnel can unlock your door and drop the package inside. Of course, you are alerted each step of the process. Amazon recently announced package delivery to your vehicle. Currently the service is only offered to owners of GM and Volvo vehicles in certain cities.  The privacy we give for convenience. We allow cleaning and pet sitting services into our vacant homes but more than likely we have met the workers performing the services. I’m sure Amazon does a fantastic job vetting it’s employees. The point is we are giving complete strangers access to our homes and vehicles. We are then shocked and surprised when something bad happens. 

Check yourself

As with corporations and social media we gladly share and upload personal data, even our current location and DNA profiles. Trusting souls that we humans are we don’t cry foul until there is a breach or government overreach. Even though we are the ones that probably share a little too much.

You can’t always avoid uploading data or providing data through registrations. What you can do is be aware of what and to whom you are sharing. Monitor your financial accounts and pay attention to announcements of breaches. You may not be directly affected, but your other accounts may have been compromised through third party links to the breach victim.

Just as we are told to change smoke detector batteries at Daylight Saving Time, maybe we should get in the habit of doing online security checks every time there is a breach announcement.

Please see the blog archive for other posts relating to privacy.

There’s been a breach May 2018

How secure are apps? April 2018

One born every minute February 2018

Are you being watched? February 2018

Cleaning up your online presence September 2017

Public WiFi for dummies July 2017

Keys to the vault August 2015

There’s been a breach

Note: This post was originally published in 2015. It has been updated with new information relating to the topic. 

Last week Twitter announced a breach of passwords. Twitter claimed that no personal data was released and encouraged users to change passwords. Since the big breaches from the fall of 2014 it seems like every month we have heard about a new breach. If not banks then major retailers or healthcare systems. The private information we entrust others to keep safe is being violated on a regular basis.

Try as you might to stay off the “grid” by paying cash, getting paper statements, or banking in person, eventually you will be a victim of identity theft or some sort of financial intrusion. Either because of convenience or because a company demands you use an electronic system. It is difficult to navigate in today’s world without having some portion of personal data stored on an institution’s computer.

Personal data

Ever check out at a store that you shop infrequently and they ask for your address, phone number, or name, and you’re in their system? Freaky right? At some point you’ve provided them with your personal information. Larger companies own smaller companies…your personal data is bought and shared daily.

Tax season just passed and it’s a good bet that when you filed your taxes, electronically of course, your return was rejected by the IRS because, surprise, the return associated with your social security number has already been filed.  

The IRS estimates that more than 122 million returns were filed electronically in 2017. While the IRS has seen a decline in personal tax fraud, falsified business returns have increased. The IRS identified 10,000 compared to 4,000 fraudulent business returns in 2016.  The IRS doesn’t publish everything it is doing to combat tax identity fraud. Some of the public efforts are tightening access to private sector filing software and more thoroughly scrutinizing refunds. When your SSN has been compromised the IRS issues you an electronic identification number for future filings. This solution should keep your tax information safe, as it is a unique number. But so was you’re your SSN at the time it was generated. 

We use to worry about someone stealing a driver’s license or credit card. If that didn’t happen you didn’t have much to worry about. Years ago, while working as an undercover detective, and when I say “years ago” I mean before there was a computer in every home and a world-wide inter web of computers.  A senior administrator had a briefcase stolen that contained contact information for all of the detectives. Not just name and phone numbers but addresses, birthdays and yes the coveted social security number. Not sure what we called it then, but it wasn’t a breach. But in today’s terminology, the breach compromised so much personal information what could one do? You couldn’t completely change everything. In those days though we were more concerned with operational security than identity theft. Yes, identity theft occurred, but not on the level or frequency as today. The criminals at that time weren’t as sophisticated in that skill set as they are today. Plus, copying and sharing was a literal concept. The documents would have to be photocopied and personally distributed. 

We knew that if we worked hard and fast to recover the documents, we could determine the extent at which the information had been distributed. The faster the culprit was caught, the less chance the information could be distributed. Today, your information can be stolen from a third party vendor’s database by a criminal in another country and uploaded to a distribution network all from a keyboard, in a matter of minutes.

Document, document, document

The tenets of the paper world of long ago still hold true. Identify the breach and work fast to stop the leak.

Once you’ve identified a problem, you need to start working to quickly plug the leak. Contact the source in which you became aware of the breach-credit card, driver’s license, IRS, etc. Get that entity started on resolving the issue. File a complaint with the Federal Trade Commission, your State’s Attorney Generals Office, even the FBI if you seem to be apart of a larger breach. File local police reports also. It may seem for naught but you’ll have a record of the report and a case number to go with any other complaint filings. Most of the entities you will deal with, including law enforcement, have online complaint forms. It doesn’t take long and you can get it done in less than a day.

Document, document, document, everything you do and the entities you’ve contacted. Keep your notes for future reference.

Consider a monitoring program. There are lots of companies out there that perform this service. Of course do your research and choose wisely. If the breach occurred from a major retailer, financial, or health institution, they may offer some sort of credit monitoring or identity repair service for free. Take advantage of it.

Update, update, update

If you get notification of a password breach or hear it on the news, such as the recent Twitter breach, don’t ignore it. Like Twitter, companies publicize that no personal data was infiltrated but passwords “may” have been compromised. It is important to regularly change passwords as a matter of routine. However, when a company has had their password database specifically breached it is important to act quickly and update your settings. It is equally important to update other accounts in which you use that same password. Maybe get in the habit of updating passwords whenever there is a breach in the news. 

We should have different passwords for every account but let’s face it no one does that. So when one password is compromised the other accounts that use that same password are now in danger of being hacked. Cyber-criminals have highly sophisticated search processes. They may not be searching for you, specifically, but once they get your logon or password they can use that to find other accounts. Once they have one piece of the puzzle it is isn’t that difficult to break the rest.

Time expired on parking meters

You approach the parking meter. It is a standalone machine in the parking lot; not connected to a building or a visible wired connection. While the meter does accept cash, it also has a credit card slot. You unsheathe your card and slide into the slot as instructed by the screen instructions. The meter reads your card and communicates, wirelessly, with the bank. If the card is authenticated, the transaction is approved and the meter distributes a receipt. Transaction complete. So what just happened? 

In the digital communication-everything is hackable world we live in how are parking meters safe? Research on this topic seems to indicate a risk reward scenario or more likely a Not worth the effort scenario. As we have seen in recent years, any system of any entity is subject to hacking. No matter the type of hardware or the owner. This article continues the discussion regarding the security of parking meters raised in the post Skimmers, August 2017.

The parking meter

Before we get into the security of the parking meter, first a little history.

According to Wikipedia, Massachusetts entrepreneur Roger Babson filed the first patent for a parking meter in 1928. The electric meter was meant to be powered from the battery of the parked car. Either due to design or necessity at the time the Babson meter never caught on. In 1935, Oklahoma City newspaper publisher Carl C. Magee had identified parking issues in the business district and was asked to find a solution. His idea was to regulate parking through coin operated meters associated with spaces determined by lines painted perpendicular to the curb. Magee asked Oklahoma State University engineering professors Holger Thuesen and Gerald Hale to develop a machine. The result was the Park-O-Meter, which Magee received a patent in 1938. The first Park-O-Meter was installed in downtown Oklahoma City in July 1935. Retailers loved the meters as they encouraged a quick turnover of cars and potential customers. Drivers, initially opposed, were forced to accept them. The cost for that first hour was five-cents.

The first meters accepted coins and had a dial to engage the timing mechanism with a red flag to indicate expiration of time. Those meters required a service person to keep the mechanism wound. Later iterations by other companies provided a system that remained wound by the action of the user setting the time, eliminating the need for service personnel. Since the parking meter made its debut there have been many styles and mechanisms deployed. All of which have completed the same task, measuring an amount of time for a price. Manual mechanisms remained in service for fifty some years until advancement in technology allowed for digital operations in the 1980’s.

At this point in our history lesson drivers looking to park their cars still had to use coins. Some machines only accepted one kind of coin. Different variations of the parking meter existed depending on the maintenance and replacement by local governments.  

Again Wikipedia tells us that in 2007 the IPS Group from San Diego, California introduced the solar powered credit card accepting parking meter. (Wikipedia is used as a source because there isn’t much out there in the way of the history of the parking meter)  The so called smart parking meter was born.

Smart parking meters

Advances in wireless technology have been applied to parking meter design to develop the “smart meter”. These meters are solar powered with wireless connectivity. This gives the meters the capability to talk to maintenance crews and banks, allowing for service calls and electronic transactions. This type of technology also allows drivers to pay through the use of phone apps and single machines to regulate multiple spaces. They also can be designed to alert enforcement personnel when cars are over parked.

The market is flooded with types and styles from a variety of vendors. Some municipalities use single pole meters per space and others use machines that regulate multiple spaces. All use wireless connectivity. Which brings up the question-Can they be hacked?

Are smart parking meters secure?

Shortly after the introduction of the smart parking meter three hackers revealed at the Black Hat conference in Las Vegas in 2009 that they had hacked meters in San Francisco. In an attempt to prove the security flaws of the new technology, the hackers’ reverse engineered the technology and found that the machines had little in the way of protection or encryption. They were able to “trick” a variety of meters into providing free parking. This infiltration manipulated the meters but did not attempt to intercept or steal credit card transactions.

Since this report was made public parking meter manufacturers have worked to improve the technology to protect electronic data transfer. Even the FTC issued a report in 2015 encouraging all manufacturers of smart devices (Appliances, thermostats, etc.) to invest more into securing the “Internet of things”

The International Parking Institute released a report titled, "What's What in parking Technology" in 2016. The report describes a point-to-point credit card encryption method, which delivers end-to-end encryption. The method instantaneously converts credit card data into an indecipherable code at the time the card is swiped to prevent hacking. Similar to how Apple Pay creates a token that has no exploitable meaning or value except to the key holders at either end of the transaction. This allows the meters to communicate directly to the banks.

This also means that any credit card data stored on the meter is encrypted as well so that it cannot be read by anyone, including maintenance personnel. As with any electronic transaction it is recommended that you keep your receipt as it contains a bank authorization number on your receipt to reference your transaction with your credit card company.

Hacking the wireless connection to obtain credit data may not be fruitful but there have been a few instances reported regarding skimming. This is when a thief attaches a device over or into the manufacturers credit card slot. The device collects credit card data as they are swiped. The problem is that parking meters are smaller than ATMs and gas pumps. So it is harder to hide the skimming devices. Not that it cannot be done or tried. On ANY type of machine that accepts credit cards you should check for evidence of tampering before swiping your card.  

So, our journey brings us back to the question, is it safe to use your credit card in a smart parking meter? For the most part, yes. The meters themselves either do not store data or the data is encrypted. The transactions also are encrypted. The machines themselves offer little space for skimming devices. Can they be hacked? More than likely a resounding yes as anything can be. Is it worth the criminals’ effort? Other than bragging rights probably not. The pay off is not worth the effort.

Another source of curiosity are vending machines that accept credit cards. There have been no indications that they’ve been targeted. But with what we’ve learned about parking meters, we’ll chalk those up to the pay off is not worth the effort as well.

Please feel free to share any and all posts. See the blog archive for more posts about wireless and personal security

Skimmers August 2017

Public Wi-Fi for dummies July 2017

Pain at the pump October 2016

Taking your identity on vacation June 2013

Skimmers

We’re not talking about water bugs, tools to clean your pool, or skipping rocks. These skimmers steal your financial identity. The news had reported that skimmers were discovered on a local gas station’s pumps. This particular station consistently has problems with pump maintenance and just the overall condition of the pumps seems to be “beat up”.  It was not a surprise that skimmers had been installed. Not that the owners had any involvement, but meaning that the owners/operators are not paying attention to the condition of the pumps. Or what is going on at the pumps. This station is also known to allow third party vendors to sell their goods on the lot and accost customers at the pumps. Big personal security peeve-Do not approach me while I’m using a gas pump or ATM. These little things add up and go back to not being surprised. The condition and environment of a business can be both a determent and invitation to criminals.

Not everyone may know exactly what a skimmer is or the extent of the problem. I thought some background might help us from becoming victims. A little education goes a long way.

Skimmers

So what are skimmers?  Credit card skimmers or skimmers are electronic devices that are attached to machines with credit card slots. Mostly ATM’s or gas pumps. The parasite device usually fits over top of the original slot so that the customer believes they are inserting their card into the machine’s card slot. When in reality the card is swiping through the criminal’s device. The device retrieves the credit card data from the magnetic strip and stores it until the criminal retrieves the device. Newer, more sophisticated devices attach internally to the machine’s card slot or transmit the data via Bluetooth.

Although criminals can make use of debit card information, it is much easier with the associated PIN. To gather this information there will also be a camera attached somewhere to video the customer entering the PIN on the keypad. Or a fake keypad accompanies the slot reader and records the keystrokes. Most times the operation of the machine is not affected. If the machine fails to work, you may have already become a victim.

History of skimmers

The idea of the use of credit card skimmers was mostly urban myth. In the late 1990’s, we were just getting use to personal computers, let alone tiny devices that could steal data from a magnetic strip. Nobody believed that such things existed or could work.

The skimmer myth also gained notoriety in restaurants. Wait staff would be issued a small skimming device to carry with them. They covertly slide the card through the device to collect the data from the magnetic strip on the way to cash register. The device holds all of the data until the end of the shift when they pass off device and are paid for their efforts. The victims then start seeing charges on their cards.

If you think about it, a restaurant is the only place you hand a stranger your credit card and let them walk out of sight.

Gizmodo.com featured a good 2014 article on skimming history, The Evolution of ATM Skimmers 

Here is a synopsis:

2002- A CBS report confirmed the existence of skimmers when they reported devices that could record the names, account numbers and other identifying information from credit card magnetic stripes.

2008-Naples Police Department investigated a rudimentary device jammed over an ATM's actual reader. The thief inserted a "micro camera" under a plastic sheet to capture the victims' keypad strokes. This was one of the first times a device had been recovered.

2009-Skimming really takes off as the devices, in different shapes and sizes began being discovered on ATM’s.

Over the next few years the technology progressed. The Internet allowed for distribution networks to manufacture devices and kits that were identical to the machine the criminal hoped to crack. 
            2011-ATM manufacturers began cracking down on skimming by installing anti-skimming devices on their machines. These consisted of translucent, circular casings over the card reader, which the criminals quickly learned to replicate.

2012-Skimmers become too small to be detected. Some being paper thin and inserted into the card slot.

2013-Gas pumps became targets.  A series of scams in Oklahoma saw thieves take home $400,000 from a chain of Murphy's gas stations before they were eventually caught. The thieves used a card skimmer and fake PIN pad overlay to obtain the necessary information. Even more eye opening, these skimmers used Bluetooth enabled devices that sucked power from the pumps themselves allowing them to run indefinitely, and allow remote access to the data. ; once it was installed, the thieves would never need touch the skimmer again.

How it works

The devices used come in all shapes and sizes. Most fit over the card slot. Some actually are big enough to replace the machine face. The closer to resembling the original card slot the less chance of being detected. Home 3D printers are making these deceptions a lot easier. As with everything else electronic, these devices are getting smaller everyday. Some skimming devices are so small and thin, they slide inside of the card slot itself. Newer devices attach to the internal wiring of the card slot. These are mostly used on gas pumps. How do criminals get inside the pumps you ask? Universal keys are available that open the pump faces exposing the card readers. The criminal will have one or more accomplices to block camera/attendant views while they install the device. Victims never know what hit them.

Once collected, the numbers are used in different ways depending on the criminal. Some are sold on the Internet for around $50 a piece (+/-).  Some criminals use the collected numbers to make counterfeit cards, which they use to purchase items, usually electronics, for resell. (Similar to Melissa McCarthy in the movie Identity Thief) The more advanced organizations use the cards to purchase gas. They drive around in specially outfitted passenger vehicles filling up covert gas tanks. This gas is then off loaded into tanker trucks and sold to less than scrupulous gas stations. 

There are thousands of iterations of card skimmers. If you’d like to see what they look like just search “credit card skimmers” in Google images.

Protection

Criminals and the technology they use are getting more sophisticated. The Internet provides enough intelligence that consumers can protect themselves. But criminals are sharing information as well. Once law enforcement or consumers defeat one strategy, criminals learn and improve their methods. So what can you can do.

Some gas stations are installing seals to cover the seams that hold the payment box. A broken seal is obvious, but multiple seals overlaid is a clue and, of course, enterprising thieves can replicate seals. Another clue can be the condition of the machine in which you are about to slide your card. If the payment box area is not maintained or appears to have been forced open, be wary. Inspect the card slot. Give it a tug. If anything is out of sorts or the slot comes off in your hand report it to the station and the police.

If your transaction attempt doesn’t work, don’t keep trying. Stop and perform an inspection. The skimmer may be causing a malfunction.

Some habits to get in to help protect your card security:

• Use Pumps/ATMs near attendants. Less chance they were compromised.
• Pay inside
• Pause before you swipe, inspect car slot, look for security seal
• Feel for difficulty inserting or sliding card
• Wiggle slot housing. Don’t have to break it. Criminals aren’t going to install anything that takes time or is permanent
• Check nearby pumps, compare slots for differences
• Guard the card number
• Use Apple/Samsung/Android pay whenever possible
• Check accounts regularly

Any suspicions report to the business owner, the police, and the issuing bank.

This post focused mainly on gas pumps. Another area of concern is the new style parking meters that allow you to swipe at the meter. Seems like easy targets. Get back to you on those.

Please feel free to share. See the blog archive for more articles on personal security

Public Wi-Fi for dummies July 2017

Pain at the pump October 2016

Taking your identity on vacation June 2013

Teach your employees well

Small business hacking is becoming more prevalent. The payoff isn’t as big but the opportunity is greater and security is lacking. Security firm Symantec reported in 2016 that 43% of cyber attacks were against small business. Small businesses have little in the way of security and employee training. They often have more to lose in the sense that they have less cash flow or all of their money is tied up in their business. Making them more likely to pay ransoms. (Ransomware is explained in more detail in our post-If you ever want to see your files again…)

Attacks can be as simple as rerouting the web address to a porn site, locking all of the computers for a ransom, all the way to hacking financial data and cleaning out bank accounts. More than half of the companies attacked were forced to go out of business. Maintaining sound computer security cannot be emphasized enough.

The website Small Business Trends, in an article posted January 3, 2017, stated that 48% of attacks are caused by an employee error. In addition to updating security software one of the biggest defenses owners can deploy is educating their employees on cyber attack indicators. The malware has to enter the system somehow. Simply clicking on attachments will send the virus into the network to do its work. The more stealthy viruses will enter the system without a show of existence. These are meant to mine data from the system. By the time you find the virus the bank accounts are fleeced.

Regularly train employees on different types of attacks and how to defend against them. Establish a policy for computer usage. Explain what is acceptable Internet use. Malware can be injected via email attachments or links to websites. These links can be introduced through email or social media. Demonstrate what a suspicious email, link, social media contact looks like. Practice solid password policies and change regularly. Encourage employees to speak up when something is suspicious and do not click on the suspicious activity.

Even if you do not think you store valuable data, although customer records are a valuable commodity, the chance of losing your business data or risking a financial attack is too great a chance to take.

See our blog archive for other posts relating to cyber security:

Scam Websites November 2016

If you ever want to see your files again…August 2016 

There’s been a breach February 2015

Tax [Fraud] Season

Once the calendar year turns over thoughts of filing taxes begin. So do the warnings of tax fraud and prevention tips. Having been the victim of tax fraud I know the inconvenience of proving your true identity to the IRS; now having to file under a number rather than your true name. As the digital world expands, so does tax refund fraud. It’s a good bet that you know someone who has been a victim or that you, yourself, are a victim.

Theft

Most people will file their tax returns electronically, either themselves or through a tax preparer. It’s quick, it’s easy, you get your refund faster. Unless you get an error saying that you have already filed. You’re first reaction is that there is a mistake, but you soon realize that you have been the victim of identity theft. Someone has obtained your name and social security number and filed your taxes on your behalf.

It may not have been a direct theft in the classic sense. It could have happened during an electronic data breach of a larger scale or someone hacked your computer, any number of ways. Your information is uploaded to the dark web (it’s a real thing that criminals use to conduct their business or exchange information) and resold many times. The criminal then fills out an electronic tax return with your information and bogus financial information and has the refund sent to a direct deposit or PO Box. The IRS does compare information against past filings but that doesn’t occur until well after the refund has been issued. Software is in place to try and stop fraud, but, again, the refunds are issued so quickly it happens before any alarms go off.

You then have to go through an arduous process to prove yourself to the IRS, file the fraud report, and wait for the IRS to investigate your claim. If they find that you are a victim they will then issue your return and assign you an identification number to use for future filings. The whole process takes several months. Other than the waiting, it really wasn’t an unpleasant experience and the refund was issued in a timeframe shorter than expected. It’s also interesting to request a copy of the fraudulently filed return from the IRS. You get to see what deductions your other self made and the amount some PO box received.

Prevention

One school of thought of being susceptible to fraud is filing returns late in the season, near the April 15 deadline. This gives the criminals time to file their fake returns and receive the refunds before you file. Tax regulators say to file early to get a refund as quickly as possible, thus beating the criminals to your money. States have even made the effort to streamline the process so that refunds are received as quickly as possible after the return is filed.

Law enforcement doesn’t comment on the timing of the filing, but rather to delay the issuance of the refund so that fraudulent returns can be identified.  At a recent tax security summit, the U.S. Attorney for Maryland, Rod Rosenstein, commented from the panel, “The quicker you are on paying refunds, the greater the risk of not finding fraud.”

Hawaii, Illinois, Louisiana, Minnesota, Montana, North Dakota, South Carolina, and Utah are some of the states that are slowing returns to further prevent fraud. Maryland issues refunds within two days of receipt of the return. The comptroller’s office relying on analytical software to detect digitally filed fraudulent returns. Additionally, Maryland will not issue refunds until the comptroller’s office has a W-2 on file. With these methods in place the comptroller’s office hopes to combat fraud while at the same time efficiently serving the taxpayers.

The Maryland legislature this year is considering a bill named the Taxpayer Protection Act of 2017. This bill would give the comptroller’s office broader authority to build criminal cases against fraud and extend the statute of limitations for prosecution to six years.

There is no way to know if your personal data has been stolen. Regarding taxes it is best to file early. If you do become a victim, report it to the comptroller’s office and IRS as soon as you are aware. Document everything you do and who you speak to. Secondarily, begin looking into your banking and credit cards as they may have been breached as well. Review statements and set up alerts.

Be sure to read our others posts related to identity theft.

Keys to the vault August 26, 2015

There's been a breach February 18, 2015

Taking your identity on vacation June 17, 2013

Scam websites

 Note: This post was originally published on November 27, 2016 and has been updated with new information.

On top of all the safety concerns we have for shopping in the real world, you have to be careful online as well.  Not only from identity theft issues but bogus, price too good to be true deals, on fake websites and fake mobile apps.

You use to be able to look at a website and have your spider sense tingle warning that this doesn’t look quite right. But now, at first glance, it’s hard to pick out a thrown together site. Site building skills and packages are such that pretty much anyone can construct a site that looks like a multi billion dollar corporation is at the other end. When in reality it’s a small time operation or worse an out of country company that is selling bogus products or collecting personal data.

Scam Busting

One quick way to tell if the site is not quite on the up and up is to take a tour and make note of the grammar. One thing the scammers haven’t quite grasped is writing in grammatically correct English. Sites that do not pay attention to simple grammatical structure probably don’t have your best interest in mind. We’re not talking about a typo here or their or misusing there,  they’re, or their, you'll see serious grammar issues that scream no quality control. But don’t use this as your only method.

There are several “detectors” that can be found online that you enter the questionable website address and the detector gives you a report on the site, including a score, location, technical data, owner, and contact information. One such site is Scamadviser.com. [This is just one of many and no endorsements are being given.] This site seemed to provide the most detailed information that online users could use.

If you’re not sure of a site, run it through a “scam busting site”, you should be able to get enough laymen details to make a determination if the site in question is someone you want to provide your credit card.

Typosquatting

In the early days of the Internet, criminals would identify the most popular retailing websites and then figure out the commonly mistyped spellings of the retailer’s names. They create their own sites under the misspelled names. Users always misspelled Amazon, or example. Type in Amason, and you are directed to the scammers’ site. Companies figured this out and began buying up the domain names associated with the misspellings.

The technique is called typosquatting. The practice diminished but is picking up popularity again. It’s hard to think of or even buy every possible spelling combination, so criminals are able to slip past the gatekeepers. The fraudulent sites are very close facsimiles to the real sites. Once a user interacts, malware is downloaded onto the users computer and/or information is stolen.

Mobile devices are targeted as well through fake retail apps sold in smartphone stores. The apps mimic legitimate retailers, but they install malware that steal identity, financial information, and sometimes install ransomware (If you ever want to see your files again August 8, 2016) The RiskIQ cybersecurity company estimates that 1 in 10 Black Friday apps were fraudulent. The biggest app stores fall victim to fake apps. Retail apps may be safer downloaded from the retailers website.

  

Another oldie but goodie is fake shipping notices sent via in email. They are always prevalent but become more so when criminals know that there will be an increase in online shopping/shipping. The notices can look real and appear as they are from a retailer from which you recently purchased. With the flurry of shopping everyone does at this time of year, it’s easy for fake notices to lost in all the emails received. Know what you purchased and from whom, monitor the confirmations and shipping. Most companies will send out a confirmation email, a product shipped email, and possibly a follow up.  Be on guard for anything more.

It’s hard to say stick with nationally named brands and big retailers. Lots of small businesses make their living through online sales and often have good deals especially on unique items. Just as if you were shopping in the real world, you wouldn’t buy from a questionable character off the street, so do some research before you buy online. And watch out for too good to be true deals, especially on hard to find items. Use common sense.  Check reviews. Do your homework.

Be safe. Enjoy the thrill of the hunt.

See our blog archive for other posts relating to shopping safety:

Gift cards-Less than you bargained for? December 2012

Psssst...Need some speakers? December 2015

Verified to work within the U.S.

Some relate identity theft with the actual assumption of your name and personal data. Living a carefree life under your name, sticking you with all of the debt. But there are several ways your identity or even parts of it can be used fraudulently.

Having the pleasure of someone else file your taxes takes out all of the stress. When it’s a trusted professional it gives you peace of mind. When it’s a complete stranger who also accepts your refund on your behalf, it’s frustrating to say the least. Not long ago we were among the hundreds of thousands of victims of tax refund fraud. You file your taxes electronically and it gets rejected because someone else has already filed. You don’t know how your data was compromised or why the IRS accepted such an oversimplified return that is out of character with years of your own filings, but it happened. The IRS doesn’t figure out who is the real you, you have to prove it.

You go through the IRS process of identifying yourself and after a few months you are good to file again, except now you have to use a special PIN. Due to your social security number (SSN) being compromised, you can no longer use it to file.

Job search

Probably everyone reading this has been the victim of some level of identity theft. Whether it is credit card skimming or tax refund fraud, with very little information someone can take your identity. Depending on the level, the fixes can be arduous. Prevention is easier. File your taxes early. Monitor your credit scores and your accounts. You can increase the security on credit card accounts, opting for notifications when someone accesses your account. Be mindful of how and when you use your credit card, but these are financial issues. If your SSN has been compromised, you may also be applying for jobs that you are not aware. 

A lot of systems are still set up to identify you through your SSN, one of those being employment. Not only can your, now compromised, SSN be used to get tax refunds and buy merchandise, it can also be used by someone to apply for a job. If you’re not collecting social security you may not know your identity has been stolen is this manner. This type of SSN fraud is more prevalent with illegal aliens who use their own name but a stolen SSN. It is estimated by several sources that over seventy-five percent of illegal aliens use fraudulent SSNs to obtain employment.

EVerify

EVerify is an Internet based system that compares an employee’s personal data with data from the U.S. Department of Homeland Security and the Social Security Administration records to confirm employment eligibility. Basically, is the employee legally within the U.S. and is the information provided not being used fraudulently. EVerify is administered by the U.S. Citizenship and Immigrations Services (USCIS). USCIS have created, within the EVerify system, a new service called myEVerify. myEVerify allows the user to monitor the use of their social security number within the EVerify system. EVerify is used by employers…myEVerify is used by workers.

Not having afforded myself this level of SSN protection, I decided to take it for a spin. The process took about five minutes and wasn’t that painful. In addition to the normal web account setup process, you must also go through a series of identification questions. An added level of identification verification is an “identification quiz” that further confirms your identity. One can tell from the questions asked that the personal identifiers provided in the account setup process are checked against financial and public databases to generate the questions. This is all done to ensure that the person setting up the account is, in fact, you. A side benefit of establishing the account is verification that you are approved to work within the U.S. At least, you should get this verification. Once your account is created you can perform self-checks to see if your SSN has been used for employment, check the status of any EVerify cases you may have, and lock your SSN.

Locking your SSN

Locking your SSN basically freezes your SSN so that someone else cannot use it for employment purposes.  If you wish to lock your SSN, login into your account and click on Self Lock. You will go through a level of identification and security questions before the process is complete. Again, all to ensure that you are the one performing the action.

Locking your SSN also locks you out. If you will be seeking employment after you lock your SSN you will have to login to your account and unlock the SSN. As with the locking process, unlocking will require you to go through a series of security features. Each step of the above processes seemed to be followed by confirmation and notification emails.

Criminals will make use of what they are offered. Be it a credit card number, your name and address, your birthday, or all of your personal data. Locking your SSN from being used in the EVerify system is yet another action you can take to attempt to protect yourself from identity theft.

The myEVerify site can be found through this link.

https://www.uscis.gov/mye-verify

Checkout our blog archive for other posts relating to identity theft:

Taking your identity on vacation-June 2013

There’s been a breach-February 2015
Keys to the vault-August 2015

What did you just say?

Just like online security, our day-to-day conversations with strangers can threaten our security. Most of the areas where we express ourselves online are password protected. We can go back and edit things that were written, change our personal data in profiles, Google even has an “unsend” feature for email. The spoken word cannot be retrieved as easily.  Sometimes we just talk too much to the wrong people. We either offer up personal information or unknowingly provide it when prompted by a stranger who knows how to extract information.

Every neighborhood has door-to-door salesman. Are they pushing product or gathering intelligence? Some criminals pose as salesman, going from house to house trying doors hoping not to run into anyone and making note of what they can; alarm signs, cars in driveway, shrubbery, lights, the presence of dogs, etc. Some are bolder by selling random products, services, or free estimates looking to speak to homeowners, gain their trust and glean the information they need through conversation.

A conversation was overheard between a female neighbor and a salesman. The gentleman was selling organic cleaning products. He was very charming, loquacious, and had quite the patter. Throughout a ten-minute, low key, no pressure conversation in which he demonstrated his product, the salesman was able to determine that the lady was willing to open the door, home alone during the day, with one, two-year-old child, and no dogs. By sight he could determine her age, physical makeup, and basic layout of the home as seen through the front door. He never really asked any direct questions, but through friendly conversation the lady was put at ease and freely provided the information.

Running con games on people isn’t the oldest profession but it’s been around long time. People trying to trick and deceive are excellent speakers. You can be in the middle of a conversation and giving up details before you realize it. They manipulate conversation to their advantage. Mind reading acts don’t actually intercept your brainwaves, they pickup on subtle cues that are provided through your words and body language. Pronouns and conjunctions can provide a lot of information if you know how to listen.

We do not want to be rude to others. We want to be friendly. So it’s easy for others to approach and engage in what seems like innocent conversation. The trick is finding that line that allows us to be nice without providing our biography.