Dec 16 13

The Top 10 Most Common Identity Theft Myths

by Neal O'Farrell

Every year around this time we see the same experts dole out the same identity theft prevention tips. And yet, identity theft keeps getting worse. Maybe it’s because we have to take a step back, and start by exposing some of the myths that can lead to consumer apathy about identity theft. If we help consumers to better understand the reality of identity theft, they might better appreciate these tips and apply them more often.

So here goes:

Myth #1

“IDENTITY THEFT IS MORE HYPE THAN REAL”

Truth

Identity theft may be the single greatest crime epidemic in the history of America. According to research firm Javelin Strategy and Research, identity theft claimed an average of more than a million victims a month in 2012. The Department of Justice recently put the total number of victims at more than 16 million last year.

That means there were more victims of identity theft last year than there were burglaries, attempted burglaries, assaults, robberies, arsons, vehicle thefts, purse snatchings, pick pocketings, check frauds, and shopliftings combined.

Myth #2

“IDENTITY THEFT VICTIMS ARE NOT REALLY VICTIMS BECAUSE THEY GET THEIR MONEY BACK, SO IT’S NO BIG DEAL”

Truth

The biggest cost for victims of identity theft is the long term emotional harm. If a thief has your Social Security Number, or a grudge, as a victim you can be fighting for your identity for years. Victims often talk about the emotional harm being the worst – the worry, the harm to their credit, their lack of trust, their feelings of betrayal, wondering when the next shoe will drop, if it will impact their credit worthiness, their job, etc.

Myth #3

“ZERO LIABILITY MEANS I HAVE NOTHING TO LOSE EVEN IF I AM A VICTIM”

Truth

If you lose a small amount, say a few hundred dollars, your bank, credit union, or credit card company is likely to reimburse you. But if it’s more than that, or you can’t explain how the money was removed from your bank account, banks will often either deny your claim outright or tell you they will need to launch an investigation – which can take months.

And you may be in even bigger trouble if your debit card is copied through skimming. The thieves will have your card data and PIN without your knowledge, and because a correct PIN was used, banks will often use that as an excuse to blame you, the victim.

Myth #4

“I FROZE MY CREDIT SO MY IDENTITY IS SAFE.”

Truth

A freeze is helpful but only protects against the opening of new credit accounts in your name. It doesn’t stop a thief from misusing an existing account or credit card, and it does nothing to prevent skimming, the emptying of a bank account, check fraud, fraudulent tax refunds filed with your identity, Social Security fraud, employment fraud, or many other types of identity theft. And in a troubling trend, identity thieves are turning to payday lenders as a way to get around freezes, fraud alerts, and monitoring, because payday lenders often don’t run credit checks.

Myth #5

“I SHOULD BE MORE WORRIED ABOUT MORE COMMON CRIMES LIKE BURGLARY, PURSE SNATCHINGS AND PICK POCKETS”

Truth

You are six times more likely to be a victim of identity theft than of burglary, and 500 times more likely to be a victim of identity theft than of purse snatching.

Myth #6

“I CAN JUST GET A POLICE REPORT TO PROVE I’M A VICTIM.”

Truth

A police report is vital if you need to defend yourself against claims from debt collectors or victimized businesses. But they’re not always easy to get, in spite of the fact that victims are entitled by Federal law to a police report.

Common excuses victims receive when they try to file a police report are “You need to file the report in the jurisdiction where the crime was committed” and “You’ll need hard evidence before a police report can be filed.” Neither is true, but you may still have to be patient when trying to get a police report.

Myth #7

“I TEND TO SHOP ON SMALL BUSINESS WEBSITES BECAUSE THEY’RE TOO SMALL FOR HACKERS.”

Truth

Most security experts believe that small businesses are now the number one target for hackers, mainly because of lax security. Web security firm SiteLock reports finding up to 5,000 small business websites every single day that have already been compromised with malware waiting to infect visitors and shoppers.

Myth #8

“I USUALLY USE A DEBIT CARD BECAUSE IT’S MUCH SAFER.”

Truth

A credit card is a much safer bet than a debit card. A debit card connects directly to your bank account. If it’s compromised, the thief is stealing your money, and you wait while the bank decides whether to give it back. If your credit card is compromised, the thief is stealing the bank’s money, and you dispute the charge before you pay it. Which would you prefer?

Myth #9

“I HAVE GOOD ANTIVIRUS SOFTWARE THAT’S ALWAYS UPDATED, SO I DON’T HAVE TO WORRY ABOUT CYBER THREATS.”

Truth

Antivirus software is very important but it’s only one layer of protection. A study by the University of Alabama found that most of the popular antivirus programs in use today only catch about 25% of malware. A test in December 2013 by security firm OPSWAT found that out of 44 of the most popular antivirus products on the market, only one could detect a keylogger.

Myth #10

“I GUARD MY PERSONAL DATA BETTER THAN FORT KNOX “

Truth

It’s not you, it’s them. No matter how well you guard your personal information, others will betray you. For example, there has been an average of one reported data breach in the U.S. every single day for the last five years, exposing more than 500 million personal records. Up to 80% of those records may have included Social Security Numbers. Could yours have been one of them?

Dec 11 13

2 Million Hacked Passwords Help Expose Our Vulnerability To Keyloggers

by Neal O'Farrell

As security experts and the media dissected the recently-uncovered stash of more than 2 million hacked passwords on a hacker’s server in the Netherlands, belonging to users of Facebook, Google, LinkedIn and Twitter, did the real story slip by?

One thing was certainly clear from examining the stolen passwords – how many people are still using awful, and awfully weak passwords. Researchers from security firm Trustwave discovered the kidnapped passwords on a hacker server in the Netherlands, and a study of the stash revealed what we already know about passwords; that many users think weak predictable passwords are perfectly OK. Some of the most common passwords discovered in the server and apparently favored by many users included 123456, 11111, and, worst of all, password. Yes, the word password for a password. Maybe we’re not explaining the whole concept of passwords properly.

But the other lesson that came from the discovery is how effective a little-known tool called a keylogger can be in fleecing passwords and other information from millions of computers. The initial suspect in this case was a keylogger, a small piece of malware that, once installed on a computer, will capture whatever the user types. And maybe even more. And there’s a good chance that your antivirus software won’t catch it.

In the same week the 2 million hacked passwords story broke, security firm OPSWAT released the results of some very interesting tests. When they tested 44 of the most popular antivirus products to see if they could detect a keylogger, only one was successful. A study by the University of Alabama found that those same products only catch around 25% of email-borne malware. And tests by Imperva put the success rate of AV products at detecting new malware at just 5%.

Keyloggers are typically after logins and passwords, often to commit identity theft and fraud or take over bank accounts. But they don’t just log what you type. They can also capture screenshots of what’s on your computer, screenshots of the websites you visit and the folders you open, and even what you search for. And software isn’t the only variety. There are also hardware keyloggers, designed to look like a plug or connector you’d expect to find at the back of a computer or even a cash register. One such keylogger was recently found plugged into a cash register at a Nordstrom store.

More advanced keyloggers can intercept data from wireless keyboards, and even collect and decipher the electromagnetic radiation or electrical signals given off by a keyboard. More than 25 years ago, a couple of former spooks showed me how they could capture a user’s ATM PIN from a van parked across the street, simply by capturing and decoding the electromagnetic signals generated by every keystroke. They could even capture keystrokes from computers in nearby offices, but the technology wasn’t sophisticated enough to focus in on any specific computer. 25 years later, that’s probably not so difficult.

And using a touch screen won’t help you avoid keyloggers. It’s still a keyboard sending signals that can be intercepted, and good keyloggers will record your screen activity anyway. And if you use public computers, like at a library, you could be especially vulnerable. Library computers have been a popular watering hole for keyloggers for years. They generally have many different users, public access, poor security, and little supervision.

The damage is real and not theoretical. Javelin Strategy and Research estimates that nearly $5 billion was siphoned from U.S. bank accounts in 2012 by crooks using malware, and probably most of it involved some type of keylogger.

So what can you do to defend against this menace?

·         Use anti-keylogger software, like Key Scrambler (free) or Guarded ID ($29.99 for two). They won’t protect you against every type of keylogging, but they are a good defense against the more common software-based keyloggers. Some work by instantly encrypting or scrambling all your keystrokes so that they’re unusable to hackers.

·         Use a safe surfing tool or plugin, like McAfee Site Advisor or Web of Trust (WoT). As users become more wary of malware hidden in email attachments, hackers are turning to websites instead. In what are known as watering hole attacks, hackers find vulnerable websites, load them with keylogging malware, and simply lie in wait for visitors to those sites. Security firm SiteLock says it’s finding more than 5,000 small business web sites every single day that are already compromised with malware. Safe surfing tools will help alert you to suspicious or dangerous websites before you click on them.

·         Always have good antivirus software on every computer and device you use. Some of the best is free, including for your smartphone and tablet. And scan often – at least once a week is recommended.

·         Change your passwords often and think about passphrases instead. Passphrases are explained below and are a much safer and easier alternative to passwords.

·         Be careful what you download and install. Poor security habits and hygiene are a leading contributor to malware infections. Slow down, guard up, verify first, and only download if you’re really sure and you really need to.

·         Be careful what you type and where. Might sound simple, but as any good spy will tell you, the best way to minimize your exposure to a telephone tap is to avoid saying anything important on a phone. Avoiding accessing your bank account from a public area, like a coffee shop, is a simple way to avoid the threat of a nearby sniffer.

Forget passwords – think passphrases

A passphrase is a short sentence that’s easy for you to remember – that describes something about you and your life, for example – but that a hacker would have a very hard time knowing or guessing.

For example, the phrase could be something like “I graduated from Notre Dame University on June 1st 2002.” Take the first letter of every word in that phrase, keeping the upper and lower case exactly as written, and keep any numbers (like “1st” and “2002”) whole.

That would give you the following password: “IgfNDUoJ1st2002”. That’s a massive 15 characters and includes upper and lower case letters and numbers. Change the “I” to the symbol “!” and now you’ve added a fourth character class and made it even harder to crack.

Unless the hacker knows you personally, it would be nearly impossible to guess or crack such a passphrase. Even if the hacker did know you, they would have little way of knowing the phrase you chose.

And if you have trouble remembering the phrase, you can still write it down and keep it somewhere in your home, because there’s very little risk a hacker would find it in your home and recognize the phrase as a password. You can use similar or themed phrases to protect other accounts, but instead refer to when you graduated high school instead of college, or when your kids graduated, and so on.
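To make the derivation rule concrete, here is an added Python example (my own illustration, not the author’s code) that applies the first-letter rule above to the post’s sample phrase and then runs the result, together with the weak passwords named earlier in the post, through a simple check. The minimum length and character-class thresholds in the check are assumptions for this example, not figures from the post, and the check is only a floor: a mnemonic string is not random, so passing it says nothing about how hard the password is to crack.

```python
import re
import string

# Constructed sample of the weak passwords named in the Dec 11 post; a real
# check would use a large breached-password list, not three entries.
COMMON_WEAK = {"123456", "11111", "password"}


def passphrase_to_password(phrase, substitutions=None):
    """Turn a memorable sentence into a password using the rule described
    in the post: keep the first letter of each word (case preserved), keep
    numeric tokens such as '1st' or '2002' whole, drop punctuation, then
    apply any optional character substitutions (e.g. {'I': '!'})."""
    parts = []
    for token in re.findall(r"[A-Za-z0-9]+", phrase):
        if token[0].isdigit():
            parts.append(token)       # '1st' -> '1st', '2002' -> '2002'
        else:
            parts.append(token[0])    # 'graduated' -> 'g', 'Notre' -> 'N'
    password = "".join(parts)
    for old, new in (substitutions or {}).items():
        password = password.replace(old, new)
    return password


def check_password(password, min_length=12):
    """Return a list of problems with a candidate password; an empty list
    means it passes. The 12-character minimum and the three-class rule are
    assumptions chosen for this example."""
    problems = []
    if password.lower() in COMMON_WEAK:
        problems.append("appears in the common-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    if sum(classes) < 3:
        problems.append("uses fewer than three character classes")
    return problems


if __name__ == "__main__":
    phrase = "I graduated from Notre Dame University on June 1st 2002."
    for candidate in (
        passphrase_to_password(phrase),
        passphrase_to_password(phrase, {"I": "!"}),
        "password",
        "123456",
    ):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

Running the script shows the post’s phrase producing “IgfNDUoJ1st2002” (and “!gfNDUoJ1st2002” with the substitution), both of which pass the check, while “password” and “123456” fail on all three counts. Note that the substitution step replaces every capital “I”, so a phrase with several of them would change in more than one place.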

Dec 3 13

Flood of stolen identities forces hackers to reduce their prices

by Neal O'Farrell

Have you any idea how much your identity is worth on the black market? And before you answer, remember that there’s a difference between wholesale and retail. Wholesale is the price hackers charge other crooks for stolen information, like credit card numbers, Social Security numbers, and bank account information. Retail is the amount of money those crooks can then make from the stolen identities they buy.

A couple of weeks ago, Dell Secureworks put together a very compelling summary of exactly how much personal information goes for in the hacker world. Researchers at the company took a peek inside more than a dozen of the more active and professional underground hacker forums, a kind of data bazaar, where hackers buy and sell people just like you.

And it seems like there is so much stolen information in circulation and for sale, it’s driving the prices down. Way down. Which could mean that hackers have to steal and sell even more information just to make a living.

Here’s just a sampling of what Secureworks found:

  • A U.S. Visa, MasterCard, American Express, or Discover card number will run between $4 and $8.
  • Data from the mag stripes on those cards fetches around $12. That stripe can include cardholder information, the expiration date, and valuable security information.
  • A “Fullz,” or complete dossier on an individual, costs around $25. That dossier can include name, address, phone numbers, email addresses (with passwords), date of birth, SSN or Employer Identification Number (EIN), bank account information (account and routing numbers, account type), online banking credentials (in varying degrees of completeness), or credit card information.
  • A date of birth costs just $11.
  • Want to infect computers with data-stealing malware? That will cost you around $20 for 1,000 computers and $250 to infect 15,000 computers.
  • Need someone to develop a Trojan to plant on those infected computers? That can cost as little as $50.
  • Looking to hack into someone else’s website or steal their data? Hire a hacker to do the job for as little as $100.
  • And if you want a bank account that has anywhere between $75,000 and $150,000 on deposit, you can have all bank account details, including routing number and password, for less than $300.

According to Secureworks “Once scammers buy the malware-infected computers, they can do anything they want with the machines. They can harvest them for financial credentials, infect them with ransomware so as to extort money from their owners, or use them to form a spam botnet to send out malicious spam on behalf of other scammers.” Some spammers have made up to $2 million a year.

I’m currently working with a notorious identity thief who maintains that getting personal information is the easiest part, and that there’s so much stolen information in circulation identity thieves can pick and choose which identities to plunder.

I’ve been saying this for years. Worry less about whether your information is out there, in the hands of crooks. It probably is, and it’s only a matter of time before you’re the next one in line. Focus more on locking down your little corner of cyberspace. That’s a fight you have a better chance of winning.

Dec 2 13

Why Holiday Security Tips Might Be A Waste of Time

by Neal O'Farrell

Every year around this time, the only thing as certain as sales is the same worn out old list of holiday safety tips being trotted out by a whole gaggle of security experts, wannabe experts, and people peddling products. And while these tips are important, especially around this time, I wonder if they work anymore. Or even if they ever worked.

I think the answer is yes, but only to generate some exposure for their authors. I have to admit, I was part of that posse. I started offering holiday security tips back in 2000 when I was the Director of Education for ZoneAlarm (killer firewall!). More recently, it was an annual tradition for me to dust off and tune up my own set of holiday safety tips, beautifully packaged as “The 12 Thefts of Christmas and How You Can Grinch them!” They’re retired now so don’t even ask.

In spite of the same predictable collection of tips on how to avoid identity theft and other scams, I don’t see much movement in the consumer awareness needle. I still do plenty of town halls and community presentations, and get daily calls from victims, and I see little improvement in consumer commitment to self-defense.

Consumer awareness is at an all-time high – there are very few consumers who are not aware of identity theft. But the key ingredient in awareness – vigilance – doesn’t seem to have caught hold. Awareness means knowing there’s a risk and how to avoid it. Vigilance means remembering those rules at precisely the moment it matters – right before clicking on a link, before opening an attachment, before visiting a website, before taking an unprotected laptop home and so on.

A study from Transunion a couple of weeks ago highlighted just one of the problems. In spite of more than a decade of relentless consumer education and wall-to-wall media coverage, the Transunion study found that a third of adults in the U.S. have never checked their credit reports.

And if you look at all those tips that all those experts have been sharing for all those years, the net result seems to be that all those bad old habits are still there.

So what’s the problem? Where’s the disconnect and why is the message not getting through? The fundamental problem, and the reason why identity theft continues to climb every year, is that consumers just don’t care enough. There’s a very common assumption, mainly as a result of good marketing, that zero liability means as a victim you have absolutely nothing to lose. Zero liability has been interpreted to mean zero risk, zero loss, and zero responsibility.

And even if it sounds counter-intuitive, now might not be such a good time to be talking to consumers about identity theft. At least in their eyes:

  • They’re too busy with the holiday hassle to stop and think about identity theft.
  • This is supposed to be a time of good cheer, so don’t bring them down with bad thoughts.
  • Repetition has a dark side, as consumers just tune out the same tips they see everywhere every year.

Apr 30 13

Is college the cure for Facebook safety concerns?

by Neal O'Farrell

“All that is necessary for evil to triumph is for good men to do nothing.” Wise words that have served over the centuries and could still be invoked today in our attempts to figure out why so many parents still seem to be so apathetic when it comes to the safety of their own kids.

One question that I’ve probably been asked over the years by worried parents more than any other, is “How do I protect my kids on (or from) Facebook?” And top of the list of my recommendations to these parents has always been that they should start by creating their own Facebook page.

It’s simple advice and an easy fix. By going through the process of creating their own Facebook page, parents will get a much better understanding of how Facebook works, how their kids can be exposed, and how to use Facebook’s own security and safety options to limit the risks to their kids. And if they persuade, or force, their kids to be their friend, even better. At the very least it should help dilute some of the guilt parents feel when they allow their kids to roam Facebook world un-chaperoned.

So how many of these parents over the years have taken to heart at least that one piece of advice? As far as I’m aware, none. Case in point – I recently spoke to one friend I had given this advice to more than four years ago. She has a son and a daughter – the son had just created his own Facebook page and her daughter, although just twelve at the time, was pestering Mom to be allowed “to Facebook.”

When I asked her recently if she ever got around to creating her own Facebook page, she said she hadn’t. She was just too busy. And besides, her son was off to college now, was much more mature, and so the danger had passed. And he said he didn’t use Facebook much anymore because most of his friends were too busy to check in. If his friends were no longer on Facebook, there was no need for him to be there.

I guess that’s one way to deal with danger. Stand your ground, even plant your head firmly in it, cross your fingers, and hope the danger will pass you without noticing you. Like the Wildebeest in the center of the herd.

It reminded me of a similar experience more than a decade ago, when I led an innovative program called Think Security First, a unique experiment by an entire city to make cybersecurity awareness a top priority for the city for an entire year.

Identity theft, online predators, and child safety were major media headlines at the time, so we organized a town-hall meeting at a local school to introduce parents to a team of experts we had assembled to help teach parents and kids about these risks.

The event was heavily promoted and backed by the city council, Chamber of Commerce, school district and many others. It was promoted to dozens of local schools that in turn invited more than 10,000 parents. We picked a location, date, and time that local school principals advised us would make it easiest for the most parents to attend.

We also picked a school that was central to everyone, had plenty of free parking, and had a fantastic auditorium that could seat 400. We hoped that four hundred seats would be enough, especially because the FBI had sent one of their top experts from the Innocent Images task force who had some startling and eye-opening research to share with parents.

We also had the support of the Mayor and the Police Chief, who were there to remind parents just how seriously the city viewed the issue of child safety, and how it was up to all of us to work together to protect each other.

In total, about twenty people showed up. Out of nearly 10,000 invited. And at least half of those were our own volunteers and supporters.

It’s just a reminder that the biggest ally for cybercriminals is the apathy and indifference of their targets, and that cybercrime and identity theft continue to surge because so many consumers won’t get involved in their own protection. Even if it’s very simple and uncomplicated. And it’s also a reminder that things will probably never change – they certainly haven’t in the last ten years.

Or maybe parents were right and experts like me were over-thinking the dangers. After so many years on Facebook, many kids just outgrew it. There’s growing evidence that kids are abandoning Facebook in their millions so at the very least that reduces the number of potential victims, right? And maybe the best way to dodge the dangers is to simply hide in the middle of the herd and hope that by blending in, you won’t be singled out.

Maybe after thirty years in security I should think about changing my focus. Instead of researching the cure for insecurity, I should pursue the cure for apathy. Even if I know there probably isn’t one. The triumph of evil quote was originally pinned on Plato, more than 2,000 years ago. So I guess human nature is constant enough to be its own worst enemy.