identity theft


Lately it seems to me that the Telemarketers are really stepping up their attacks calls. They are hitting me from EVERY angle. They call the house, they call the cell, they leave messages, they hang up when the machine or voice mail answers. They start with recordings, they start with “real” people. They start off nice, they start off excited, they speak English, they try to speak English. They are low pressure, they are HIGH pressure.

Normally I don’t answer if the call is from an 800 number or if caller ID identifies the number as “Sales Center” etc…. Occasionally on my cell phone it says “Unknown Number”. I ignore them but often they turn out to be legitimate calls so if I’m expecting a call I will answer them and it turns out to be a telemarketer.

I’m not sure if my numbers have expired on the “Do Not Call List” or if these calls fall through the loopholes of the law because they have figured out what they can and can’t do to stay “legal”. What I do know is that it’s very annoying and I’m tired of it. I’m tired of them trying to get me to buy an extended warranty on vehicles I don’t own. I’m tired of them trying to get me to answer questions a certain way so they can send me my “free gift” with no strings attached. Yeah right. I’m not that stupid.

What bothers me about some of these calls is that they start off by saying “I’m calling about your recent purchases at Wal-Mart, CVS, or Walgreens.” WHAT! How in the world do they know where I shop? I know that it could be a wild guess but it concerns me that they may know that I recently shopped at one of these stores. Especially in light of what happened a few months ago and detailed here and here. I’m not sure exactly what info they have or what they are trying to accomplish outside of giving me a free gift. Yeah Right. :(

Another thing has been happening recently that makes me wonder if my phone ID has been stolen. I regularly get calls for different people from creditors. They want to speak to Paul, April, Beth, John, Tallulah, and others. They leave messages with “disclaimers” telling me that I should only listen to the message if I am the person “du jour”.

Does this mean that my number is being sold as a way to ward off creditors? Is it possible that so many deadbeats (I know that not all people who have problems paying bills are deadbeats, but I’m making a general assumption about these people since they all give my number) pull my number out of thin air when applying for credit? Maybe it’s just that every person who has ever had this number in the past has fallen on hard times and now is in default on loans and credit cards?

If anyone has any thoughts please let me know. If I can’t make it stop maybe I can at least learn something from it.

WOW! There has got to be a better way. My friend Mort has started a new blog with the Identity Protection company Debix. Today he has a post about a study that was done looking into identity theft and children. Yes, I said children. I’m talking people 17 years old and younger. I’m talking people who can’t legally enter into a contract and therefore can’t legally have credit. I’m talking boys and girls, little children, underage minors. I’m talking stupidity!

The numbers and statistics are frustrating and scary. They are also very irritating to me. Why? Because there is NO (repeat NO) reason for someone 17 or younger to have their identity stolen and to have credit opened in their name. As advanced as we are technologically there is no reason for this to happen. It’s utterly ridiculous that we have let things get to the point where banks and other financial institutions have not put processes in place to verify the information required to get credit opened in your name. Simple steps and checks could be put in place to verify whether or not the owner of a SSN is 5, 15 or 55 years old.

As irritating as the data is, there are also some good tips that we all need to follow, especially for our kids. Check out the blog to learn lots of good things about protecting your, and your kids’, identity.

The poll regarding SPAM and who has done what has ended. Just as a recap here is the question and the answer choices.

Have You or anyone you know actually bought something sold via spam or gotten a virus due to clicking on a malicious email link?

Yes, I bought something. (0%)
Yes, I know someone who bought something. (7%)
No, I have not bought anything nor know anyone who has. (45%)
Yes, I have gotten a virus via a malicious email link. (11%)
Yes, I know someone who has gotten a virus via a malicious link. (54%)
No, I have not nor do I know anyone who has gotten a virus via a malicious email link. (27%)

Obviously the totals add up to more than 100% because you could choose more than one answer.

I like the honesty of those who admitted to getting a virus because they clicked on a malicious link. That’s something hard to admit especially when you are in IT or Information Security.

What is really interesting is that only 7% of you even know anyone who has bought something via SPAM. It still boggles my mind that anyone would actually buy something via a complete stranger because they received an email. Just think of the possible dangers. 1) You have now given them your address. 2) You have given them your Credit Card or Bank Account information. 3) Even if they don’t do anything malicious w/ the first two you are taking the chance that they will bill you and never ship the product. Unless you are using a 3rd party that guarantees you some sort of protection you are out that money. I guess though that if 7% of all SPAM that is trying to sell you something is acted on that is a whole lot of sales. I don’t know what the average actually is but I’d venture to guess it is quite a bit less than 7%.

That is bad enough but to me the real danger here is the potential of getting your machine infected or owned by clicking on a malicious link in an email. Getting a traditional virus or worm is bad but today the real likelihood is that you will get botware that turns your PC into a SPAM bot or allows it to be used for other nefarious purposes. Worse than that is getting a rootkit or keystroke logger that is used to steal your identity and all of your user ID’s and passwords for online banking, trading, etc… This can really cause nightmares in real life.

Thanks again for taking my poll and I’ll have another one posted soon.

One of my biggest fears is to have my Identity stolen or my financial data compromised. I’m careful about what I do online and when I do transact financial business online I’m careful to do it only from a PC that I trust and feel confident is free of malware. I check the URL to ensure that it’s using a valid SSL cert and that it is the actual URL of the site I want it to be and not a phishing site. I only deal w/ reputable sites. I never give credit card info to those I don’t know. If they won’t accept PayPal then I don’t buy from them. I don’t click on links in emails that point me to financial sites. I always go to the site and navigate manually to the page that I need.

When it comes to physical transactions (ATM cards, Debit Cards, POS, etc) I check to ensure that the terminal is properly installed (as much as a visual inspection can do). I check to ensure that it’s not a “face plate” over the real scanner that will capture my data. I ensure that I enter my PIN in a way that is not easily seen by others. I shred my receipts and other paper documents that may be used to steal my ID or financial data.

I take all of these precautions and still am in danger of being “tricked” into having my data stolen. This article from PC World points out that the crooks are getting better at getting our data. Of course this has been known for a long time, but now they have card terminals that are identical to those you use at WalMart and other stores. The only difference is that they have a circuit board that captures all card data. Then the crooks come back and get their terminals and your data.

Obviously this isn’t easy and it takes skill and planning. It works because it looks and works the same. So now retailers and vendors have to step up their security to ensure that this doesn’t happen. They have to develop and put measures in place to ensure that when a “rogue” terminal shows up on the network that it won’t work. I don’t know what they would be because I don’t know the specifics of how they work, but I’m sure something such as encryption keys or activation keys that have to be entered prior to them coming online is a reasonable possibility. There must be some way of identifying each terminal and not allowing them to come online until they have been “approved” and entered in the system.

The key here is that if we are going to win this war vendors have to design their products in such a way that the plug and play mentality won’t work. Making things easy is great but it doesn’t work. It makes us less secure and makes the lives of the bad guys that much easier.
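One way the "approve each terminal before it comes online" idea above could look, as an added sketch that is not from the original post and does not describe any real payment system: the back office enrolls each terminal with its own secret key and admits it only after a challenge-response check. The class, function names and the terminal IDs (`LANE-04`, `LANE-99`) are hypothetical.

```python
import hashlib
import hmac
import secrets

def prove(terminal_id, key, nonce):
    """Terminal side: answer a challenge using the key loaded at enrollment."""
    return hmac.new(key, terminal_id.encode() + nonce, hashlib.sha256).digest()

class TerminalRegistry:
    """Back-office side: only enrolled terminals are allowed online."""
    def __init__(self):
        self._keys = {}      # terminal_id -> per-terminal secret key
        self._pending = {}   # terminal_id -> outstanding challenge nonce

    def enroll(self, terminal_id):
        """Staff approve a terminal; the returned key is loaded into it once."""
        key = secrets.token_bytes(32)
        self._keys[terminal_id] = key
        return key

    def challenge(self, terminal_id):
        """Issue a fresh nonce (also for unknown IDs, so nothing is revealed)."""
        nonce = secrets.token_bytes(16)
        self._pending[terminal_id] = nonce
        return nonce

    def admit(self, terminal_id, response):
        """True only if the terminal proves it holds its enrolled key."""
        nonce = self._pending.pop(terminal_id, None)   # each nonce is single use
        key = self._keys.get(terminal_id)
        if nonce is None or key is None:
            return False
        return hmac.compare_digest(prove(terminal_id, key, nonce), response)

def demo():
    """Constructed scenario: one enrolled terminal and three rejected attempts."""
    reg = TerminalRegistry()
    key = reg.enroll("LANE-04")
    results = {}
    nonce = reg.challenge("LANE-04")
    answer = prove("LANE-04", key, nonce)
    results["enrolled"] = reg.admit("LANE-04", answer)
    results["replayed"] = reg.admit("LANE-04", answer)   # old answer reused
    nonce = reg.challenge("LANE-04")                     # swapped-in look-alike
    results["wrong_key"] = reg.admit("LANE-04", prove("LANE-04", secrets.token_bytes(32), nonce))
    nonce = reg.challenge("LANE-99")                     # never enrolled
    results["unknown_id"] = reg.admit("LANE-99", prove("LANE-99", key, nonce))
    return results
```

A swapped-in terminal that looks identical still fails here because it never received the key; the check only helps if that key cannot be copied out of a genuine terminal.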

Dark Reading reports that identity theft and phishing are on the rise at an alarming rate. The bad guys are getting smarter at making emails look legitimate and at making the links look real. More and more the actual link is more realistic instead of being masked in the email. People are getting smarter about checking links before clicking on them, but if the link looks real in both the email and the status bar it is more likely to be clicked on.

This is why we have to keep pushing forward with user awareness training. People have to learn that clicking on a link in an email is a VERY bad thing. Unless you know that it’s a good link and was sent by a trustworthy source DON’T click on it. This is the word that has to be gotten out to friends and family. Personally I don’t understand how someone could actually buy something that comes to them from someone they don’t know. You are buying it from some place and you don’t know where it is, you don’t know the trustworthiness of the seller, and it is mostly from someone who can’t spell, can’t use proper English, or puts “Hey Dude!” in the subject line.

Unfortunately I seem to be in the minority here. I’m a big believer in the adage “With knowledge comes responsibility”. Those of us who know the dangers have to pass that knowledge along to others. We can’t have the attitude that if they are dumb enough to click on the link or give out their credit card info then they deserve what they get. It wouldn’t be right if the only one affected was the person who clicked on the link. What makes it worse is that often they get malware on their PC that makes it a danger to the rest of us.

Martin writes about a new service being offered that allows you to search for your SS# or CC# to see if it has been stolen or compromised. When I saw this I had to drop what I was doing and post about it. Not because it’s BIG news, but because I want as many people as possible to know about this so they can warn their friends. Not because I think the guys who are running it are trying to scam anyone, but b/c it does two things. First, as Martin said, it’s another database that has the potential to be breached. Second, it encourages people to give out information that they don’t need to be giving out.

The site is https://www.stolenidsearch.com/

As I said I’m sure they have good intentions, but I’m not liking the way they are going about it. The site has a Verisign SSL Cert, is a service of TrustedID and is endorsed by the Identity Theft Resource Center. All of these are great organizations that work to keep us secure, but I still don’t like it.