As part of Gemalto’s #ChipAwayAtFraud campaign, I’m being tasked with numerous tasks, some tacky, some essential to living. Gemalto, one of the world’s leaders in digital security, wants a real-world take on the EMV card experience. Which includes the security benefits EMV cards presents. You know EMV; it’s the “chip” credit card that by now, you should have. EMV by the way stands for Euro/MasterCard/Visa. The Euro part essentially means that’s where the card was first deployed.

If you don’t have a chip card by now get on the phone, call your bank and in your loudest, angriest voice scream at them and politely ask why they haven’t sent you one yet.

You, Mr. and Mr.’s credit card holder should support for the new technology in your community by explaining it to people, and encourage its use.

As a Gemalto campaigner I’m deploying two articles, one introductory (this one) and one “wrap-up” piece, detailing my experience during the challenge.

The Challenge:

Complete All Ten Tasks First and Win $400 to a Charity of Your Choice: My Charity is Boston Children’s Hospital

1. Get coffee at a local (not chain) coffee shop
2. Make any purchase at a big-box store
3. Get a meal inside a fast food restaurant
4. Buy a magazine at a gas station
5. Get $50 worth of groceries
6. Buy a tacky t-shirt
7. Get someone special a bouquet of flowers
8. Hit a tourist attraction in your town
9. Buy office supplies for your coworker(s)
10. Mail us a postcard from your local post office

Easy. Let the games begin!

Cyber crime sure does pay, according to a report at Intel Security blogs.mcafee.com. There’s a boom in cyber stores that specialize in selling stolen data. In fact, this is getting so big that different kinds of hot data are being packaged—kind of like going to the supermarket and seeing how different meats or cheeses are in their own separate packages.

Here are some packages available on the Dark Net:

• Credit/debit card data
• Stealth bank transfer services
• Bank account login credentials
• Enterprise network login credentials
• Online payment service login credentials

This list is not complete, either. McAfee Labs researchers did some digging and came up with some pricing.

The most in-demand type of data is probably credit/debit card, continues the blogs.mcafee.com report. The price goes up when more bits of sub-data come with the stolen data, such as the victim’s birthdate, SSN and bank account ID number. So for instance, let’s take U.S. prices:

• Basic: $5-$8
• With bank ID#: $15
• With “fullzinfo” (lots more info like account password and username): $30
• Prices in the U.K., Canada and Australia are higher across the board.

So if all you purchase is the “basic,” you have enough information to make online purchases—and can keep doing this until the card maxes out or the victim reports the unauthorized charges.

However, the “fullzinfo” will allow the thief to get into the account and change information, thwarting the victim’s attempts to get things resolved.

How much do bank login credentials cost?

• It depends on the balance.
• $2,200 balance: $190 for just the login information
• For the ability to transfer funds to U.S. banks: $500 to $1,200, depending on the balance.

Online premium content services offer a variety of services, and the login credentials to these are also for sale:

• Video streaming: $0.55 to $1
• Cable channel streaming: $7.50
• Professional sports streaming: $15

There are so many different kinds of accounts out there, such as hotel loyalty programs and auction. These, too, are up for sale on the underground Internet. Accounts such as these have the thief posing as the victim while carrying out online purchases.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Bottom line: If you have a data security policy in place, you need to make sure that it’s up to date and contains all of the necessary elements to make it effective. Here are 10 essential items that should be incorporated into all security policies:

1. Manage employee email

Many data breaches occur due to an employee’s misuse of email. These negligent acts can be limited by laying out clear standards related to email and data. For starters, make sure employees do not click on links or open attachments from strangers because this could easily lead to a ransomware attack.

2. Comply with software licenses and copyrights

Some organizations are pretty lax in keeping up with the copyrights and licensing of the software they use, but this is an obligation. Failing to do so could put your company at risk.

3. Address security best practices

You should be addressing the security awareness of your staff by ensuring that they are aware of security best practices for security training, testing and awareness.

4. Alert employees to the risk of using social media

All of your staff should be aware of the risks associated with social media, and consider a social media policy for your company. For example, divulging the wrong information on a social media site could lead to a data breach. Social media policy should be created in line with the security best practices.

5. Manage company-owned devices

Many employees use mobile devices in the workplace, and this opens you up to threats. You must have a formal policy in place to ensure mobile devices are used correctly. Requiring all staff to be responsible with their devices and to password protect their devices should be the minimum requirements.

6. Use password management policies

You also want to make sure that your staff is following a password policy. Passwords should be complex, never shared and changed often.

7. Have an approval process in place for employee-owned devices

With more employees than ever before using personal mobile devices for work, it is imperative that you put policies in place to protect your company’s data. Consider putting a policy in place which mandating an approval process for anyone who wants to use a mobile device at work.

8. Report all security incidents

Any time there is an incident, such as malware found on the network, a report should be made and the event should be investigated immediately by the IT team.

9. Track employee Internet use

Most staff members will use the Internet at work without much thought, but this could be dangerous. Try to establish some limits for employee Internet use for both safety and productivity.

10. Safeguard your data with a privacy policy

Finally, make sure that all staff members understand your company’s privacy policy. Make sure that data is used correctly and within the confines of the law.

Companies are constantly attacked by hackers, but what if those attacks come from the inside? More companies than ever before are dealing with insider security threats.Here are 11 steps that all organizations should take to mitigate these threats and protect important company data:

1. Always encrypt your data If you want to minimize the impact of an insider threat, always encrypt data. Not all employees need access to all data and encryption adds another layer of protection.
2. Know the different types of insider threats There are different types of insider threats. Some are malicious, and some are simply due to negligence. Malicious threats may be identified by employee behavior, such as attempting to hoard data. In this case, additional security controls can be an effective solution.
3. Do background checks before hiring Before you hire a new employee, make sure you are doing background checks. Not only will this show any suspicious history, it can stop you from hiring any criminals or those associated with your competitors. Personality tests can also red flag the propensity for malicious behavior.
4. Educate your staff Educating your staff on best practices for network security is imperative. It is much easier for employees to use this information if they are aware of the consequences of negligent behavior.
5. Use monitoring solutions There are monitoring solutions that you can use, such as application, identity and device data, which can be an invaluable resource for tracking down the source of any insider attack.
6. Use proper termination practices Just as you want to be careful when hiring new employees, when terminating employees, you also must use proper practices. This includes revoking access to networks and paying attention to employee actions on the network in the days before they leave.
7. Go beyond the IT department Though your IT department is a valuable resource, it cannot be your only defense against insider threats. Make sure you are using a number of programs and several departments to form a team against the possibility of threats.
8. Consider access controls Access controls may help to deter both malicious and negligent threats. This also makes it more difficult to access data.
9. Have checks and balances for all staff and systems It is also important to ensure there are checks and balances in place, i.e. having more than one person with access to a system, tracking that usage and banning shared usernames and passwords.
10. Analyze network logs You should collect, store and regularly analyze all of your network logs, and make sure it’s known that you do this. This will show the staff that you are watching what they are doing, making them less likely to attempt an insider attack.
11. Back up your data Employees may be malicious or more likely they make big mistakes. And when they do, you’d sleep better at night knowing you have redundant, secure cloud based backup to keep your business up and running.

Robert Siciliano is an expert in personal privacy, security and identity theft. 

No bones about it, 2016 is sure to see some spectacular, news-chomping data breaches, predicts many in infosec. If you thought 2015 was interesting, get your seatbelt and helmet on and prepare for lift off…

Wearable Devices

Cyber crooks don’t care what kind of data is in that little device strapped around your upper arm while you exercise, but they’ll want to target it as a passageway to your smartphone. Think of wearables as conduits to your personal life.

Firmware/Hardware

No doubt, assaults on firmware and hardware are sure to happen.

Ransomware

Not only will this kind of attack continue, but an offshoot of it—“I will infect someone’s device with ransomware for you for a reasonable price”—will likely expand.

The Cloud

Let’s not forget about cloud services, which are protected by security structures that cyber thieves will want to attack. The result could mean wide-scale disruption for a business.

The Weak Links

A company’s weakest links are often their employees when it comes to cybersecurity. Companies will try harder than ever to put in place the best security systems and hire the best security personnel in their never-ending quest for fending off attacks—but the weak links will remain, and cyber crooks know this. You can bet that many attacks will be driven towards employees’ home systems as portals to the company’s network.

Linked Stolen Data

The black market for stolen data will be even more inviting to crooks because the data will be in sets linked together.

Cars, et al

Let’s hope that 2016 (or any year, actually) won’t be the year that a cyber punk deliberately crashes an Internet connected van carrying a junior high school’s soccer team. Security experts, working with automakers, will crack down on protection strategies to keep cyber attacks at bay.

Threat Intelligence Sharing

Businesses and security vendors will do more sharing of threat intelligence. In time, it may be feasible for the government to get involved with sharing this intelligence. Best practices will need hardcore revisions.

Transaction Interception

It’s possible: Your paycheck, that’s been directly deposited into your bank for years, suddenly starts getting deposited into a different account—that belonging to a cyber thief. Snatching control of a transaction (“integrity attack”) means that the thief will be able to steal your money or a big business’s money.

Wow cool! A device that lets you know, via Internet, when your milk is beginning to sour! And a connected thermostat—turning the heat up remotely an hour before you get home to save money…and “smart” fitness monitors, baby monitors, watches…

Slow down. Don’t buy a single smart device until you ask yourself these 10 questions. And frankly, there’s a lot of effort in some of these questions. But, security isn’t always easy. Check it out.

• Was the company ever hacked? Google this to find out.
• If so, did the company try to hide it from their customers?
• Review the privacy policies and ask the company to clarify anything—and of course, if they don’t or are reluctant…hmmm…not good. Don’t buy a device that collects data from vendors that fail to explain data security and privacy.
• Does the product have excellent customer support?
• Is it hard to get a live person? Is there no phone contact, only some blank e-mail form? Easily accessible customer support is very important and very telling of the product’s security level.
• Does the product have vulnerabilities that can make it easy for a hacker to get into? You’ll need to do a little digging for this information on industry and government websites.
• Does the product get cues for regular updates? The manufacturer can answer this. Consider not buying the device if there are no automatic updates.
• Does the product’s firmware also automatically update? If not, not good.
• Is the Wi-Fi, that the device will be connected to, secure? Ideally it should be WPA2 and have a virtual private network for encryption.
• Will you be able to control access to the product? Can others access it? If you can’t control access and/or its default settings can’t be changed…then be very leery.
• What data does the device collect, and why?
• Can data on the device traverse to another device?
• Ask the gadget’s maker how many open ports it has. Fewer open ports means a lower chance of malware slithering in.
• Is stored data encrypted (scrambled)? If the maker can’t or won’t answer this, that’s a bad sign.
• Ask the manufacturer how the device lets you know its batteries are low.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention

When it comes to tossing into the rubbish your old computer device, out of sight means out of mind, right? Well yeah, maybe to the user. But let’s tack something onto that well-known mantra: Out of site, out of mind, into criminal’s hands.

Your discarded smartphone, laptop or what-have-you contains a goldmine for thieves—because the device’s memory card and hard drive contain valuable information about you.

Maybe your Social Security number is in there somewhere, along with credit card information, checking account numbers, passwords…the whole kit and caboodle. And thieves know how to extract this sensitive data.

Even if you sell your device, don’t assume that the information stored on it will get wiped. The buyer may use it for fraudulent purposes, or, he may resell to a fraudster.

Only 25 states have e-waste recycling laws. And only some e-waste recyclers protect customer data. And this gets cut down further when you consider that the device goes to a recycling plant at all vs. a trash can. Thieves pan for gold in dumpsters, seeking out that discarded device.

Few people, including those who are very aware of phishing scams and other online tricks by hackers, actually realize the gravity of discarding or reselling devices without wiping them of their data. The delete key and in some cases the “factory reset” setting is worthless.

To verify this widespread lack of insight, I collected 30 used devices like smartphones, laptops and desktops, getting them off of Craigslist and eBay. They came with assurance they were cleared of the previous user’s data.

I then gave them to a friend who’s skilled in data forensics, and he uncovered a boatload of personal data from the previous users of 17 of these devices. It was enough data to create identity theft. I’m talking Social Security numbers, passwords, usernames, home addresses, the works. People don’t know what “clear data” really means.

The delete button makes a file disappear and go into the recycle bin, where you can delete it again. Out of sight, out of mind…but not out of existence.

What to Do

• If you want to resell, then wipe the data off the hard drive—and make sure you know how to do this right. There are a few ways of accomplishing this:

Search the name of your device and terms such as “factory reset”, “completely wipe data”, reinstall operating system” etc and look for various device specific tutorials and in some cases 3^rd party software to accomplish this.

• If you want to junk it, then you must physically destroy it. Remove the drive, thate are numerous online tutorials here too. Get some safety glasses, put a hammer to it or find an industrial shredder.
• Or send it to a reputable recycling service for purging.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention