We’re told to change our passwords often to minimize getting hacked. Now we’re told this is a bad thing.

But not for any inherent techy reason. It’s because frequent password changing makes many people lower their guard when it comes to creating new passwords.

They get lax and end up with passwords like Bear1, Crazy4uand GetHigh1978. Or, they often only minimally change the password, such as going from Hotbaby!! to Babyhot!!.

Believe it or not, despite an infinite number of permutations involving 26 letters, 10 numbers and 10 symbols, many people struggle to create new passwords beyond just minimally altering existing passwords. And don’t even ask these folks to remember any new and very different, strong passwords.

But if you already have unique, strong and jumbled passwords, you do not have to frequently change them. So if your Facebook password is Ihv1dggnPRvGr8tGamz!, there is no reason to change this 90 days after creating it. However, changing ANY password every six months to a year is still a wise idea. And this infrequency won’t leave you drained.

And you can always use a password manager to do the figuring for you anyways. A password manager will create long, strong and unique passwords, and issue you a single master password.

Rules for a Virtually Uncrackable Password

• Does not include any names that are found in a dictionary, including proper names, sports team names, rock group names, city names, etc.
• Does not have any keyboard sequences, no matter how unintelligible. So even though sdfgh looks jumbled, it’s just as much a sequence as 12345.
• It contains numbers, letters and symbols.
• If you predict struggling to remember a bunch of jumbled passwords, then think of a phrase that you will never forget, especially one that pertains to the account you want to create the password for. An example might be the password for your credit card account. You can shorten “I Hate Making Credit Card Payments” to:iH8tmkngCCpymnt$!.

You can also shorten phrases that pertain to things you love, like for instance, a phrase about your favorite movie, food, vacation, TV show, etc.

Identity thieves are after children’s Social Security numbers. With this number, a thief can do so many things like open a credit card account and rent an apartment. Kids’ SSNs have great appeal to crooks because:

• A child’s record is usually very clean.
• This means fertile opportunities for new credit lines.
• Kids usually don’t check their credit reports and thus the fraud can go undetected for years.

Parents should consider putting a freeze on their kids’ credit. Simply getting the credit monitored will not prevent thieves from opening accounts using the child’s SSN. A freeze does literally that: blocks a fraudster from doing anything.

Experian

• Will not create a file for a child unless required by state law, unless they are victimized.
• However, will give a free copy of an existing file of a child to the parent and will freeze it upon request.
• There may be a very small fee unless the parent provides proof that the minor’s identity was stolen.

Equifax

• Their freeze is free and doesn’t answer to any state requirements.
• The child need not already be a victim of ID theft to get the freeze.

Trans Union

• Their site allows parents to check for a credit file of their kids.
• Freezes are permitted only in states that allow this. Fees may apply.

Innovis (another credit reporting agency)

• Parents can place a freeze no matter what their state says.

Not all the states provide protection for minors’ credit. Find out what your state’s requirements are, as some, for instance, provide only a flag on the Social Security number. Other states have protection going up only to age 16.

Signs that someone is using your child’s SSN:

• You receive an IRS notice claiming your child didn’t pay income taxes.
• You get an IRS notice informing you that another tax return used your child’s SSN.
• You receive collection notices for things you didn’t purchase.

Rejection of government benefits because the benefits are going to another account with your child’s SSN.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Ever consider the possibility that a person gets a job as a bank teller…for the sole purpose of stealing a patron’s identity?

Do you realize how easy this would be?

• No techy hacking skills required.
• No gun required.

So we’ve all been instilled with fear of our bank getting data breached by Russian hacking rings, while that mousy looking teller with the sweet smile could be your greatest threat.

A nytimes.com article points out that a teller from Capital One had gained access to seven accounts and gave information to a co-thief who drew checks on these accounts.

Tellers can fake debit cards and wire unauthorized funds. They can also sell personal data to other thieves.

The nytimes.com article says that a teller was part of an ID theft ring that stole $850,000. The idea of tellers committing these thefts is very real. One teller even took photos with a cell phone of account data to cash phony checks. Another thief, who worked at a credit union, took loans out in customer’s names.

There are many ways that tellers can steal, including creating credit cards in customer’s names. Tellers may also be easily bribed by thieves to sell them customer information, as the tellers’ income isn’t that great, averaging about $25,000 a year.

The thieves, who bribe the tellers, don’t necessarily pay them with money. They may offer them luxuries that the teller can only dream of, such as flying in private jets and meeting famous athletes, says the nytimes.com report.

And if you think that banks require rigorous background checks for new teller  hires…think again. Furthermore, continues the article, savvy thief-tellers will keep their fraudulent withdrawals under $10,000, to keep below the detection radar. These sneaks can get away with this for years.

The general rule of thumb is that tellers have way too much access to customers’ data, and banks are lax at correcting this problem beyond simply reimbursing customers with their stolen money. The banks don’t want to invest the money and time in straightening out this problem, though a small number of banks have implemented tighter controls on tellers.

But what can we, the customer, do? We just have to keep our fingers crossed? The most effective way to prevent fraud is to do two things:

1. Go over your accounts security controls with a bank advisor. Set up limits on transactions, require second signatures for large dollar amounts, and restrict money flow in any way that will cause financial harm.
2. Set up alerts and notifications, so you, the account holder can become fully aware of every transaction of any kind.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Everyone has received very obvious “phishing” e-mails: Messages in your in-box that have outrageous subject lines like “Your Account Will Be Suspended,” or, “You Won!”

While some phishing attacks are obvious, others look harmless, such as those in a person’s workplace in-box, seemingly from their company’s higher-ups.

Researchers point out that an e-mail may appear to come from the company’s HR department, for example. E-mails with an “urgent email password change request” had a 28% click rate, Wombat security reported.

Phishing victims act too quickly.

In the workplace, instead of phoning or texting the HR department about this password reset, or walking over to the HR department (a little exercise never hurts), they quickly click.

So one way, then, to protect yourself from phishing attacks is to stop acting so fast! Take a few breaths. Think. Walk your duff over to the alleged sender of the e-mail for verification it’s legit.

Wombat’s survey reveals that 42% of respondents reported malware infections, thanks to hasty clicking. However, employees were more careful when the e-mail concerned gift card offers and social media.

The report also reveals:

• 67% were spear phished last year (spear phishing is a targeted phishing attack).
• E-mails with an employee’s first name had a 19% higher click rate.
• The industry most duped was telecommunications, with a 24% click rate.
• Other frequently duped industries were law, consulting and accounting (23%).
• Government was at 17%.

So as you see, employees continue to be easy game for crooks goin’ phishin.’

And attacks are increased when employees use outdated plug-ins: Adobe PDF, Adobe Flash, Microsoft Silverlight and Java.

The survey also reveals how people guard themselves from phishing attacks:

• 99% use e-mail spam filters.
• 56% use outbound proxy protection.
• 50% rely on advanced malware analysis.
• 24% use URL wrapping.

These above approaches will not prevent all phishing e-mails from getting into your in-box. Companies must still rigorously train employees in how to spot phishing attacks, and this training should include staged attacks.

Protect Yourself

• Assume that phishing e-mails will sometimes use your company’s template to make it look like it came from corporate.
• Assume that the hacker somehow figured out your first, even last name, and that being addressed by your full name doesn’t rule out a phishing attack.
• Get rid of the outdated plug-ins.

Phishing attacks are also prevalent outside the workplace, and users must be just as vigilant when on their personal devices.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

You may be putting your company at risk simply by hiring a new employee. Why? Because that person could have a hidden, malicious agenda.

This is known as an inside threat, and it means that someone within your organization is planning or conducting activities meant to harm the company.

There is a pattern that most insider threats use: The first step is to gain access to the company’s system. Once they have access to the network, they will investigate it and seek out any vulnerable areas. The malicious insider then sets up a workstation to control the scheme and spread the destruction.

What type of destruction can you expect? The hacker could introduce malware or they could steal or delete critical information, all of which can be damaging to your business. Fortunately, there are ways to protect business from these types of hacks.

Most companies protect their IT systems with firewalls, anti-virus programs, data backup software and even spyware-scanning technology. The problem is that these technologies only work when hackers are trying to get information from the outside.

One way to protect against insider threats is to ensure that employees can only access the data necessary to do their jobs. You should look at the flow of data throughout the organization to determine how information is shared and where it becomes vulnerable to theft or other security breaches. Then work with each department to implement the proper security controls.

The process of preventing data loss begins with discovering the data, classifying it, and then deciding how much risk your company may face if the data gets out. Some of the tools and procedures you may want to consider for protection include:

• System-wide encryption
• Password management
• Device recognition
• Access controls
• Data disposal

It’s important to create security policies and procedures that are easy for employees to understand. The more transparent these policies are, the more effective your departments will be when communicating what they want and need.

How can you mitigate insider threats? Tune into the Carbonite webinar that I’ll be hosting live on Wednesday, March 15th at 11 am ET, to learn how. Register here: http://go.carbonite.com/security-threat/blog

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. Disclosures.

Companies have been struggling for years to keep cyber-attacks at bay. Cyberthieves are working faster than ever before to send out their malicious attacks, and it’s become increasingly difficult for companies to keep up.

CNN reports that almost one million malware strains are released every day. In 2014, more than 300 million new types of malicious software were created. In addition to new forms of malware, hackers continue to rely on tried and true bugs because many companies simply haven’t found a fix or haven’t updated their systems to mitigate the threats.

In almost 90% of these cases, the bugs have been around since the early 2000s, and some go back to the late 1990s. The irony here is that companies can protect themselves and create patches for these bugs, but there tends to be a lack of effort and resources when it comes to getting the job done.

Some industries are targeted more than others. After hackers get information from these companies, such as proprietary data, they attempt to sell the information on the black market.

Cyberattacks are spreading quickly, and it takes almost no time after an email is sent for a victim to fall for the scheme. When a hacker is successful at breaking into a certain type of company, such as a bank or insurance firm, they will typically use the same exact method to quickly attack another company in the same industry.

New and improved cyber attacks

While old methods of cyber-attack can still be effective, it is the new scams that users should be nervous about. Here are some examples:

• Social media scams
  Social media scams work and cybercriminals just love them because the people being scammed do most of the work. Cybercriminals release links, videos or stories that lead to viruses, and people share them with their friends because they are cute, funny or eye-raising. These tend to spread quickly because people feel as if they are safe.
• Likejacking
  Hackers may also use a practice known as “likejacking” to scam people on social media. In this case, they will use a fake “like” button that tricks people into installing malware. The programs then post updates on the user’s wall or newsfeed to spread the attack.
• Software update attacks
  Hackers are also focusing on more selective attacks. For example, a hacker may hide malware inside of a software update. When a user downloads and installs the update, the virus is set free.
• Ransomware
  These attacks, where thieves steal or lock files on a person’s computer and then demand a ransom for access, climbed more than 110% in the last year alone. Once infected, the only way to regain access to the files is to pay a fee, usually between $300 and $500, for a decryption key.

How can you mitigate insider threats? Tune into the Carbonite webinar that I’ll be hosting live on Wednesday, March 15th at 11 am ET, to learn how. Register here: http://go.carbonite.com/security-threat/blog.

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. Disclosures.

Disasters happen every day. Crashing hard drives, failing storage devices and even burglaries could have a significant negative impact on your business, especially if that data is lost forever. You can avoid these problems by backing up your data.

Backing up means keeping copies of your important business data in several places and on multiple devices. For example, if you saved data on your home PC and it crashes, you’ll still be able to access the information because you made backups.

A great way to protect your files is by backing up to the cloud. Cloud backup services like Carbonite allow you to store data at a location off-site. You accomplish this by uploading the data online via proprietary software.

Cloud backup providers have a reputation for being safe and secure. But you can’t be too careful. Here are a few ways to beef up security even more when you use a cloud backup system:

• Before backing up to the cloud, take stock of what data is currently in your local backup storage. Make sure that all of this data is searchable, categorized and filed correctly.
• Consider taking the data you have and encrypting it locally, on your own hard drive before backing up to the cloud. Most cloud backup solutions – including Carbonite – provide high-quality data encryption when you back up your files. But encrypting the data locally can add an additional layer of security. Just remember to store your decryption key someplace other than on the computer you used to encrypt the files. This way, if something happens to the computer, you’ll still be able to access your files after you recover them from the cloud.
• Create a password for the cloud account that will be difficult for any hacker to guess. However, make sure that it’s also easy for you to remember. The best passwords are a combination of numbers, letters and symbols.

Cloud backups are convenient and have a good record when it comes to keeping your data safe. It doesn’t require the purchase of additional equipment or the use of more energy. You can also restore data from anywhere, to any computer, as long as there is an Internet connection available.

Consultant Robert Siciliano is an expert in personal privacy, security and identity theft prevention. Learn more about Carbonite’s cloud and hybrid backup solutions for small and midsize businesses. Disclosures.

Do you shop at Amazon.com? Are you aware they have a back door through which hackers can slip in?

Let’s look at Eric’s experience with hackers and Amazon, as he recounts at medium.com/@espringe.

He received an e-mail from Amazon and contacted them to see what it was about. Amazon informed him that he had had a text-chat and sent him the transcript—which he had never been part of.

Eric explains that the hacker gave Eric’s whois.com data to Amazon. However, the whois.com data was partially false because Eric wanted to remain private.

So Eric’s “fake” whois.com information wasn’t 100 percent in left field; some of it was true enough for the customer service hack to occur, because in exchange for the “fake” information, Amazon supplied Eric’s real address and phone number to the hacker.

The hacker got Eric’s bank to get him a new copy of his credit card. Amazon’s customer service had been duped.

Eric informed Amazon Retail to flag his account as being at “extremely high risk” of getting socially engineered. Amazon assured him that a “specialist” would be in contact (who never was).

Over the next few months, Eric assumed the problem disintegrated; he gave Amazon a new credit card and new address. Then he got another strange e-mail.

He told Amazon that someone was impersonating him, and Amazon told him to change his password. He insisted they keep his account secure. He was told the “specialist” would contact him (who never did). This time, Eric deleted his address from Amazon.

Eric became fed up because the hacker then contacted Amazon by phone and apparently got the last digits of his credit card. He decided to close his Amazon account, unable to trust the giant online retailer.

• Frequently log into your account to check on orders. See if there are transactions you are unaware of. Look for “ship to” addresses you didn’t authorize.
• Amazon’s customer support reps should be able to see the IP address of the user who’s connecting. They should be on alert for anything suspicious, such as whether or not the IP address is the one that the user normally connects with.
• Users should create aliases with their e-mail services, to throw off hacking attempts. In other words, having the same email address for all your online accounts will make it easy for them to be compromised.
• If you own domain names, check out the “whois” info associated with the account. It may be worth making it private.

Be very careful when sharing information about yourself. Do not assume that just because a company is a mega giant (like Amazon), it will keep your account protected from the bad guys.

Cybercriminals know that the best way to get their claws on the next victim is to appeal to their emotions, not logic.

There’s lots of scary things in life, and one is learning that your computer has been infected with a virus. If this happens, you’re now vulnerable to spending money on getting rid of the malware. The tactic of scaring users is called scareware.

• A pop up tells you “Warning! Your Computer Has Been Infected with Malware!”
• The pop-up can be triggered by visiting an infected website or by making a bad click.
• The pop-up can’t be closed out, or if it can, another appears.
• Additional information in the pop-up lures you into clicking a link inside it, such as buy some downloadable security software that will destroy the virus.
• Once the alleged security software is downloaded/installed, it crashes your computer—even if you already have a legitimate security software program in place.
• You’re screwed at this point. (Hope you had all your data backed up before this happened!)

Here’s another way the scam can unfold, from someone who wrote to me:

“I was notified by a notice supposedly from Windows Security that my PC has been attacked.  They claim that all my PC ID numbers were stolen and that Russia had got about 8-12 other IDs.  They took control of my computer and said they scanned it to find this out. They claimed the only way that I could clear this problem was to have them clear it for $199.99 and security for 1year (sic) for $149.99.  They said the only way to accomplish this was by check.  They said it couldn’t be done by credit card because them (sic) numbers would be stolen too.  I refused to go along with that plan and closed them out.  

P.S. I checked my account and it is paid thru 6/2016.  How do I know if I get a notice from Windows that it is legit? 

All windows notifications come via Windows Update. That “pop-up” emanates via your notifications area on your taskbar and NOT a popup via your browser. What a mess.

Protect Yourself

• Use security software only from a name-brand company.
• Keep it updated.
• See a pop-up? Close it out. Never click inside it—which you can’t do if you close it out immediately.
• Exit the site you think triggered it.
• Play it safe and run a scan using your legitimate security software.

Robert Siciliano is an identity theft expert to BestIDTheftCompanys.com discussing identity theft prevention.

Once a thief knows your Social Security number…you’re at very high risk for having your identity stolen.

A report on bankrate.com says that the IRS is warning of a cyber attack on its electronic filing PIN application. Thieves infiltrated it with malware in an attempt to claim other people’s refunds as their own. Over 450,000 SSNs were involved, and over 100,000 of them enabled the hackers to access an E-file PIN.

Endless scams are directed towards SSNs, like the classic phishing attack. A phishing attack basically goes as follows:

• An e-mail arrives with an alluring or threatening subject line, which may actually be a warning to protect your SSN.
• The e-mail looks legitimate, complete with logos and privacy information at the bottom.
• The hacker’s goal is to get you to fill out a form that includes typing in your SSN.
• The FTC warns of a “Get Protected” subject line for the latest scam. This scam e-mail mentions the “S.A.F.E. Act 2015” that protects against fraudulent use of SSNs.
• Like many phishing e-mails, the “Get Protected” one contains fake information.
• These e-mails include a link that, when clicked, will release a virus, or take you to a website that will download a virus or lure you into revealing sensitive information.

Three Ways to Get Scammed

Most people make important decisions based on emotion. Cyber thieves know this, and they prey on fear, greed and generosity.

• People aren’t thinking straight when emotions are ruling. Logic gets swept under the rug. There’s pressure to act quickly, such as helping the scammer (who pretends to be a grandchild of the victim) who was in an accident: wire money asap. Natural disaster scams prey on the desire to give. The emotion of greed is manipulated in “You’ve Won!” and inheritance scams.
• Of course, before the fraudster plays with emotions like a cat playing with a mouse, he first gains your trust, pretending to like the same things you do, whatever it takes so that you don’t question him.
• Scammers are adept at appearing credible, such as tricking your caller ID into showing “IRS” or the name of your bank in the ID field. They may have a snazzy website up, a “badge number,” noise in the background to simulate a call center, even a fake accent.
• Remember, scammers are pros. It’s going to seem legitimate.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Your account passwords should be as unique as your fingerprint—to make them less hackable by crooks using password-guessing software that can run through millions of possible combinations in just minutes. And if you have an easy password, there may be a hit within 10 seconds.

Think this software can figure out your password of “password1” or “monkey”? These are among the most used passwords. Needless to say, so is “1password” and just “password.” And “login.” What are people thinking?

Every year, millions of passwords are stolen. These are made public by researchers, in order of popularity. Hackers see this list. If you don’t want to get hacked, then avoid using the following passwords (this list is very incomplete):

• 123456 (avoid ANY numerical sequence)
• qwerty (avoid ANY letter sequence)
• 123456789 (long sequences are just as bad as shorter ones)
• Football (hackers know that tons of passwords are a name of a popular sport)
• abc123 (combining different keyboard sequences doesn’t toughen up the password)
• 111111 (how lazy can you be?)
• 1qaz2wsx (vertical sequences are vulnerable too)
• master, princess, starwars (give me a break)
• passw0rd (wow, so creative!)

Don’t even bother with names of animals, countries, cities, famous music bands or people names. Even combining these won’t help, such as EmilyParis. If any component of the password can be found in a dictionary, change it.

Using a unique, different and strong password for all of your accounts goes a very long way in protecting yourself from hackers—and that means a different password for every account/site, not just a strong and original one. A hacker’s software will take millions of years to crack a password like 8guEF$#gG2#&4H.

Now suppose you have 15 passwords like this (for 15 accounts). How do you remember them all, being that they’re a crazy jumble of all sorts of characters?

Use a Password Manager

• Solves the problem of having to remember (and type in) many different whacky combinations of characters.
• Creates complex, hard-to-crack passwords.
• Stores all the passwords and allows you to use one master password.
• Eliminates having to reset passwords.

But feel free to make some of your passwords up. So if your favorite movie is the original “Star Wars,” your different passwords might be:

• iLVth1st*wrz!FB (FB being for Facebook)
• iLVth1st*wrz!A2Z (A2Z being for Amazon)
• iLVth1st*wrz!$$ ($$ being for your bank)
• Passwords should be at least eight characters.

Robert Siciliano is an identity theft expert to TheBestCompanys.com discussing  identity theft prevention.

Most people have heard of storing information in “the cloud,” but do you know what this means, and if it is even safe?

A cloud is basically a network of servers that offer different functions. Some of these servers allow you to store data while others provide various services. The cloud is made of millions of servers across the globe and most are owned by private or public corporations. Many of those corporations are diligent about security, and you are likely using the cloud whether you know it or not.

Most customers using cloud services have faith that their information will remain safe. But there are some precautions you need to take. Here are some questions to ask any cloud service provider before relying on them to store your business data:

• How often do you clean out dormant accounts?
• What type of authentication is used?
• Who can access and see my data?
• Where is the data physically kept?
• What level of encryption is in place?
• How is the data backed up?
• What’s in place for physical security?
• Are private keys shared between others if data encryption is being used?

Keeping your company data safe

Over time, a company surely will accumulate data that seems irrelevant, but you shouldn’t be so quick to dispose of this data, especially if it is sensitive. This might include data such as customer or client information, employee information, product information or even old employee records.

The truth is, you just never know when you may or may not need this information, so it is best that you keep it. Digital data should be backed up in the cloud. If it’s paper, convert it to digital and store it offsite. Here are some things to remember when doing this:

• All data, even if old or irrelevant, should be backed up.
• Data retention policies should always include an “expiration date” for when this data is no longer useful to you.
• Companies that want to delete old data should understand that deleting files and emptying the recycle bin, or reformatting a drive may not enough to get files off of your computer. Hackers may still be able to access this data.

If you actually want to remove all of the data on a disk, literally break or smash it. To truly delete a file, you must physically destroy the hard drive.