The iovation Site

Robert Siciliano

ROBERT SICILIANO, CEO of www.IDTheftSecurity.com, is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds.

Feast of the 7 Phishes 2011

Friday, December 23rd, 2011

Every year at the Siciliano household, we have a holiday tradition based on the Italian Feast of the Seven Fishes, which is, as you probably guessed, a meal consisting entirely of fish. There’s lobster, mussels, clams, scallops, shrimp, smelt, and cod, all either fried or cooked in red sauce, spicy sauce, or white sauce. This year we’re dedicating our feast to “Miles for Miracles,” a fundraiser for Children’s Hospital Boston. I’ll be running the Boston Marathon this coming April in support of the cause.

Another of my holiday traditions is to expose the year’s phishing scams. The following examples come straight from my inbox or spam filter, and have been abbreviated to demonstrate the nature of the scam and specific hook being used.

1. This first phishing email appears to have been sent from LinkedIn, but the link that supposedly leads to the FDIC’s website is in fact a virus.

“From: LinkedIn linkedXXX@em.linkedin.com   (more…)


Marketers (and Criminals) Buzz About Mobile Tuesday

Thursday, December 22nd, 2011

Fresh off the most successful Cyber Monday, which turned into a Cyber Week or even a Cyber Month, spanning from mid-November into December, marketers and advertisers are now positioning themselves for a 2012 Mobile Tuesday.

Forbes reports, “Consumers are going mobile in large numbers, and the 2011 holiday season proved it. IBM Coremetrics recently reported that consumers increased shopping on smartphones and tablets on Black Friday. Purchases made on mobile devices accounted for 9.8% of online sales, which is up 3.2% from last year. GSI announced a 254% increase in US mobile sales on Black Friday. PayPal Mobile announced a 516% increase in global mobile payment volume over last year, and eBay Mobile reported US purchases were nearly two and a half times what they were last year.” (more…)


How Much Fraud On Record-Breaking Cyber Monday?

Wednesday, December 21st, 2011

The Washington Post reports that this holiday season, Cyber Monday expanded into an entire week of record-breaking online shopping. From Sunday, November 27 through Saturday, December 3, consumers spent nearly $6 billion over the Internet, a 15% increase over the same week in 2010. During the first 32 days of the November-December holiday season, online spending had already reached $18.7 billion, also a 15% increase from last year.

Which begs the question: when the dust settles, how much of this uptick in online sales will equate to online fraud? It is inevitable that some consumers will detect unauthorized charges on their credit and bank accounts, and many retailers will suffer high chargebacks.

Consumers should seek out and patronize businesses that implement a comprehensive, in-depth approach to protecting customers from identity theft and financial fraud. They should also check credit and banking statements carefully, scrutinize each and every charge, and call their bank or credit card company immediately to refute any unauthorized transactions.

Retailers should consider adding device identification technology to prevent more crime upfront before product ships and stolen credit cards are charged. This emerging technology examines the PC, smartphone, or tablet being used to conduct an online transaction in order to determine whether the device’s characteristics, behavior, and history indicate a high level of risk. The leading provider of device identification and device reputation services is iovation Inc. Take a look at iovation’s stats from Black Friday and Cyber Monday.

Fraud analysts from online retailers around the world interact with iovation’s database of device intelligence daily, and through sharing information and running real-time risk assessments, they block millions of online fraudulent attempts each year.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses Cyber Monday on Fox Boston.


4 Tips to Prevent Auction Holiday Fraud

Tuesday, December 20th, 2011

Auction fraud refers to fraudulent transactions that take place through auction and classifieds websites.  Either a product advertised may be misrepresented by the seller or the items sold are never delivered at all.

This holiday season, as you seek out hard-to-find gifts and look for the best prices, keep in mind that not everyone out there on the wild, wild web has good intentions.

Auction sites are ground zero for scammers. It’s very easy to set up a free auction page from anywhere in the world, collect people’s money, and run.

Here are four tips to keep you safe when shopping through auction websites.

  1. Use strong passwords: Use complex passwords that are hard to crack but easy to remember. Passwords should include upper and lowercase letters as well as numbers, and, if possible, other characters.
  2. Look out for phishing emails: Any email that appears to have been sent from an auction site should be considered suspect. Certainly there are legitimate communications being sent by eBay and similar sites, but none of them should require a direct email response. To confirm that a communication is legitimate, always go to the website directly via your favorites menu, log into your account normally, and check your “My Messages” folder, rather than clicking any links within the email.
  3. (more…)


6 More Holiday Shopping Tips

Saturday, November 26th, 2011

My goal is to not enter a single mall this holiday season. If I can do the majority of my holiday shopping at trusted online retailers, and the rest at Costco, then I’ve done well. To me, malls seem to be places for people with lots of time on their hands to drive around looking for parking spots and then stand in line with other people who apparently all enjoy being annoyed by each other’s pushiness. But maybe that’s just me.

Keep safe and sane this holiday season:

1. Look for indications of online security. Depending on your browser, there may be an icon of a yellow lock at the top of the window, near the address bar, or at the bottom, near the taskbar. If the website is secure, the yellow lock should be closed. Some browsers use a color coding system, displaying red to indicate that a website is not secure and may potentially be infected, or green to indicate that it’s okay.  (more…)


6 Tips for Cyber Monday

Thursday, November 24th, 2011

Bad guys know perfectly well that when the online bargains begin after Thanksgiving, specifically, on the Monday after Thanksgiving, you will be providing your credit card number to retailers all over the world.

1. Go big. Do your online business with major retailers, or those you already know, like, and trust. The chances of a major online retailer stiffing you, or of their database being compromised, are slimmer than those of an unknown.

2. Do your homework. If you search for a particular product and wind up at an unfamiliar website, do some research on the retailer before putting down your credit card number. Search for the company’s name and web address to see if there have been complaints. (more…)


The Evolution of Holiday Thievery

Tuesday, November 22nd, 2011

Black Friday, the day after Thanksgiving, kicks off the holiday shopping season. Retailers advertise Black Friday bargains in order to lure you through their doors.

As far back as I can remember, police have been warning of thieves who target cars in parking lots, smashing windows to steal shopping bags left in plain sight. Then, we’d be warned that as the Christmas lights went up, thieves would target the wrapped gifts underneath the tree. I thought, “It can’t get worse than this?”

Then Cyber Monday came along. It was born as a marketing opportunity that has taken on a life of its own over the past five or six years. Online retailers promote their Cyber Monday offers throughout the fall, creating hype that whips shoppers into a frenzy. It’s become as essential to the retail community as Black Friday. (more…)


Holiday Headaches Coming for Consumers

Monday, November 21st, 2011

Gearing up for the holidays, consumers are getting ready to pull a Wilma Flintstone and, “Charge it!” Many don’t realize that you cannot protect your credit card number. Every time you use a credit card, you increase the chances of that card number being used fraudulently.

1. When handing your card to a clerk or cashier, pay close attention. The card should be swiped through a point of sale terminal or keyboard card reader once, maybe twice. If your card is swiped through an additional reader, the card number may have been stolen.

2. Shop only at trusted sites. Phantom websites appear online all year round. They look legitimate, resembling well-known online retailers. But only do business with those you recognize. Established online merchants are best.

3. Unsolicited emails that request sensitive data such as credit card numbers or lead you to a too-good-to-be-true offer are most likely phishing emails. Don’t disclose your information, and don’t click unknown links.

4. Check your credit card statements daily, if possible. Once a week is sufficient. Refute any unauthorized withdrawals or transactions within the time limit stipulated by your bank. For most credit cards, it’s 60 days, and for debit cards the limit can be 30 days or less. (more…)


Lonely Hearts Target of Dating Scams

Saturday, November 19th, 2011

Online dating websites are aware that scammers use their platforms to defraud men and women looking for love. With the holidays around the corner, many unsuspecting people will be used and abused by scammers, who will break their hearts, their bank accounts, or both.

Many of the stories of heartbreak and fraud look like this:

“After chatting via email, they arranged to meet, but their plans ‘collapsed’ when he told her that he had been held by tax authorities over an issue while he was attempting to fly out on business.

The so-called ‘Mr. Fields’ then asked the nurse for financial help, using emails from his fake solicitor to convince the nurse that this was merely an oversight and that his client would pay her back.”

No matter who someone is, what they say, or how they look, don’t automatically trust them.

Discussion of money or loans in any capacity is a red flag.

Don’t let your heart get in the way of basic common sense.

Sometimes loneliness trumps our ability to see the truth. Keep your head up and be attentive to people’s intentions. In the context of the “Color Code of Mental Awareness” this would mean operating in the yellow zone (not in the white zone) while interacting with others on dating and social networking sites. (more…)


Feds Catch Carder

Wednesday, November 16th, 2011

“Carders” are the people who test and sell credit card details (most likely phished) to other individuals who carry out the actual credit card fraud. Carders are the most visible of criminals who distribute and sell stolen data to whoever is willing to take it and burn it onto a white card or make purchases over the internet. “Dumps” is a term for the batches of stolen credit card data they buy and sell.

Computerworld reports:

“Tony Perez III, of Hammond, Indiana, pleaded guilty to the charges on April 4. In his plea, Perez said he sold counterfeit credit cards encoded with stolen account information. Perez found customers through criminal ‘carding forums,’ Internet discussion groups set up to aid in the buying and selling of stolen financial account information and related services.”

“During a June 2010 search of Perez’s residence, Secret Service agents found 20,987 stolen credit card accounts on his computers, in his email messages, in an online account and on counterfeit credit cards he was in the process of manufacturing, according to court documents. Credit card companies have reported more than US$3.1 million in fraudulent charges associated with those accounts, court documents said.”

Carding is a full time profession for thousands of hackers worldwide. Retailers’, banks’, credit card processors’, and many other corporations’ databases often contain millions of credit card numbers, and are targeted in “advanced persistent threats.” Any entity that accepts credit cards online or in the physical world is a ripe target for fraud. (more…)


Identity Theft Ring Targeted Banks

Sunday, November 13th, 2011

In what is considered “the largest identity theft takedown in U.S. history,” 111 individuals were indicted for “stealing the personal credit information of thousands of unwitting American and European consumers and costing individuals, financial institutions and retail businesses more than $13 million in losses over a 16-month period.”

The five different identity theft and forgery rings involved in these crimes targeted banks using a variety of techniques. From inside jobs to robberies and credit card fraud, this criminal network, based in Queens, New York but with ties to Europe, Asia, Africa, and the Middle East, was organized and profitable.

The criminals’ primary focus was on credit cards. Many of the defendants are accused of using stolen credit card numbers to purchase “tens of thousands of dollars worth of high-end electronics and expensive handbags and jewelry,” not to mention staying at five-star hotels. Even after the culprits are caught and prosecuted, their victims are still faced with the difficult task of having to repair their credit ratings and financial reputations. In some cases, that process can take years.” (more…)


Almost 80% of Retailers Data At High Risk

Thursday, November 10th, 2011

The PCI Security Standards Council is an open global forum, launched in 2006, that is responsible for the development, management, education, and awareness of the PCI Security Standards, including the Data Security Standard (PCI DSS), Payment Application Data Security Standard (PA-DSS), and PIN Transaction Security (PTS) requirements.

Now, after five years of pushing standards out to merchants and retailers, a Verizon study has found that 79% of retailers are noncompliant. That means your credit card data is at risk in 8 out of 10 transactions.

InformationWeek reports numerous reasons why credit and debit card data is at risk. The first is that the burden posed by PCI causes businesses to view PCI as a nuisance, rather than a standard. Instead of working towards better security, they shun it. (more…)


Bought a Car Recently? Watch Your Identity Information

Friday, October 28th, 2011

Over the past 15 years, we have watched hackers’ evolution from “phreaking” phone systems, to hacking government agencies like NASA, and eventually creating viruses that take down networks. In the beginning, their primary motivations were fun, fame, and amusement. Over the past ten years, the game changed dramatically, from fun and fame to financial gain. Hackers targeted government agencies, then colleges, banks, retailers, credit card processors, hotels, and eventually, major multinational corporations.

Who are they hacking now? Well, everyone. And as journalist Brian Krebs has pointed out on his blog, Krebs On Security, they are targeting auto dealerships in a big way. Why? Because auto dealerships’ records include lots of Social Security numbers, which identity thieves can use to apply for credit cards in their victims’ names. (more…)


Javelin Study Shows Increased Credit Card Fraud Risk

Tuesday, October 25th, 2011

Consumers, businesses, retailers, and even the media are becoming numb to news about data breaches. Not a week goes by when we don’t hear of another major breach affecting thousands or even millions of customer accounts.

Criminal hackers are getting smarter and savvier all the time, and they often have better technology than the banks and retailers tasked with protecting your data.

Time reported on a recent Javelin Strategy and Research survey in which Javelin analyzed 23 of the biggest credit card issuers’ online security practices. When companies were graded on a 100-point scale, the average result was just 59. Javelin head of security and risk analyst Phil Blank, who authored the study, explained, “The good news is issuers are doing a better job overall of resolution, but that’s the easiest thing to do. Prevention is the hardest to do but it’s got the biggest payback.” (more…)


Regulation E Protects Consumers, Not Businesses

Thursday, October 6th, 2011

Consumers enjoy a certain level of protection that business bank accounts do not, and it’s called “Regulation E.”

Here is Regulation E in black and white:

ELECTRONIC FUND TRANSFERS (REGULATION E)

Limitations on amount of liability. A consumer’s liability for an unauthorized electronic fund transfer or a series of related unauthorized transfers shall be determined as follows:

1. Timely notice given. If the consumer notifies the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $50 or the amount of unauthorized transfers that occur before notice to the financial institution.

2. Timely notice not given. If the consumer fails to notify the financial institution within two business days after learning of the loss or theft of the access device, the consumer’s liability shall not exceed the lesser of $500 or the sum of:

(i) $50 or the amount of unauthorized transfers that occur within the two business days, whichever is less.” (more…)