MyCRA Specialist Credit Repair Lawyers

Tag: hackers

  • Bloggers and small business sites a target for cyber-criminals

    Press Release MyCRA


    23 May 2013

    There’s a gaping hole in cyber-security, and once again, the ‘little guy’ is at risk.

    Experts warn Australians using WordPress or similar sites about the risks of being hacked by cyber criminals unless they bump up their safety measures.

    “Small businesses and bloggers often don’t have the money to invest in online safety – and also believe their small site or blog is ineffectual, when in fact its resources make it a prime target for hackers,” online expert Daniel Smith says.

    These warnings come as part of Cyber-security Awareness Week 2013, and follow the world’s biggest ever WordPress and Joomla attack last month.

    Mr Smith says the event demonstrates how easily small sites can be infiltrated and used to make a big impact as part of a systematic attack.

    WordPress currently powers over 60 million websites and is read by over a quarter of a billion users every month. WordPress and Joomla were recently attacked by a botnet of tens of thousands of individual computers. The botnet targeted users with the login “admin”, trying thousands of possible passwords.[i]

    Mr Smith says accessing sites can be easy if pass-phrase security is lax, particularly when the user ‘admin’ is used.

    “I liken it to a locksmith with a whole set of generic keys – he can turn the keys in many doors until he finds one that fits. Hackers have common password ‘keys’, and they roll trials of these words until one unlocks the computer, and enables them to use the resources that power the site which are far more than could be gained by a singular desktop computer,” he explains.

    He says the ramifications for individuals and businesses who become part of a botnet are loss of data, loss of secure personal information and breakdown of the site.

    “I know victims who have had to close their business down because they have lost so much information without having any backups,” he says.

    But he warns that hackers don’t always delete the information; they may leave it intact and plant back-door files so that they can go undetected, making use of these resources again and again.

    “Hackers can on-sell information to fraudsters, cyber-terrorists or spammers, and can also on-sell the entire botnet to be used in a distributed denial of service (DDoS) event,” he cautions.

    A national credit expert warns fraudsters can use the information to commit identity theft – the fastest growing crime in Australia.[ii]

    CEO of MyCRA Credit Rating Repair, Graham Doessel says information like dates of birth, account numbers, full names and other personal information can be used to steal your identity and take credit out in your name.

    “Fraudsters have been known to go so far as to take out personal loans, credit cards and even finance homes in their victim’s name,” Mr Doessel says.

    “Unfortunately fraudsters are never so kind as to pay this credit back – which leads to defaults on your credit rating. Most victims are unaware of this until they apply for credit in their own right and are flat out refused.”

    Defaults remain on the credit file of individuals for between 5 and 7 years.

    “In the past it has not been easy for identity theft victims to prove they didn’t initiate the credit, particularly if they have no idea how they were duped in the first place. Often not much of a trail is left and prosecutions don’t come easily,” he says.

    Both Smith and Doessel say prevention is key, and recommend you make some simple but important changes to the way you log in to your WordPress or other sites:

    1. Use secure pass phrases. Come up with a unique scheme that is a minimum of 8 characters long – for example every 3rd vowel could be a number or symbol and you should always add some uppercase letters, numbers and any character that requires the shift key to type. Use multiple words in a pass phrase. You could use two unrelated words which are memorable to you.

    2. Use a different pass phrase and user for each account.

    3. Use a unique user name – not the default setting. Never use ‘admin’ as a user name.

    4. Minimise login attempts. Restrict the number of attempts to access the site before the user is ‘locked out’.

    5. Include a 2-step verification plug-in. You can download a plug-in which requires 2-step authentication, similar to bank requirements, when logging in to the site. This is harder for hackers to infiltrate, but Mr Smith says many don’t use 2-step verification because it seems inconvenient.

    “We may need to get a little inconvenienced to prevent what could be a personal or business disaster, or in worst case scenario, a future global disaster,” he says.

    MyCRA is a partner for Cyber Security Awareness Week 2013 – an Australian Government initiative through Stay Smart Online, to help Australians using the internet – whether at home, the workplace or school – understand the simple steps they can take to protect their personal and financial information online.[iii]

    To stay one step ahead of fraudsters, you can subscribe to Stay Smart Online Alerts at no charge – which lets you know about cyber issues as soon as they unfold http://www.staysmartonline.gov.au/alert_service.

    /ENDS.

    Please Contact:

    Graham Doessel – Founder and CEO MyCRA Ph 3124 7133

    Lisa Brewster – Media Relations MyCRA & for comment from Daniel Smith, Web analyst: media@mycra.com.au

    http://www.mycra.com.au/ www.mycra.com.au/blog

    246 Stafford Rd, STAFFORD Qld

    MyCRA Credit Rating Repairs is Australia’s number one in credit rating repairs. We permanently remove defaults from credit files.

    Image: Stuart Miles/ www.FreeDigitalPhotos.net

  • Lax cyber-security makes us all vulnerable: Cyber Security Awareness Week 2013

    If your password is one of the 1,000 most common passwords, it could be hacked in literally seconds…

    Are you one of the millions of Australians who have a pretty basic password? We show you how important strong passwords and other security measures are to keep you, your credit file, your business and perhaps your country safe from cyber-attack. This week is Cyber Security Awareness Week 2013, hosted by Stay Smart Online. This is an Australian Government initiative, held annually in partnership with industry, community and consumer groups and state and territory governments. As part of this week we have been fortunate to speak with online expert Daniel Smith about cyber-security. He gives us a unique insight into the importance of cyber-security awareness for every ordinary Australian.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and www.fixmybadcredit.com.au.

    You may have heard last month about the biggest ever global brute-force attack. You may have heard about it, but like many it may have gone straight over your head. But the ramifications of an attack like this are pretty important.

    The attack was on WordPress sites, which currently powers over 60 million websites and is read by over a quarter of a billion users every month. WordPress was attacked by a botnet of tens of thousands of individual computers. The botnet targeted WordPress users with the username “admin”, trying thousands of possible passwords.
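The attack pattern described above (one username, thousands of guesses, spread across tens of thousands of machines) is easy to miss if you only count failures per source address, because each bot may try only a handful of passwords. Counting failures per targeted username instead surfaces it. The Python below is an added example, not code from MyCRA, Daniel Smith or the WordPress project; it assumes a hypothetical login-audit log format (one line per attempt with the outcome, username and source address, as a login-logging plugin or reverse proxy might emit) and runs over constructed sample lines that imitate the ‘admin’ botnet pattern alongside an ordinary single-source attack.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample log lines (hypothetical format: one line per login
# attempt). The 'admin' lines imitate the botnet pattern in the text: many
# addresses, one username, seconds apart. 'bob' is hit from a single address.
# Addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2013-04-12T10:00:01Z login_failed user=admin ip=203.0.113.5
2013-04-12T10:00:02Z login_failed user=admin ip=198.51.100.7
2013-04-12T10:00:03Z login_failed user=admin ip=192.0.2.44
2013-04-12T10:00:04Z login_failed user=admin ip=203.0.113.9
2013-04-12T10:00:05Z login_failed user=admin ip=198.51.100.80
2013-04-12T10:00:06Z login_failed user=admin ip=192.0.2.101
2013-04-12T10:00:30Z login_failed user=bob ip=203.0.113.50
2013-04-12T10:00:41Z login_failed user=bob ip=203.0.113.50
2013-04-12T10:00:52Z login_failed user=bob ip=203.0.113.50
2013-04-12T10:01:03Z login_failed user=bob ip=203.0.113.50
2013-04-12T10:01:14Z login_failed user=bob ip=203.0.113.50
2013-04-12T10:01:25Z login_failed user=bob ip=203.0.113.50
2013-04-12T10:02:00Z login_failed user=editor_jane ip=203.0.113.200
2013-04-12T10:02:15Z login_ok user=editor_jane ip=203.0.113.200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>login_failed|login_ok) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "event": m["event"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, window_seconds=300, max_failures=5, distributed_min_ips=3):
    """Map username -> alert for every user whose failed logins reach
    max_failures inside some sliding window of window_seconds.

    kind is 'distributed' when the failures in that window come from at least
    distributed_min_ips distinct addresses (the botnet pattern that a per-IP
    block alone would miss) and 'single_source' otherwise.
    """
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["event"] == "login_failed":
            failures[ev["user"]].append((ev["ts"], ev["ip"]))

    alerts = {}
    window = timedelta(seconds=window_seconds)
    for user, events in failures.items():
        events.sort()
        recent = deque()  # failures inside the current window, oldest first
        for ts, ip in events:
            recent.append((ts, ip))
            while ts - recent[0][0] > window:
                recent.popleft()
            if len(recent) < max_failures:
                continue
            ips = {addr for _, addr in recent}
            kind = "distributed" if len(ips) >= distributed_min_ips else "single_source"
            # Keep the largest window seen for this user.
            if user not in alerts or len(recent) >= alerts[user]["failures"]:
                alerts[user] = {
                    "kind": kind,
                    "failures": len(recent),
                    "source_ips": sorted(ips),
                    "first": recent[0][0].isoformat(),
                    "last": ts.isoformat(),
                }
    return alerts


if __name__ == "__main__":
    for user, alert in detect_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(f"{user}: {alert['kind']} brute force, {alert['failures']} failures "
              f"from {len(alert['source_ips'])} address(es) "
              f"between {alert['first']} and {alert['last']}")
```

On the sample lines the ‘admin’ account is flagged as a distributed attack from six addresses and ‘bob’ as a single-source one, while a user with a single typo followed by a successful login is not flagged. The thresholds are starting points: a busy multi-author site will want a higher `max_failures`, and the distributed case is the one worth paging on, because a per-address lockout will not stop it.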

    But online expert Daniel Smith warns this attack is definitely only a small taste of things to come.

    “Last month’s attack was orchestrated on a large scale, but this happens continuously on an individual basis on sites like WordPress, Joomla, Drupal or similar,” Daniel says.

    “I liken it to a locksmith with a whole set of generic keys – he can turn the keys in many doors until he finds one that fits. Hackers have common password ‘keys’, and they roll trials of these passwords until one unlocks the computer, and enables them to use the resources powered by the site which are far more than could be gained by a singular desktop computer,” he says.

    The ramifications for individuals and businesses who become part of a botnet are loss of data, loss of secure personal information and breakdown of the site.

    “I know victims who have had to close their business down because they have lost so much information,” he says.

    But he warns that hackers don’t always delete the information on these sites; they may leave it intact and plant back-door files so that they can go undetected, making use of these resources again and again.

    “Hackers can on-sell information to cyber-terrorists or spammers, and can also on-sell the entire botnet to be used in a brute-force attack that is capable of crashing a country’s economy,” he cautions.

    He says individuals with a WordPress or similar blog, and small companies could be at risk.

    “They don’t have the money to spend on security protection that a larger business would – and they are the ones that think their small site or blog is ineffectual, when in fact its resources make it a prime target for hackers,” he says.

    So just how easy is it to find these passwords?

    “I did a quick 5 minute search on the internet yesterday, and found a list of 6 million usernames and passwords that are out there. If I went searching for more in depth, there would be more there,” he says.

    Daniel says what’s gone wrong is that the way we’ve been taught to create usernames and passwords is in fact broken. He says we need to make these changes to the way we run sites like WordPress:

    1. Use secure pass phrases. Come up with a unique scheme that is a minimum of 8 characters long – for example every 3rd vowel could be a number or symbol and you should always add some uppercase letters, numbers and any character that requires the shift key to type. Use multiple words in a pass phrase. You could use two unrelated words which are memorable to you.

    2. Use a different password for each account.

    3. Use a unique username – not the default setting. Never use ‘admin’ as a username.

    4. Minimise password login attempts. Restrict the number of attempts allowed to access the site, before the user is ‘locked out’, which prevents multiple attempts to crack the password.

    5. Include a 2-step verification plug-in. You can download a plug-in which requires 2-step authentication, similar to bank requirements, when logging in to the site. This is harder for hackers to infiltrate, but Mr Smith says many don’t use 2-step verification because it seems inconvenient.
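Steps 1, 3 and 4 of this list (and the identical list in the press release above) are the ones a site owner can enforce in code rather than rely on habit. The Python below is an added example and not part of the original post, nor a WordPress plugin: it is a small login handler that refuses the default ‘admin’ username, checks a new passphrase against the 8-character, mixed-character rule from step 1, stores passphrases salted and stretched rather than in the clear, and locks an account after repeated failures as step 4 recommends. The reserved names other than ‘admin’, the PBKDF2 cost and the 5-attempt, 15-minute lockout defaults are assumptions of mine.

```python
import hashlib
import hmac
import os
import re
import time
from collections import defaultdict

# "Never use 'admin'" is the page's rule; the other two names are my assumption.
RESERVED_USERNAMES = {"admin", "administrator", "root"}
MIN_LENGTH = 8               # the 8-character minimum from step 1
PBKDF2_ITERATIONS = 100_000  # assumed cost parameter; raise it on real hardware
DUMMY_SALT = b"\x00" * 16    # hashed for unknown users so they take as long as real ones


def passphrase_problems(passphrase):
    """Return the ways a passphrase falls short of step 1 (empty list = acceptable)."""
    problems = []
    if len(passphrase) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", passphrase):
        problems.append("no uppercase letter")
    if not re.search(r"[0-9]", passphrase):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", passphrase):
        problems.append("no symbol")
    return problems


def username_problems(username):
    """Step 3: refuse the default account name (case-insensitively)."""
    if username.lower() in RESERVED_USERNAMES:
        return [f"'{username}' is a default or reserved username"]
    return []


def hash_passphrase(passphrase, salt):
    """Salted, iterated hash so a stolen table cannot simply be read off."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class LoginGuard:
    """In-memory account store with the lockout from step 4.

    The clock is injectable so the lockout can be tested without sleeping.
    """

    def __init__(self, max_attempts=5, lockout_seconds=900, clock=time.time):
        self.max_attempts = max_attempts
        self.lockout_seconds = lockout_seconds
        self.clock = clock
        self.users = {}                    # username -> (salt, derived key)
        self.failures = defaultdict(list)  # username -> timestamps of recent failures
        self.locked_until = {}             # username -> unix time the lockout expires

    def register(self, username, passphrase):
        problems = username_problems(username) + passphrase_problems(passphrase)
        if problems:
            raise ValueError("; ".join(problems))
        salt = os.urandom(16)
        self.users[username] = (salt, hash_passphrase(passphrase, salt))

    def login(self, username, passphrase):
        """Return 'ok', 'denied' or 'locked'. Failures against unknown names count
        too, so guessing at a non-existent 'admin' is throttled like a real account."""
        now = self.clock()
        if self.locked_until.get(username, 0) > now:
            return "locked"
        salt, expected = self.users.get(username, (DUMMY_SALT, None))
        derived = hash_passphrase(passphrase, salt)
        if expected is not None and hmac.compare_digest(derived, expected):
            self.failures.pop(username, None)
            return "ok"
        recent = [t for t in self.failures[username] if now - t < self.lockout_seconds]
        recent.append(now)
        self.failures[username] = recent
        if len(recent) >= self.max_attempts:
            self.locked_until[username] = now + self.lockout_seconds
            self.failures.pop(username, None)
            return "locked"
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard(max_attempts=3, lockout_seconds=60)
    print(passphrase_problems("password"))     # the kind of passphrase the text warns about
    guard.register("editor_jane", "Corr3ct-Horse!")
    for attempt in ("guess1", "guess2", "guess3", "Corr3ct-Horse!"):
        print(attempt, "->", guard.login("editor_jane", attempt))
```

Two details are deliberate. Unknown usernames are hashed against a dummy salt and counted toward the lockout, so the response time and the throttle do not reveal whether ‘admin’ exists. And the lockout is per account, not per address, which is what matters against the botnet described above; a per-address limit on top of it is still worth having for the single-machine case.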

     

    “We may need to get a little inconvenienced to prevent what could be a business disaster, or in worst case scenario, a future global disaster,” he says.

    So where do we as credit repairers come in to cyber-security?

    Stealing passwords or personal information through these channels can lead to identity theft and potentially fraud. Hackers can on-sell your personal information to fraudsters who have identity theft as part of their repertoire.

    Information like dates of birth, account numbers, full names etc. can be warehoused and used to steal your identity and take credit out in your name. Fraudsters have been known to go so far as to take out personal loans, credit cards and even mortgage homes in their victim’s name.

    Unfortunately fraudsters are never so kind as to pay this credit back – which leads to defaults on your credit rating. Most victims are unaware of this until they apply for credit in their own right and are flat out refused.

    For between 5 and 7 years you can be locked out of credit while your credit rating shows up someone else’s defaults.

    Unfortunately in the past it has not been easy for identity theft victims to prove they did not initiate the credit, particularly if they have no idea how they were duped in the first place. Often this sophisticated type of fraud is instigated by overseas crime syndicates who don’t leave much of a trail, or even if they do, can’t be prosecuted easily.

    Prevention really is key to protecting your credit file from this fraud – so spend some time and make sure the passwords on your site, or others that you use, are as secure as possible.

    To stay one step ahead of fraudsters, you can subscribe to Stay Smart Online Alerts – which let you know about security issues as soon as they unfold.

    Image 1: digitalart/ www.FreeDigitalPhotos.net

    Image 2: courtesy Stay Smart Online.

     

  • Cybercrime goes all the way to RBA but do our laws protect us?


    It seems no Australian business is immune to cyber-attack, including the Reserve Bank of Australia which it was recently revealed has been hacked. A prominent cyber security specialist says cover ups happen all the time and that we must push for mandatory data breach notification laws to protect against the threat of identity theft and subsequent credit fraud. We look at the reality of these cyber-attacks, and the position SMEs find themselves in moving forward in issues of privacy.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repair and www.fixmybadcredit.com.au.

    How real is the threat of a major cyber-attack leading to mass money loss and credit fraud, or even cyber terrorism on our shores? As a recent story in the Australian Financial Review titled “Attacks ‘highlight need for data breach notification law’” reveals, pretty real, and it seems our lack of mandatory data breach notification laws is not only down-playing the threats Australians face, but could be helping these criminals.

    “Not a day goes by when someone is not attempting to hack into any of the banks around Australia.”

    This was a statement made by the outgoing technology chief of the National Australia Bank, Gavin Slater at a recent talk to investors.

    He also revealed that just a few weeks ago:

    “11 United States banks were targeted by terrorist organisations in response to something that happened in the Middle East.”

    So if our banks are constant targets, why aren’t we informed?

    It was recently uncovered that the Reserve Bank of Australia’s systems had been compromised by China-based hackers. In response, technology security experts, including the former head of investigations at the Federal Police’s Australian High Tech Crime Centre, Nigel Phair called for the passing of long planned mandatory data breach notification laws.

    Mr Phair, who is now Director of the Centre for Internet Safety at the University of Canberra says the breach highlights the need for these laws to be passed.

    “The RBA story was hugely important, because the attack happened some time ago, and we only found out about it because of a freedom of information request,” Mr Phair said.

    “We desperately need data breach legislation; we are quite behind in global terms on that, to force businesses to disclose when sensitive data is breached. I don’t know what is holding it up, and I would like to think it is achievable. It will help other government agencies and businesses, to be aware that it is not just them being targeted, that the threats are pretty wide ranging,” he told the Fin Review.

    Mr Phair said many businesses wanted to avoid bad publicity and that it was understandable they would try to keep news of the loss of any intellectual property and customer details quiet. He said for listed companies, the fear that investors would be spooked was a big factor. But he said the current code of silence was only making it easier for cyber criminals.

    The Fin Review revealed these statistics on data breaches:

    KPMG estimates that 75 per cent of the 1000 largest Australian companies have had a material data breach, reported to cost Australian companies an estimated $2.16 million per company per year, according to a 2011 study by the Ponemon Institute. The Australian Bankers Association has defended the strength of IT security processes in Australia’s banking system.

    ABA chief executive Steven Münchenberg recently told The Australian Financial Review that there were no reports of similar attacks on other local banks, and that effective processes were already in place to co-ordinate fraud investigations with federal and state police.

    “The Australian Bankers Association is not aware of any successful hacking attempts on Australian banks,” Mr Münchenberg said. “Banks have systems in place to protect customer information and accounts – such as employee training, employee accountability, strict privacy policies, rigorous security standards, encryption and fraud detection software.”

    “The nature of these discussions needs to remain confidential as any details may be misused by criminals,” Mr Münchenberg said.

    But Mr Phair elaborates in the Fin Review how easily cyber-attacks play out in business situations:

    Mr Phair warned that a significant number of Australian businesses and government agencies were ill-prepared for the kind of social engineering attacks which penetrated the RBA. In the attack it just required internal staff to be tricked into clicking on a fake email purporting to be from management.

    “Lots of organisations like the RBA have great perimeter and other security mechanisms in place, but this was basically just a phishing, social engineering attack. If I was a decent cyber criminal, that is what I would be doing,” he said.

    “People are the most susceptible and the weakest link, so you target them with what looks like a bona fide email, with an executable file in an attachment, and that is how you gain a weakness.”

     Mr Phair said the RBA’s subsequent claims that the attacks had been contained and that no sensitive information had been stolen were largely a public relations move to calm fears in the market.

    He said it was not really possible to tell exactly what people do once they have had access to networks.

     He also believed the problem was much wider spread than is ever reported, because a large number of hacking victims remain ignorant of the fact.

    “The RBA was right to come out with its public response.

    “The average person out there reading your pages would like to know that the RBA is protected,” Mr Phair said.

    Last October, the federal government was considering requiring companies to notify customers and the public of serious data breaches. However, the Fin Review reports it is over four years since a similar recommendation was made by the Australian Law Reform Commission.

    The then attorney-general, Nicola Roxon, published a discussion paper on potential implementation of plans, which could require companies and public-sector agencies to notify the Office of the Australian Privacy ­Commissioner when names, addresses and financial data are leaked or obtained by someone else.

    A spokeswoman for Attorney-General Mark Dreyfus said there were voluntary guidelines on how Australian companies and organisations should report a security breach, but increasing risks meant tougher laws could be on the way.

    “The Attorney-General is considering proposals that would require companies to report to consumers and the Commonwealth Privacy Commissioner when a data breach occurs, to improve privacy, bolster the security culture within organisations and bring Australia into line with international jurisdictions.”

    SMEs and data breach notification.

    Data breach notification is a complicated issue. Yes, by sharing how threats have occurred we could be inviting copy-cat attacks. But Australians need to be made aware of what could threaten them.

    There has been much criticism after past data breaches, such as the well-publicised Sony data breach, that companies which “held out” on their customers following a breach, waiting days or up to a week or so to notify them, were putting consumers’ personal information at risk.

    And rightly so. During this time of ‘silence’ it can be argued that hackers have free access to this personal information without the consumer being able to do anything to minimise their own risk, such as cancelling accounts, changing passwords and flagging their credit accounts and credit file.

    For small to medium businesses, we need to make plans and take precautions to prevent future attacks and protect our consumers – and without the requirement out there to disclose data breaches, SMEs are missing a big opportunity to be guided by the example of big business in how to handle (or not to handle) cyber-attack.

    That wider issue is what Australian SMEs face today – we are in the firing line for cyber-attacks simply by having a website, and staff with email addresses – but we rarely have the same security capabilities, the same profit margin and in many cases the same ‘publicity’ power that large entities would have. I can’t help imagining that as data breach laws begin to be enhanced, SMEs could become the section of business most concerned with privacy issues, and the application of privacy law and indeed lawsuits against SMEs could be just as big a threat as the data breaches themselves.

    That is another reason why big business needs to set the example. Until the law requires them to do so, it would be ideal for them to voluntarily disclose data breaches as they occur, with a view to educating the whole community on the nature of cyber-attack, and showing examples of the correct process for both preventing occurrences and dealing with them when they happen.

    Currently, the best place to go for up to date information on cyber-security and your rights and obligations is the Office of the Australian Information Commissioner (OAIC). The OAIC’s article A Guide To Handling Personal Information Security Breaches is really essential reading for SMEs and includes information on obligations under the Privacy Act 1988, and advice on both handling a data breach, and preventing future data breaches in your company.

    As consumers.

    If you suspect your credit accounts may have been affected by identity theft – either through a cyber-attack or any form of credit fraud, you should do three things:

    1. Contact Police to report it.

    2. Notify your banks and Creditors.

    3. Notify the credit reporting agencies which hold your credit file.

    Act quickly. The faster you are able to take these actions, the better you will be able to protect your credit file from impairment. Catching identity theft early could prevent defaults and other credit listings.

    This is why mandatory data breach notification is so important from the perspective of the consumer. Recovering your clean credit file following identity theft which has led to credit fraud can be difficult for individuals to do, as you have to prove you didn’t initiate the credit in your name.

    For further help or advice contact a MyCRA Credit Repair Advisor on 1300 667 218.

    Image 1: renjith krishnan/ www.FreeDigitalPhotos.net

    Image 2: AscensionDigital/ www.FreeDigitalPhotos.net


  • Mandatory data breach notification finally on the table in Australia

    Should organisations be required by law to make data breach notifications when they occur? The Australian government has finally put this topic to the Australian public following the release of their discussion paper. This is long overdue so that customers who have their personal information unsecured in some way through a company data breach are notified and are able to take swift steps to secure their own records and personal information from identity crime. We look at why these laws are so important and how a data breach can impact a person’s credit file.

    By Graham Doessel, Founder and CEO of MyCRA Credit Rating Repairs and www.fixmybadcredit.com.au.

    Yesterday the Australian Government released a statement to the media seeking views on the introduction of mandatory data breach notification laws, which aims to bolster privacy protections for Australians’ personal information in digital databases.

    Attorney-General Nicola Roxon said that it was timely for a public discussion on how legislation might deal with data breaches, such as when private records are obtained by hackers.

    “Australians who transact online rightfully expect their personal information will be protected,” Ms Roxon said.

    “More personal information about Australians than ever before is held online, and several high profile data breaches have shown that this information can be susceptible to hackers.

    Those high profile data breaches include the Sony data breach in 2011, First State Super scandal in the same year; this year the Zappos data breach and the Telstra data breach to name but a few instances where the personal information of Australians was exposed to hackers. What these incidents did is highlight the gaping hole in Australia’s privacy legislation which needed to be filled to protect consumers.

    Whilst organisations are encouraged to disclose data breaches to the Commonwealth Privacy Commissioner, it has not been mandatory to do so. There has been much criticism over companies “holding out” on their customers following a data breach, and waiting days or up to a week or so to notify customers that their personal information may be at risk.

    During this time, it has been argued that hackers have had free access to this personal information without the customer doing anything to minimise their own risk, such as cancelling accounts, changing passwords and flagging their credit accounts and credit file.

    The Australian Privacy Commissioner, Mr Timothy Pilgrim has had little recourse within legislation to deal with lack of notification following a data breach.

    In his statement to the media, Mr Pilgrim said in 2011–12, the Office of the Australian Information Commissioner (OAIC) received 46 data breach notifications, an 18% decrease from the number of DBNs received in 2010–11.

    ‘This decrease in notifications is difficult to explain but I have seen reports that suggest we are only being notified of a small percentage of data breaches that are occurring. It is very concerning that many of these incidents may be going unreported and customers are unaware that their personal information may be compromised,’ Mr Pilgrim said.

    He has officially supported the release of the discussion paper.

    ‘…Privacy breach notification is an important issue that needs community debate, and I’m sure there will be a wide range of views expressed on whether this notification should be mandatory.’ Mr Pilgrim said.

    ‘Currently there is no legal requirement in Australia for organisations to notify individuals when a privacy breach occurs. However, I believe that where personal information has been compromised, notification can be essential in helping individuals to regain control of that information. For example, an individual can take steps to regain control of their identity and personal information by changing passwords or account numbers if they know that a data breach has occurred,’ Mr Pilgrim said.

    We agree this is an area which is overdue for going under the legislative spotlight. We can’t take lightly the possibility that any company that keeps data on its customers could be exposed to data breaches. Identity theft is becoming more prevalent, and personal information is lucrative for fraudsters.

    Unfortunately it seems everywhere people turn some company has been hacked – and it seems every entity with a computer is vulnerable. It is still extremely scary the level of risk peoples’ personal information undergoes these days when it is stored online.

    Personal information in the wrong hands can lead not only to identity fraud, but the misuse of the victim’s credit file, which can have significant long term consequences.

    A lot of identity fraud is committed by piecing together enough personal information from different sources in order for criminals to take out credit in the victim’s name. Often victims don’t know about it right away – and that’s where their credit file can be compromised.

    Once the victim’s credit rating is damaged due to defaults from this ‘stolen’ credit, they are facing some difficult times repairing their credit rating in order to get their life back on track.

    These victims often can’t even get a mobile phone in their name. It need not be large-scale fraud to be a massive blow to their financial future – defaults for as little as $100 will stop someone from getting a home loan.

    Once an unpaid account goes to default stage, the account may be listed by the creditor as a default on a person’s credit file. Under current legislation, defaults remain on the credit file for a 5 year period.

    What is not widely known is how difficult removing credit listings which shouldn’t be there can be – even if the individual has been the victim of identity theft. There is no guarantee that the identity theft victim will have the defaults removed from their credit file. The onus is on them to prove their case and provide copious amounts of documentary evidence.

    This is where victims who need to recover their credit rating can often benefit from third party assistance, such as a credit repair company, to assist with proving the victim did not initiate the credit, help with a case for removal and negotiate on the victim’s behalf.

    But the best method is prevention – and this can be difficult for victims to have any control over. They leave their personal information with a company, and must trust that their systems are working and that their information is safe.

The only ways people can ensure their details are safe, or are dealt with safely, are to:

a) Demand that the companies they deal with are protective of their customers’ personal information. They should demand companies have strong IT systems;

b) Adopt a need-to-know basis for disclosing their personal information. They should always question the need for their details to be handed over. If it is not essential, they shouldn’t do it; and

c) Demand our country adopt mandatory data breach notification laws so we can, as Mr Pilgrim describes, have our organisations “embed a culture that values and respects privacy.”

    Image: phanlop88/ www.FreeDigitalPhotos.net

  • Personal information…the gateway to identity theft

    Hackers access databases searching for personal information that can be extracted and misused or traded to fraudsters for purposes of identity theft. We look at how your identity and ultimately your clean credit file can be put at risk. By GRAHAM DOESSEL.

    It’s Saturday night in Las Vegas. Thousands of pairs of shoes sit neatly in boxes on warehouse shelves in the dark. The store’s customers and staff are at home enjoying their evening. In the credit information office, the lights are off, the filing has been done. But in the dark, thousands of the store’s computers are being remotely accessed by hackers.

The shoe store’s customers’ personal information is likely being copied out, and is likely to be sold on the black market to fraudsters. It could then be used to attack those unsuspecting customers further: they become targets for identity theft and for phishing emails designed to extract more information from them, including credit card numbers.

This may have been how events unfolded for shoe retailer Zappos.com at the weekend. The Sydney Morning Herald reported this morning that on Sunday the Amazon.com-owned shoe retailer Zappos.com announced it had been hacked. Hackers gained access to the customer database, and the personal information of up to 24 million customers may have been accessed. The company said customers’ full credit card numbers were not stolen, but names, phone numbers, email addresses, billing and shipping addresses, the last four digits of credit card numbers and more may have been accessed in the attack.

    Here is an excerpt from that story, titled ‘Zappo’s customers details walk out the door’:

    It is not yet known how hackers gained access to the database or if a zero day exploit was used, but a security expert said it is likely customer data will now be sold in the cyber underground.

    Robert Siciliano, a McAfee consultant and identity theft expert, told Mashable he expects whoever hacked Zappos’s site to now sell the data to people who run phishing scams.

    “They’ll sell it 10,000 accounts at a time, short money, like $100,” he said adding there is enough information for a hacker to approach affected users as either Zappos or the credit card company and then ask them for more data — the classic phishing scam — which might be supplemented with a voicemail “vishing” attack as well, Mashable reported.

    Zappos said it was contacting customers by email and urging them to change their passwords.

    Las Vegas-based Zappos said the hackers gained access to its internal network and systems through one of the company’s servers in Kentucky.

And in the news last week we got an insight into the type of crime ring hackers may sell this information to, in an AFP report titled ’50 held in Puerto Rico-based identity ring’.

    The U.S. Justice Department announced late last week it has charged 50 people with conspiracy in a scheme to acquire personal identification information on US citizens in Puerto Rico and then sell it through fraudulent documents.

    Typically, the documents consisted of forged Social Security cards and birth certificates. They were sold for prices ranging between $700 and $2,500.
    The documents were sold from April 2009 until December 2011 to buyers throughout the United States.

    “The alleged conspiracy stretched across the United States and Puerto Rico, using suppliers, identity brokers and mail and money runners to fill and deliver orders for the personal identifying information and government-issued identity documents of Puerto Rican US citizens,” said Assistant Attorney General Lanny Breuer in a statement.
    The indictment alleges that identity brokers ordered the forged documents for their customers from Puerto Rican suppliers by making coded telephone calls.
    They would refer to “shirts,” “uniforms” or “clothes” as codes for various kinds of identity documents.
    “Skirts” meant female customers and “pants” meant male customers who needed documents in various “sizes,” which referred to the ages of the identities sought by the customers.

    Payment was made through money transfers while the documents were sent by mail.

    Some of the persons receiving the forged documents used them to obtain drivers licenses, US passports and visas, the Justice Department reported. Others are accused of using the documents to commit financial fraud.

    Sure this crime went on in the U.S. but it couldn’t happen here – could it?

    Well, to begin with – how many Australians have credit card details registered with Amazon, for example? We might live on an island, but U.S. crime can always reach our shores via the internet. Just look at the Sony PlayStation saga as a specific incident of how our details are not immune to theft on overseas shores.

With identity theft being the fastest-growing crime in Australia, it seems criminals here will be hot on the heels of the U.S. with newer, better, more sophisticated ways to get something for nothing.

Interestingly, many hacks are not carried out to commit identity theft at all, but as protest statements aimed at governments, companies or industry bodies. Take the recent Robin Hood-style hacking of Texas security analysis company Stratfor on Christmas Eve: hackers obtained thousands of credit card numbers and other personal information belonging to the firm’s clients and used them to make payments to several charities.

    “The assault was believed to have been orchestrated by a branch of the loosely affiliated hacker group called Anti-Sec and appeared to be inspired by anger at the imprisonment of Bradley Manning, the US army private accused of leaking US government files to WikiLeaks. An online statement from the group said the attack would stop if Manning was given ”a holiday feast … at a fancy restaurant of his choosing”,” the Brisbane Times reports.

MP Malcolm Turnbull and billionaire businessman David Smorgon were among the victims who had relatively small amounts charged to their credit cards and donated to charities such as Save the Children, Red Cross and CARE.

    But for those hackers whose main aim is to extract details from databases and onsell them to fraudsters – we should all be very wary. And unfortunately, there is always that element of doubt about the security of our personal information in company databases.

    A leading fraud expert made this suggestion for online credit card use:

In a story the Courier Mail featured in October last year, titled ‘Queensland Police Fraud chief Brian Hay calls for banks to bring in credit cards that can only be used in Australia to stop cyber-crime’, Det. Supt. Hay made some valid suggestions about how Australians can protect themselves from this type of fraud. One was for shoppers to have a credit card used only for online purchases, with a small credit limit. This is good advice: it limits how much can be extracted from a card if a company holding those details is ever hacked.

Unfortunately, it doesn’t stop identity thieves ‘phishing’ for further information on their victim for purposes of full-blown identity theft.

    If credit is taken out by fraudsters in the victim’s name, they can end up with defaults on their credit file – and this is not easy to recover from. First the victim has to prove they didn’t initiate the credit themselves. This would require documentary evidence and Police reports. But the identity theft victim would be virtually banned from obtaining credit until they are able to wade through the mess that has been created for them on their credit report, and clear their good name.
    For help with credit repair following identity theft, contact MyCRA Credit Repairs on 1300 667 218 or visit our main website www.mycra.com.au.

    Image: Danilo Rizzuti / FreeDigitalphotos.net


  • Top 25 worst internet passwords 2011 – is yours on the list?

Here is the list you need to read: the 25 worst internet passwords of 2011. These are the 25 most frequently used passwords, and therefore the ones attackers most often succeed with when trying to get into other people’s internet accounts.

    If you would like to prevent identity theft and credit file misuse, scan this list, and if your password is on it, please invent a stronger one.

SplashData, a Californian company that sells security services and password software, created these rankings from millions of stolen passwords posted online by hackers.

    1. password
    2. 123456
3. 12345678
    4. qwerty
    5. abc123
    6. monkey
    7. 1234567
    8. letmein
    9. trustno1
    10. dragon
    11. baseball
    12. 111111
    13. iloveyou
    14. master
    15. sunshine
    16. ashley
    17. bailey
    18. passw0rd
    19. shadow
    20. 123123
    21. 654321
    22. superman
    23. qazwsx
    24. michael
    25. football

    The Brisbane Times reported today SplashData CEO Morgan Slain urges businesses and consumers using any password on the list to change them immediately.

    “Hackers can easily break into many accounts just by repeatedly trying common passwords,” Slain says. “Even though people are encouraged to select secure, strong passwords, many people continue to choose weak, easy-to-guess ones, placing themselves at risk from fraud and identity theft,” he says.
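As an added illustration (my own code, written for this page; it is not from the article, SplashData or Stay Smart Online), here is the kind of check a website or business should run when a user picks a password. Simply refusing the 25 words above is not enough: number 18 on the list, “passw0rd”, is just “password” with one character swapped, and “Dragon2012!” is just “dragon” with a year and a symbol added, which is exactly where an attacker trying common passwords looks next. The substitution table and the 12-character minimum are assumptions of mine, not anything the article specifies.

```python
import re

# The 25 passwords listed in the article (SplashData's 2011 ranking).
WORST_25 = [
    "password", "123456", "12345678", "qwerty", "abc123", "monkey",
    "1234567", "letmein", "trustno1", "dragon", "baseball", "111111",
    "iloveyou", "master", "sunshine", "ashley", "bailey", "passw0rd",
    "shadow", "123123", "654321", "superman", "qazwsx", "michael",
    "football",
]

# Assumed substitution table (not from the article): the swaps people make
# when told to "change some of the characters". Attackers undo them first.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# A trailing run of digits and/or punctuation ("2012!", "123", "#1").
TRAILING_JUNK = re.compile(r"[\d\W_]+$")


def normalize(password: str) -> str:
    """Reduce a password to the base word an attacker would guess first.

    Lower-case it, drop a trailing run of digits/punctuation ("Dragon2012!"
    -> "dragon"), then undo common character substitutions ("passw0rd" ->
    "password"). A password that is nothing but digits is kept whole so
    that "123456" still compares against the blocklist consistently.
    """
    lowered = password.lower()
    stripped = TRAILING_JUNK.sub("", lowered) or lowered
    return stripped.translate(LEET)


# Built once at import time: the raw list plus the normalized form of each entry.
BLOCKED_RAW = set(WORST_25)
BLOCKED_NORMALIZED = {normalize(p) for p in WORST_25}


def check_password(password: str, min_length: int = 12) -> tuple[bool, str]:
    """Return (accepted, reason).

    Blocklist checks run before the length check so the user is told the
    real problem: "Sunsh1ne!" is rejected because it is "sunshine", not
    merely because it is short.
    """
    if password.lower() in BLOCKED_RAW:
        return False, "on the worst-passwords list"
    base = normalize(password)
    if base in BLOCKED_NORMALIZED:
        return False, f"variant of blocklisted word '{base}'"
    if len(password) < min_length:
        return False, f"shorter than {min_length} characters"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; nothing here comes from a real account.
    for candidate in ["passw0rd", "Dragon2012!", "M0nk3y", "Tr0ub4dor&3",
                      "correct horse battery staple"]:
        accepted, reason = check_password(candidate)
        print(f"{candidate!r:32} {'accepted' if accepted else 'rejected'}: {reason}")
```

In a real system the blocklist would be far larger than 25 entries (tens of thousands of leaked passwords), and the check would sit beside rate limiting on the login endpoint, since the attack the article describes is the same common words being tried again and again.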

    There are a number of ways hacking internet passwords can be lucrative for identity thieves beyond simply gaining access to bank accounts:

    1. Scammers who hack in to your Facebook or Twitter accounts can send messages to your friends pretending to be you, and ask for money from them. Recently a Gold Coast woman had her Facebook and Hotmail accounts hacked, and her friends were continually asked for money in her name. She is still attempting to recover her accounts.

    2. Fraudsters can also be after personal information from your online accounts, with the view to setting up fake identities. The personal information posted in Facebook could be enough to request replacement copies of identification, and then take out credit in your name, which can easily lead to a damaged credit rating, often without your knowledge.

3. The password for one account may be the same password used for other accounts and services. What would happen if the fraudster could gain access to your eBay account or your Gmail?

4. Gaining access to a person’s personal Hotmail or Gmail account could certainly give hackers enough information over time to commit identity fraud, or at the very least the chance to send fake emails to the contacts in your address book.

    5. Weak staff passwords can put businesses at risk of fraud and also credit file misuse.

    The Government’s Stay Smart Online website says attacks using stolen passwords occur more than people realise.

    “A password on your computer is like a lock on your front door—it prevents strangers walking into your house and stealing your possessions,” the website says.

    Stay Smart Online’s Top tips for passwords:

    • Set strong passwords, particularly for important online accounts and change them regularly—consider making a diary entry to remind yourself.
    • Never share your password with anyone. A password is meant to be a secret known only to you.
    • Memorise your password if you can. To make a password easy to remember, think of a phrase and then change some of the characters to make it a strong password. If you need to write it down in order to remember it, hide it somewhere safe.
    • Use different passwords for different accounts—otherwise if one is compromised it may give an attacker access to your other online accounts. For example, use a password for online banking that is different to the ones you would use for email or social networking.
    • Don’t save passwords for important accounts in your web browser—otherwise anyone using your computer could access these accounts.
    • Be careful using your password on a public internet terminal (such as an airport or internet cafe).
    • Never send your password via email or store your passwords in plain text on your computer.

If you suspect your password has been stolen, you may be extremely vulnerable to identity theft. You should contact Police immediately, even if nothing appears to have been tampered with yet. You should also get a copy of your credit file and check for any suspicious new enquiries or changes in contact details. If there seem to be any discrepancies, notify creditors straight away to prevent fraudsters ruining your credit rating. If there are defaults or other negative listings on your file that you didn’t initiate, you may find it helpful to use a credit repairer to help recover your good name. Contact MyCRA Credit Repairs tollfree on 1300 667 218 or visit our main website www.mycra.com.au.

    Image: Salvatore Vuono/ FreeDigitalPhotos.net

  • Insight into the ‘dark market’ of the cyber-crime underworld

Identity theft is on the lips of many concerned Australians. It is also discussed at length by governments, business and the Police, who attempt not only to unravel the workings of cyber-crime but also (often unsuccessfully) to stay one step ahead of it.

    On Wednesday, British newspaper The Guardian, featured organised crime expert Misha Glenny in an article, titled Cybercrime: is it out of control? Anyone who is even slightly curious about the cyber-underworld should at the very least read this article.

    It features Glenny’s new book, titled ‘DarkMarket: CyberThieves, CyberCops and You’. This book follows Glenny’s international bestseller ‘McMafia’.

    The book’s promo says:

    “DarkMarket explores the three fundamental threats facing us in the 21st century: cyber crime, cyber warfare and cyber industrial espionage. The Governments and the private sector are losing billions of dollars each year, fighting an ever-morphing, often invisible, often super-smart new breed of criminal: the hacker.”

    The workings of the underworld will astound any reader interested in how internet scams are perpetrated, and how we as individuals can fit in as pieces of the cyber-crime puzzle at many levels.

Glenny gives an example of how criminals can hack into a company’s computer systems and then use ‘mules’ on the ground to steal millions of dollars. Here’s how it was done in Canada:

    “The scam was impressive in its simplicity and effectiveness. The gang bought a number of pre-paid debit cards in different locations and placed $15 on each card. Once they had broken into the computer system of the company that issued them, they found the network area that dealt with the limits placed on each card. They sought out the cards they had purchased and, using the control they had established over the company’s networked system, they electronically raised the spending limit on the cards from $15 to tens of thousands of dollars. Over one weekend, they extracted around $1m (£640,000) using the affected cards in ATM machines around the world,” the article says.

U.S. company Fidelity National Information Services, one of the biggest providers of technology and card services to the banking industry worldwide, recently had US$13 million stolen in the same way.

    “Traditional bank robbers must be absolutely gobsmacked when they hear sums like this being hoovered up by cyber criminals week in, week out… The Mr Big who orchestrated the whole operation, I was told, kept 70% of those profits for himself – only 30% went to the hackers and the so-called “cash-out” team – that is, the people who have somewhat laboriously to go from ATM to ATM and extract up to $500 each time (before, of course, transferring 70% back to Mr Big),” Glenny says.

Glenny says that while there are no precise figures, the White House suggested in 2009 that cybercrime and industrial espionage inflict damage of around US$1tn per year, almost 1.75% of the world’s GDP.

    He says that Britain, the US, Canada, Western Europe, Australia and New Zealand are top targets for cyber criminals from across the world. He says in today’s world any business that is computer-based is vulnerable to attack.

Glenny describes the cyber-crime underworld in great detail. He says that until recently criminals could shop at “carder” sites, designed for hackers to deal in stolen credit card and bank card details: effectively a department store for criminals.

    “The first and the most celebrated among thieves was CarderPlanet. Members would come to this website, run out of Odessa in Ukraine, to buy and sell stolen credit card details, to purchase viruses, trojans and worms with which they could compromise victims’ computers, to take tutorials in how to deploy the latest cyber weapons, or to hire a botnet – a network comprising thousands of zombie computers – to use in an attack against your enemies,” the article says.

Glenny says these sites set up escrow services, similar to PayPal and using legitimate channels such as Western Union, which allowed criminals to trade with one another without being ripped off by each other.

““Carder” sites such as DarkMarket have slipped out of fashion because they were too easily infiltrated by law enforcement agencies such as the FBI and the Serious Organised Crime Agency here in Britain. Instead, the lone wolves have started to form packs with trusted friends and these look more like traditional organised crime groups with a clear hierarchy and division of labour,” Glenny says.

He gives one example of the new cyber-criminals: the spread of malicious software called “scareware”, which played on the fear of virus infection. One company, ‘Innovative Marketing’, made so much money selling fake anti-virus software that it established three call centres, in England, Germany and France.

    “The structure acts as a mask that obscures the real money-makers: the people who assemble the zombie networks and the Mr Bigs who use their services. The mules are easy to catch but they are very small cogs in a more ruthless machine. The next challenge for law enforcement is not unlike that facing the Untouchables in Al Capone’s Chicago. Capone, of course, was eventually busted for tax evasion. But how can you track down a digital Al Capone when you don’t know who he is or where he is?” he says.

    This illustrates the importance for people to report any instance of identity theft to the Police, no matter how small we may think the matter is. It could be a drop in the ocean to big amounts like the $13m stolen from FIS, but who knows – it could all be drops in the ocean from the same source.

Cyber-crime with the purpose of identity theft can take many forms. It can be perpetrated by stealing the personal information of individuals, generally via malicious software (‘malware’) or via phishing scams, in which messages that appear to come from genuine companies ask for personal details. Those details can then be used to generate fake identification, after which the fraudster goes about taking out credit in the victim’s name.

    If the theft goes undetected, the fraudster can be racking up thousands of dollars in debt in the person’s name. This is when identity fraud affects the victim’s credit file. When this happens, it is not only the victim’s bank accounts that can be affected, but more importantly their ability to obtain credit in the future.

    In Australia, if a credit file holder fails to make repayments on credit past 60 days, then a default can be placed on their credit file by the creditor. This default shows on the credit rating for 5 years, and can severely hinder their chances of getting credit once it is placed. For the identity theft victim, this can leave them severely disadvantaged for 5 years, and unable to take out legitimate credit. The only way they may be able to restore their good name is through lots of hard work proving to creditors they did not initiate the credit.

    For information on preventing identity theft, and help with repairing a credit rating following fraud, contact MyCRA Credit Repairs, or call tollfree 1300 667 218.

    Image: Salvatore Vuono / FreeDigitalPhotos.net