Understanding Recent Security Threats

I spend a great deal of time monitoring the ebbs and flows of security events that go on in the wild.  The recent spike in global activities makes it a great time to cover some of the recent security threats or issues you may run into.

The 3 most common events I am currently seeing:

  • Global Hacks that expose a large number of users’ data
  • Ransom mail (Emails)
  • Official Looking Phishing Emails

Global Hacks that expose a large number of users’ data

Data breaches in 2015 have been some of the largest to date. These attacks have focused on banks, health care companies, security companies and even a company that writes an application to protect your passwords.

What’s typically been taken?

First Name/Last Name

Social Security

Credit Card Data

Decrypted Password information

Personal Data (Phone Numbers, Where you Live, etc.)

Some of this year’s breaches have impacted as many as 150 million users.  As you know from the information above, that’s enough to build a whole new you.

These types of events will continue to happen more and more often.  What is important is knowing how to best protect yourself.

Use a unique password for each website you visit.

While a complex password is useful, some of the best expert advice being given these days is to use longer passwords. Taking a line from a favorite song and stringing it together can make a long password that is hard to hack. You can also add a number and a special character to make it even harder for someone to get.

You might find using something like:

Lyrics to “Lady” song by LIONEL RICHIE: Lady, I’m your knight in shining armor and I love you.

Could be turned into the password of: Imyourknightinshiningarmorandiloveyou9$

Yes, it’s long and you may not enjoy typing it. (Note: There are programs that can help remember your passwords and feed them into sites, but do recall that one of the companies hacked this year was a company just like that.)

Credit Monitoring Services

Many times when there is a breach like TJ Maxx, the company will provide you with 1 year of free credit monitoring. Recent reports from the FBI have noted that most often, data from a breach is stored for up to 5 years before it’s sold or used. So that 1 year of credit monitoring may do nothing for you.

You can get one free credit report from each of the three major credit bureaus (TransUnion, Equifax, and Experian) once every 12 months from annualcreditreport.com. However, this site doesn’t provide credit scores, or more specifically FICO® Scores.

Experts suggest that you check your credit every three months, and would prefer that you go ahead and have alerts set for any new credit line that is opened under your name. While they can be a cost (normally between 12.99 and 29.95 a month), a number of nationwide credit monitoring services can provide this for you. Many will offer you a free month and, if you call in to cancel, will offer you a reduced monthly fee if you agree to stay a member or if you reference another site that has a lower cost.

Some companies to consider:

Privacy Guard



Life Lock

Identity Guard

Defining a credit monitoring service is pretty straightforward, as these programs literally keep a watchful eye over your credit report for you; but pinning down the myriad benefits of a credit monitoring service is a little more complicated. Some can only alert you to potential fraud taking place in your name, while others offer assistance in helping you resolve problems resulting from identity theft should it happen.

o   A good Identity Monitoring company should be watching thousands of both legal and non-legal sources for your Identity, in addition to watching your credit reports.

  •         Address Monitoring

o   Watching those same sources as mentioned above, they look for documents and information that include data about your home.  This information could be from sources such as public legal filings.

  •         Lost Wallet Protection

o   If you have a number of cards and memberships, losing your wallet can mean going to a number of places to report your cards missing/stolen. Some services will let you pre-add all of your cards and help in the process to cancel those cards. Others will (from your credit reports) populate all the information that would be needed to help report these cards as missing. It can turn an all-night task into 10 minutes.

  •         3 Credit Scores* with (At least) Quarterly Updates – my preference is for monthly

o   This is a primary source for finding out what’s going on with your credit health, so the more often it’s checked, the better.

o   If your identity is lost, there can be costs such as lawyers, document requests, court filings and other events that cost you money out of your pocket. Most companies will offer between 25K and 1M in USD as “insurance” to help you in this process. From recent reports posted online, it’s often suggested to take between 500 hours and 3,000 dollars to recover; however, I consider this amount to be much less than what “could” be required. I would suggest getting at least 50k in insurance (check to see what the company offers as part of their basic package).

Ransom Mail

Recently there was a company that promoted people cheating on their significant others. That site was hacked and nearly 50 million unique users were identified. A number of emails are now being sent out to people (many who were not part of that site or never even heard of it) claiming they were found to be on there, and that all their friends and family would be told about their misdeeds.

The people claim they can let all your friends and family members know about this via Facebook. All you have to do is send 1 Bitcoin (a nearly untraceable electronic currency used on the internet with a current value of around 231 USD per coin).

What they are really hoping is that someone, guilty or not, thinks it’s just easier to pay the person than have the possible reputation hit based on the traffic.

How widespread is this and other forms of Ransom Mail? I operate 10 email accounts that are not connected to a real user (known as Honey Pot Mail Accounts), a real Facebook identity and on a number of different mail hosts (Gmail, Comcast, Yahoo, etc.). Across these various accounts I have seen it occur on all but one, and in many cases seen it occur between 2 and 5 times in a single day.

What should you do if this happens to you? In most cases, you can ignore them. They are simply spamming millions of people hoping a few people decide to go ahead and send them the money.

In the State of Illinois, you can also report these issues (Should you be concerned about them or should they escalate) to:

Office of the Attorney General

Hon. Lisa Madigan

Phone: 312-814-3000


Another useful resource would be:


Official Looking Phishing Emails

Phishing is the attempt to acquire sensitive information such as usernames, passwords, and credit card details (and sometimes, indirectly, money), often for malicious reasons, by masquerading as a trustworthy entity in an electronic communication. The word is a neologism created as a homophone of fishing due to the similarity of using fake bait in an attempt to catch a victim.

Recently there has been a large volume of emails coming from Banks, IRS, Homeland Security and other organizations talking about problems/issues that may be occurring with your account/personal data/tax returns. They normally want you to go to a website and enter your personal information and/or need some data about you that seems harmless (often to later ask you for more detailed data).

In almost all cases, organizations like this would contact you via mail or certified mail to let you know that information is needed. If you are still concerned, do not use the phone number or email address provided as part of the email, but instead go to the agency website and look up a number to call and verify the email.

Michael S. Wherry, CISSP, MCSE, TOGAF 8/9, DCT, MCNE

Director of Compliance, 1to1 Card

Smoke Detectors, Credit Reports, and Money Stuff

Alright, smoke detectors have little to do with scams, but changing your batteries now will prevent that random screeching that always seems to occur in the middle of a nap. First things first…

Protecting Your Money and Data

I am no computer expert, although a few things jump out if you want to avoid hassles that come with protecting your money and data. Consider having a computer used only for money stuff, only on a safe network. Use a reputable security suite and anti-malware program. This computer is never for cute kitty photos from your Facebook friends, unless it is an emergency.

PaZZwurd$!!!! Make them long and difficult to guess; I use a unique one for each account. How do I remember them? I write them down and keep them near my computer like any other dummy. There are some password generation programs that store numbers for you; I cannot in good faith venture which are the best. Two-Step authentication has become popular with many firms: if someone (or you) tries to log into your account from a new browser, the company will text a code required to enter the site.

Protecting Your Credit and Your Tax Returns

Around the first of every year I get copies of my three credit reports to make sure no one is pretending to be me. They are free at AnnualCreditReport.com. I request them all at once, shred last year’s and move on as long as things look normal. Some writers suggest getting one every four months throughout the year just in case something pops up. Seems like a hassle to me, considering a few other things now available. If there are any significant errors, best to send proof correcting the errors by certified mail to each of the three reporting agencies. If necessary, involve state and federal attorneys general if errors are not being fixed by the agencies.

The credit freeze makes the most sense of everything out there. If you freeze your credit then at least in theory people can’t open new credit in your name. As a plus your level of junk mail should decrease. On top of the credit freeze a permanent opt out never hurts.

Protecting your tax return from fraudulent filing should be a consideration if you have been a victim of identity theft. Applying for a filing code will offer a layer of protection. This is a unique code the IRS will mail every year that must be included on your tax return. This should prevent a thief from claiming a refund using your name and Social Security Number.


Some credit card companies and credit unions are now offering a FREE FICO score as part of their service. I would not be paying any shysters for FICO, don’t fall for those scams. Your FICO score should not fluctuate too much from month to month making it a good way to eyeball your credit. A sudden plunge would likely come from lots of new debt and/or unpaid bills being reported on your credit file. If that happens, time to investigate, otherwise one less worry for the month.

Credit Monitoring services seem an expensive overkill if you have taken the steps previously mentioned. I am just some hack banging away on a keyboard, do what you want. What I added for about $30 was a rider on my homeowners policy that provides some coverage for legal fees in the event of ID theft. Still overkill IMO, but it seems every retailer in the world lost a zillion credit files last year so…

One other thought on this front is credit card versus debit card for everyday purchases. Liability is limited either way, but having your bank account drained from fraudulent debit card purchases could suck a lot until the money part of the theft gets sorted out. If you want to use a debit card consider a separate account that is not linked to your bill paying money. Fraudulent purchases are a when, not if, plan accordingly.

Moving on….

Money, it gets stuff done.

As I have mentioned many times elsewhere, I do not like people near family money. Being ripped off on a part, for a thing that may be broken, while a bummer, will in most cases not wreck your life. Not so when it comes to a life savings. Many people who don’t track scams for sport might be shocked to learn a $100,000,000 ponzi scheme is commonplace these days. A few this year were multiples of that, and don’t kid yourself: judgements are meaningless; money lost is gone forever.

Check your professionals at both the state and federal level each year. There have been a number of articles recently where broker infractions were not properly communicated between agencies. A broker could be clean at one agency, and dirty as an ashtray at another. This needs to be done every year, people change. When schemes implode there are any number that were run by folks with many years in the money business. Lump attorneys, trust companies and accountants in this process if they have access to your funds. Any whiff of the adviser having money problems or complaints should be all the prompting one needs to move their money rapidly to safety.

Duties must be segregated to keep your nest egg safe. If you are in a situation where the person managing your money controls the reporting, the deposits, and the withdrawals a problem could be brewing. If someone is managing money for you that money needs to be held in a segregated account, preferably with a major firm where you can verify without going through the adviser. When you need to take money out, an entity other than the adviser should be writing the checks.

It’s not a bad time to look for unclaimed property because you never know.

Try and avoid confusion about money by having a list of everything you own on one sheet of paper. This includes bank accounts, brokerage accounts, retirement plans, and insurance policies. Listed beside each is the beneficiary and contact information necessary if something should happen. Most banks and brokerage accounts allow for TOD beneficiaries. Don’t, in my opinion, add someone as a joint account holder unless that is really what you want, like a husband/wife situation where the funds are truly shared. The obvious problems of fraud, lawsuits, and the possible loss of step up in basis are why I would avoid this.

While probate is not a scam, it certainly is not cheap or fast. Nor is a situation where someone becomes incapacitated and needs their affairs handled. That is why I feel it is important to spell out your wants in detail before something happens. The less people have to do when you can’t, the less likely they are to muck it up. Or the less likely your beneficiaries are to be taken for a ride.

That’s it for now, put the sheet someplace safe and enjoy your year.

How Much Is Your Identity Worth?

Today’s crims may not be after the family’s silver or the DVR and telly in the corner. Long gone are the days of some guy coming up to you in a pub and saying, ‘Hey mate, I got a load of DVRs, you after one?’

It would be more like, “I have some fresh credit cards, tested. If you’re quick you could get a couple of grand by buying some online kit straight away.”

This is big business, and I mean BIG business, so let’s get some perspective.

In the USA alone in 2011, over 11 million adults fell victim to identity theft, a massive increase of over 12% on the previous year, and growing and growing.

Don’t think the UK is safe either, because it is on the increase here as well.

The postman drops a letter on your door mat; you see it is the water rates. A couple of days later, yep, you guessed it, the telephone bill. OK, we all hate bills, it’s a fact of life, but the burglar is starting to love these bills. Nope, they’re not going to pay them for you, but the information, like account numbers, middle names and date of birth, are all things that are personal to you and therefore, in the right/wrong hands, whichever way you look at it, can be used to request credit and get things from others that probably are not that clued up.

Then guess what? Yep, that’s right, all these bills are kept in a drawer in the kitchen along with the gas bill, electricity bill, spare key for the car, and probably the details of the car as well. So you can now imagine that before it was the TV etc.; now a quick look around and a burglar could be out of your house in less than five minutes with the most important thing you hold dear and until now did not put a value on. Your Identity!!!

To compound it, if you are as sorted as my good lady is, then all these documents are listed in some sort of easy-to-sift-through order in a filing cabinet, giving the crim an index to see what is best to take and what he can do without.

Being in the security industry, we listen to people’s pains and anguish every day as they are phoning us up after the horse has bolted, so to speak, so this is real. We, too, keep our filing cabinet locked, and all our important documents, passports, National Insurance numbers and lots more are kept safely in a fire-rated safe in a location that I’m not telling :-)

We all need to wise up to ID theft; it is very real. If you have been a victim, you may find credit reference agencies could blacklist your name and address for years to come. Getting a loan from a bank or buying on credit may all come back saying thanks but no thanks, and even credit cards that you have could now be calling asking when they are going to get paid for money that you did not spend.

For the Criminal it is easy to do, in and out in a flash, carrying paper is even easier than the TV!

Get decent locks, get a decent alarm and finally a decent safe. These should be considered as the bare minimum. Maintain a healthy security envelope around you, your home and your identity.

Hope this helps.

Written by Darrel Walters, Head of the tech department @Locks_Online
Managing Director and head of The Walters Group and have been for over 23 years
TRUST Security – Trust LocksOnline