Archives For ID Theft

John SileoIdentity Theft is Misunderstood By Many Of Your Clients

Last Friday I had the opportunity to interview John Sileo, one of our nation’s foremost experts on Identity Theft.  This was part of the SVLC Insider’s Circle online events…if you’re an active member you have access to the entire interview posted on the membership site.

We gained some great insights through this interview. John gave us actionable information – ideas to take to small business owners, as well as those responsible for security in the larger accounts. ID theft is still the biggest problem. There’s lots of intellectual capital being taken, but ID Theft is bigger in terms of volume and likelihood for most of your accounts.

John Sileo revealed some issues you need to know…in summary:

1. Small businesses are liable for their bank accounts. If someone steals money out of your personal account, chances are your bank is going to cover that. They’ll take the hit! But of course we’ll all pay for it in banking fees. There are no free lunches.  But if a small business account gets drained, that small business owner is on his own!  Most small business owners have no idea…

2. It’s going to take over a year for the business owner to discover he’s been hacked. Most of them are waiting to see if something will go wrong. If they don’t see it, the assumption is everything’s okay. They need someone to show them. It’s stealth, and they won’t see it.

3. The assessment process is broken. John shared a story from his recent visit to Starbucks. While sipping on a latte he watched as a man left his system to visit the restroom.  John was able to film the entire thing, including the guy’s screen – which was open for everyone to see. He was a government contractor accessing confidential information through a secure VPN. That VPN session was open and accessible while he was powdering in nose in the men’s room! Assessments don’t find this kind of stuff, yet it’s happening every day.

4. John personally experienced the loss of his own business years ago. He shared how his technology reseller business was compromised when someone ravaged through a trash can outside his office. Using unshredded documents, perpetrators were able to convince the banks that they were  “John”. They took out loans and bought stuff using John’s identity. It took about three years to recover his name – but he still lost just about everything he owned, including his business.

5. In our interview he revealed that 60% of the ID Theft going on happens at the small business level.  50% of these companies will go out of business once they disclose the breach (which is something they most likely will have to do.)  If they don’t disclose it and the media gets word – the damage multiplies.

ID Theft is big. If you’re in the managed services business, you need to be in the security managed services business. This week, Aegify, a provider of security managed cloud offerings is hosting a session on Growing the Managed Services Business. I’ll be addressing how to add security, what security to add, and how to take it to the market to address the issues mentioned above.  Register here and join us:

Yes, I want to learn about selling MSSP services  << Get your seat here!

If you would like a copy of John’s session, I did record it. Anyone who joins the SVLC Insider’s Circle will get this program, plus my latest book on selling security…and several other bonuses worth over $500, free.  You can sign up right here:  Learn more about the SVLC Insider’s Circle  << CLICK.

© 2015, David Stelzl

I’ve commented before on computing- how secure is it?  Well, it turns out that the provider of cloud service you’re using is not the only security consideration; what about the internet service provider?  Check this out…two woman on Facebook reported being redirected to other peoples pages while trying to access their own.  No passwords other than their own were required, and their access completely unintentional.

Of course this is not a hack; however, what if someone is redirected to something highly sensitive including your personal finances, intellectual capital, or military secrets?  And  what if that person thinks it’s funny and posts it on the web or is connected with something harmful such as a terrorist organization?  This could have major effects on a business brand, homeland security or personal reputation!  Once again, I hear IT calling out, “We’ve got it covered”.  You can read the details in the FOX link below:

Wall Street writer Ben Worthen, in an article dated March 10, 09 recounts some of the growing risks of identity theft, validating many of the statistics I’ve given over the past two years.  Here’s a short excerpt:

“The number of reported data breaches of all kinds in the U.S. climbed to 656 last year from 446 in 2007, according to the Identity Theft Resource Center, a nonprofit organization based in San Diego that helps identity-theft victims. These breaches affected some 36 million records — including Social Security numbers, credit-card accounts and other personal data.

Overall, more than 250 million records containing personal information have been lost or stolen since 2005, according to the Privacy Rights Clearinghouse — and that’s driving more consumers to companies that say they can prevent theft.”

656 companies reporting ID theft

Over 250 Million identities expose

36 Million records exposed in 2008

Also noted in the article, Heartland processes over 11 Million Transactions per day, but a total number of exposed numbers has not been published.

Sound bites build credibility with asset owners and overcome technologist’s attempts to make their security sound solid.  Wall Street is a solid source to quote from given that most decision makers read it (or at least pretend to).

Monster Hit

January 28, 2009 — Leave a comment

Targeted attacks are growing as companies build storehouses of data – something every company seems to be doing these days.  If you’re working with larger accounts, find the assets.  Where are these storehouses, what do they contain, and who controls access – can they detect and respond to a breach? 

Just another example in today’s USA Today – – with Monster’s job search site.  Britain alone reports 4.5 million British citizens exposed (no mention of other nations on this hit). This site, along with other resume posting sites contains all kinds of great information that can be used to compromise one’s identity.  Note, these sites also contain all of the data needed to understand a company’s computing environment, as well as providing contact information to an insider that isn’t necessarily loyal to the company; i.e. a potential partner in crime.

How can the data be used?  Well, the hacker now has access to information associated with both job seekers and potential employers.  As I’ve mentioned in previous posts, storehouse type data is being gobbled up all over the world by hackers who are exploring new ways to correlate data to be used in schemes yet to be devised.  This may include access to bank accounts, corporate accounts, and various forms of fraud and ID Theft.

What company can afford this type of press in a down economy?  Use these sound bites to grab the attention of asset owners.  Asset owners are liable, care about the company’s reputation, and either approve, or greatly influence company spending.

From USA Today this week: “A staggering 4.07 million health-care records have been breached so far this year — about four times the amount in 2007, according to researcher DataLoss DB.”  In other words, this is a big growth area for cybercrime!

“Hospitals keep records of patients for everything: financial, Social Security, credit, medical records,” says Reed Henry, senior vice president of marketing at security firm ArcSight, which helped collect the data.

Medical information is worth money!  Often taken by internal workers who may or may not be cooperating with outside organizations – a recent report points to a former employee at the UCLA Medical Center who pleaded guilty after trying to sell Britney Spears medical records to the National Enquirer.

These are great sound bite for those working with medical organizations.  Especially smaller organizations who may not have made the investments needed to secure this type of data.  While HIPAA regulations require various levels of protection, passing the audit does not ensure data security.  Notice once again, hacking through the firewall was not an issue for this guy from UCLA, he simply accessed tapes from inside the facility.

As you know, USA today is one of my favorite sources of news.  Check out today’s article on Cybercrime and how the focus of cyberthieves is changing: – an excellent source of attention gripping sound bites for your prospects.

Three years ago we had the Iceman – the market leader in ID Theft with total world-wide revenues totaling $67.2 Billion.  This year earnings have topped One Trillion; right in line with predictions I cited three years ago.  Sound Bite:  ID Theft is commoditizing!  That doesn’t mean it’s going away – it’s become so easy that the serious criminals are turning to more profitable cybercrime activities, while amateurs continue the ID harvest.  Prices have come down from $100/ID number to somewhere in the $10 range.  Here are some important Sound bites:

  • 1. What is the new focus? Intellectual Capital; Data thieves are harvesting corporate data in anticipation of rising demand.
  • 2. Copycat ID thieves have saturated the market driving ID prices down – it’s so easy, almost anyone can do it.
  • 3. Primary targets are corporate users using free web tools such as instant messaging, web-based email, and social networking – Especially AOL, Yahoo, MSN, and social sites including MySpace and FaceBook.
  • 4. Most valued data includes; e-mail address books, instant-messaging buddy lists, PowerPoint slides, engineering drawings, partnership agreements, price lists, bid proposals, supply contracts, etc. Intellectual property!
  • 5. Who are the buyers? This always comes up as a question…in one case cited in the above linked article; a Chinese entrepreneur was able to take stolen information to build an entire business based on stolen intellectual capital. Duplicating a business that took over ten years to build and millions in R&D, he created a counterfeit business for a fraction of the price. Law enforcement was unsuccessful in stopping him.
  • 6. This is a nine month old trend; Take as much data as possible and then sort through it. Figure out what’s worth money, and then find a buyer.

The fact is most customized applications are built for functionality; they contain little to no security in their design.  This is a giant hole in the security of digital assets.