Virtual Reality: Real-World Security Concerns

By | December 1st, 2016|Industry News|

CSIDRecent advancements in virtual reality (VR) have ushered in one of the most exciting times in technology, with consumers and businesses alike realizing VR’s potential for transforming and enhancing experiences. VR has proven to be so much more than a vehicle for gaming. We’re still in the early stages of understanding the full implications of VR, but exciting progress has already been made in verticals spanning from entertainment to education, and even the medical field. Early studies have shown it has helped paraplegics regain body functions, treat PTSD and anxiety attacks, test car safety, and so much more.

With VR picking up steam and quickly making its way from research labs to consumers’ living rooms, it’s more important than ever for consumers to be aware of the unique threats that may be associated with VR.

Physical Risk: Blended Realities
Virtual reality simulated experiences can create a degree of realism that may cause a user to become so deeply immersed in that experience that they become less aware of their surroundings. The nature of current VR headsets is such that users cannot see anything around them. VR experiences that require movement – like simulating the motion of swinging a tennis racket for example – could cause danger or harm to the user if they are not in an open space, clear of other individuals or structures.

Digital Risks: Privacy and Identity Theft
Like any technology that collects user information, including payment, account, and personal details, VR will continue to be a valuable target for cyber criminals. Pressures to bring the technology to market quickly may also cause developers to overlook critical security and privacy considerations. Other security risks may emerge when the devices are in use, as users may unknowingly express information related to their location or identity which may be recorded by a third party and used for marketing or if it falls into the wrong hands, identity theft.

Many predict that hackers will use tried and true hacks in new ways, leveraging VR to have users, “unwittingly deploy a Trojan” or “leak their password with just a wave of a hand,” for example. Phishing could also be executed via “fake virtual objects,” a duping method believed to already be in use by hackers.

Securing VR will take collaboration from the public and private sectors and a commitment from technology developers to create more secure devices. However, users should be aware of their own responsibility in protecting themselves. Be careful to use long, strong and unique passwords for VR-associated accounts, vet third party vendors, and ensure all of your devices have the latest software.

Have other VR security considerations to share? Weigh in with us on Facebook, Twitter and LinkedIn.

Good News for Consumers: Identity Theft Protection is Now a Non-Taxable Benefit

By | January 15th, 2016|Industry News|

Tax SeasonIt may seem like April is far away, but tax season in fact launches next Tuesday, January 19. And whether you’re a business or an individual, you’ll want to know if you’re eligible for any tax benefits. Thanks to a recent announcement from the Internal Revenue Service (IRS), identity theft protection will now be considered a non-taxable benefit – a nod to the rising importance of the service for all consumers in today’s security landscape.

The IRS will treat identity theft protection as a non-taxable, non-reportable benefit—for any employee or company, regardless of whether they’ve experienced a data breach, or whether the identity theft protection is provided by an employer to employees or by a business to its customers.

Previously, only employees or customers who were in the aftermath of a data breach could treat identity theft monitoring as a non-taxable event. But after that announcement just four months ago, several businesses suggested a data breach was not a remote risk, but rather, “inevitable.”

What does this mean for companies? They can now deduct any cost of offering identity theft protection to their employees or customers. The IRS defines identity theft protection services as:

  • Credit report and monitoring services
  • Identity theft insurance policies
  • Identity restoration services
  • Other similar services

It’s important to note that these don’t need to be reported on either W-2 or 1099-MISC forms. However, this new policy won’t apply to cash given to employees or customers in place of identity protection services.

Perhaps the change in defining what qualifies was spurred by the IRS’s need to provide identity theft protection last summer, as its online database of past-filed returns and other documents was hacked. That breach affected over 300,000 individuals.

Whatever the reason, the announcement means this is a perfect time to sign up for identity theft monitoring services. You can do so through an employer or directly with a retailer. Particularly for individuals, the ability to receive tax benefits while knowing your personally identifiable information is safe and secure is a great feeling. For existing subscribers, upgrading to premium services may now be a more viable option.

Does your company offer identity theft protection and monitoring as an employee benefit? If not, would this announcement change their minds? We’d love to hear what you think. Weigh in with us on Facebook, Twitter or LinkedIn.

Five More Tips To Keep You Secure While Traveling

By | July 23rd, 2015|Uncategorized|

TravelSummer vacation is a time to unwind. But remember, just because you’re taking a break from work, it doesn’t mean identity thieves are. In fact, cyber criminals and identity thieves are always looking for opportunities to strike while the iron is hot. These five rules will help you stay safe this summer (or whatever time of year you are traveling)!

Avoid using public computers.
Using a public computer may seem convenient, but it creates unnecessary risk. You never know what types of malicious software might be installed on a device. A report in the Chicago Tribune says risks include “key-logging software that saves your login details, security updates that are not installed, and no or out-of-date antivirus software.” Just like when using an unsecured Wi-Fi hotspot, never access sensitive websites (like your bank account) while using a public computer.

Alert your card issuer about your travel plans.
This is a proactive step to safeguard your identity. Most card services have great systems in place to alert you to fraudulent purchases. Letting your provider know about your travel plans makes it easier to stop fraud if your wallet is lost or stolen.

Stay on top of your travel budget.
Typically, your spending increases during vacation. And, many find it harder to keep track of spending while they are traveling, where it can be easy to miss suspicious charges. Watch what you spend. Consumer Reports advises, “Check your statements frequently when you return from your trip and report any suspicious charges quickly.”

Be smart about ATM use.
Skimmers, or malicious card reader devices, are becoming more and more advanced. Whenever possible, skip ATMs in tourist zones and visit a bank branch to make cash withdrawals. For more about what skimmers look like, check out the series on Krebs on Security.

Password protect your phone.
When your phone is lost or stolen, it’s more than just a huge inconvenience. Smartphones provide access to sensitive PII and account information. A strong password will protect your data until it can be remotely wiped.

For more tips, check out our blog from last summer on this topic. Have any questions, or want to add to the discussion? Let us know on FacebookTwitter or LinkedIn!

Overview of 2015 Verizon Data Breach Investigations Report

By | April 21st, 2015|Breach, Uncategorized|

Every year Verizon takes a thorough look at the global breach landscape in the company’s annual Data Breach Investigations Report. This year’s report offers a wealth of information on the threats, vulnerabilities and actions that plagued businesses in 2014. The report is long, but interesting and worth a read. To make it easier for you, we pulled what we feel are some of the most interesting findings below:

Compromised credentials remain the largest threat in 2014.
If this graph doesn’t encourage you to pick a good password, we don’t know what will. Credentials are like keys to your business. Passwords should never be reused and two-factor authentication should be used whenever possible.

Humans are the weakest link.
This year’s survey found that 23 percent of phishing email recipients open phishing messages and 11 percent click on attachments. When you consider that one employee clicking on the wrong link can compromise your entire business’ system, this is an alarming statistic. Verizon also conducted a test to see how quickly phishing links are clicked on. They found that nearly 50 percent of victims opened emails and clicked on phishing links within the first hour. Teaching employees about security best practices and how to identify suspicious links has never been more important.

According to the Verizon report, mobile malware is not a big deal… but it really is.
They found that only .03 percent of the tens of millions of mobile devices they looked at were infected with malicious malware. We don’t agree with this finding. Mobile malware is a huge problem. Over a 12-month period Kaspersky Lab found more than 3.4 million malware detections on devices of 1 billion users. As mentioned above, employees are the weakest link. All it takes is one employee downloading a malware-infected app on his or her phone to put a business at risk.

If you are concerned about your business and the security risks outlined in Verizon’s Data Breach Investigations Report, we recommend you check out our Resources Page. We have a lot of great information for businesses and consumers on how to mitigate the risk and impact of a breach.

As always, let us know what you think on Facebook, Twitter and LinkedIn.

March Recap: SXSW Comes to a Close, CSID Employees Give Back

By | April 8th, 2015|Uncategorized|

Cyber SecurityIt was a busy month for CSID! After months of prepping for SXSW, we were excited to see the fruits of our labor come together. Between all of the SX madness, we were also happy to spend some time unwinding and giving back to the community. Check out our March recap below.

Wellness Week: Unwinding and Recharging
We kicked off March with Wellness Week: an opportunity for our employees to participate in everything from meditation classes to presentations on sleep and boosting your health with music. We rounded out the week with Fun Friday, where employees battled it out to create the healthiest dishes at our potluck and showed their skills at Giant Jenga.

Another Successful SXSW For the Books
It’s hard to believe another SXSW has come and gone. We enjoyed participating this year, (joining 50,000 of our closest friends), and speaking on panels including “Wi-Fi Privacy: When Sniffing Becomes Snooping,” and “Hacker to InfoSec Pro: New Rock Star Generation.” We were also loco for Jomoco in our session, “Follow the Money: Cyber Crime and the Black Market.” CSID CIO Adam Tyler also participated in the Christian Science Monitor-organized event, “Steak, Eggs and Cybersecurity: A Passcode Conversation.”

For all the details on CSID at SXSW, check out this blog post.

CSID Talks Women in Tech
We were proud to be featured in the March issue of Velma magazine last month. Our own HR recruiters, Melissa Smith and Loren Zeid, shared insights with the magazine on how we hire and retain talented women in tech and what perks and benefits we offer as an organization to attract female talent, including our promotion of a strong work-life balance, regardless of gender. Be sure to check out the issue, where we are featured beginning on page 15.

In addition, our own CFO, Amanda Nevins, represented CSID in the Austin Business Journal’s Bizwomen Mentoring Monday event.

CSID’s Joel Lang Speaks at IAPP KnowledgeNet
CSID’s Joel Lang enjoyed participating in the IAPP KnowledgeNet event in Austin. Joel shared insights on the session, “Setting the Table: An Information Security Incident Response Demo,” alongside Christopher Field, CIPM, CIPP/US, Corporate Privacy Director, Harte-Hanks.

Digging In And Giving Back
At CSID, we believe in the importance of taking time to give back to the community. We closed out March by volunteering for the Sustainable Food Center’s Grow Local Program, which offers central Texas residents the knowledge and resources necessary to grow their own food. We had a blast getting our hands dirty and spending time together as a team outside of the office.

Check out what else we were up to in March on Facebook, Twitter and LinkedIn.

5 Steps to Remedy Taxpayer Identity Theft

By | April 2nd, 2015|Uncategorized|

Cyber SecurityAs we approach the 2014 tax filing deadline, many taxpayers gearing up to file their taxes may find that someone else has already fraudulently filed for them – and have cashed in their refund check. During the 2013 tax filing period, $5.8 billion was paid in identity theft refund costs, according to the U.S. Accountability Office “Identity Theft and Tax Fraud” 2015 report.

While the IRS has developed new measures to protect against taxpayer identity theft, including adding new pre-fund filters and limiting the way people direct deposit refunds, there are still taxpayers who will find themselves a victim this season. Last year in the first six months alone, 1.6 million taxpayers were affected by identity theft. This year, folks who are affected will spend hours on the phone tracking down where their return was sent, spend additional money in fees to access accounts that have been locked out by cyber criminals, and may still end up with empty pockets.

Cybersecurity reporter Brian Krebs recently investigated a taxpayer identity theft case in which the taxpayer had his tax return request rejected because it had already been fraudulently filed and direct deposited into a bank account. The victim spent countless hours on the phone trying to access his IRS account, which had been claimed by a cyber criminal using an unknown email address. He spent $50 in fees to have the fraudulent tax return filed in his name sent to his home address and countless hours tracking down the financial institutions where the money was deposited and talking with different government departments to track down his tax return money.

Did the cyber criminals beat you to your own tax return this year? Was more than one tax return fraudulently filed in your name? Here are some ways you can remedy the problem:

  • Report the problem to the IRS. File an Identity Theft Affidavit with the IRS as soon as you can. This marks your account and lets the IRS know they should keep an eye out for questionable activity during tax season.
  • Place a complaint with the FTC. Sharing a complaint with the FTC helps the commission detect patterns of fraud and abuse.
  • Place a fraud alert on your credit records. This is completely free and you can begin the process by contacting a credit reporting company. The FTC has a helpful step-by-step process online to help you place a fraud alert.
  • Check your credit report and set up credit alerts. Find out if your financial accounts are being further abused by cyber criminals by setting up credit alerts with a major credit reporting bureau.
  • Understand that these cases take time. According to The Washington Post, a typical identity theft case with the IRS takes 120 days to resolve. Be patient, as it unfortunately takes a while to resolve identity theft cases.

There are many ways to help prevent tax identity theft from happening to you in the future. Next year, remember to file your taxes early. Get ahead of cyber criminals’ fraudulent activities by filing as early as possible. When you do file taxes, be sure to do so digitally, instead of via mail. Use credit monitoring to notify you of any unusual activity. Last but not least, be aware of phishing attempts during tax season time. There have been phishing scams in which emails are sent from the IRS asking taxpayers for personal information. Never send sensitive information via email to any organization and be sure to research the correct phone number of the IRS or any organization you need to call to ensure your conversations are secure.

You can find more tips on how to avoid taxpayer identity theft by checking out our blog post on the topic. Do you have any additional tips to abide by during tax filing season? Be sure to share with us on Facebook, Twitter and LinkedIn.

January Recap: Ramping Up For The New Year

By | February 6th, 2015|Uncategorized|

Cyber Security Took Center Stage in the State of the Union Address
On January 20, President Obama delivered his annual State of the Union Address and this year cyber security was a major focus. President Obama detailed his plans for increasing online security, electronic privacy and the prevention of identity theft for the American people. Check out our blog post on the topic.

Data Privacy Day
On January 28, companies and organizations around the world celebrated the eighth annual Data Privacy Day – an initiative to help spread best practices from the National Cyber Security Alliance and StaySafeOnline.org. The day was filled with engaging Twitter chats, webinars and live events that dove into the biggest trends and challenges in cyber security today, providing interesting online conversations throughout the entire week.

Identity Theft Awareness Week
The last week of January was a busy one with Identity Theft Awareness Week, sponsored by the FTC. During the week, we joined in on the #IDTheftChat, where users shared tips on how to safeguard their information from some of the most common forms of identity theft.

Countdown to SXSW Interactive
It’s hard to believe SXSW is just around the corner! And, we have been busy ramping up for our three sessions. Below you will find more information on where you can find each of CSID’s sessions at SXSW:

SXSWiHacker to InfoSec Pro: New Rock Star Generation
Sunday, March 15
11:00am – 12:00pm
JW Marriot
Salon 8
110 E 2nd St

Follow the Money: Cyber Crime and the Black Market
Tuesday, March 17
12:30pm – 1:30pm
JW Marriot
Salon 4
110 E 2nd St

Wi-Fi Privacy: When Sniffing Becomes Snooping
Friday, March 13
5:30pm – 5:45pm
Austin Convention Center
Ballroom C
500 E Cesar Chavez St.

Joe Ross’s column on Huffington Post
Massive point-of-sale breaches seemed to dominate the news in 2014. CSID’s president Joe Ross weighed in with his insights on what new EMV legislation may mean for the security of merchants and consumers in his latest article on the Huffington Post: “POS Breaches in 2015: The Good, the Bad and the Ugly.”

With so many exciting initiatives this past month on increasing cyber security awareness and education, we look forward to what the rest of 2015 will bring. What do you think will be the biggest areas of focus this year? Share your answers with us on Facebook, Twitter and LinkedIn.

Safe Password Practices

By | January 26th, 2015|Uncategorized|

Password SecurityWe talk a lot about safe password practices on this blog. We cannot stress enough the importance of using secure and unique passwords in your day-to-day life, especially for high-value sites like Amazon or Gmail.

For the past four years, password manager company SplashData has compiled a list of the top 10 worst passwords. This year, 123456, password, and 12345 topped their list. In 2011, password, 123456, and 12345678 topped the list. Not much has changed. There will always be bad passwords, but the good news is that fewer people are using them.

Mark Burnett, a reporter with Ars Technica, has run the analytics on SplashData’s Top Worst passwords list for the past four years. Mark reports that in 2014 only 0.6 percent of users in the data set he analyzed used the word “password” or “123456.” This is down from 8.5 percent in 2011. As Mark states in his article explaining how he analyzes that data, “this is huge.”

It is huge. This means that consumers are starting to become more aware of how bad passwords impact their vulnerability in the event of a breach. In 2013 another Ars Technica reporter, Nate Anderson, downloaded a list of 16,000 cryptographically hashed passwords. He deciphered nearly half of them within a few hours. Nate had ZERO experience cracking passwords prior to this experiment.

So what makes a good password? Whoishostingthis.com looked in to this question and published an infographic on how to create the perfect password. To summarize:

  • Use a combination of upper and lowercase letters, numbers, and symbols.
  • Create a password that is at least eight characters long. The longer, the better. To put this in perspective, a 10-character password can be cracked in a week. A hacker using “brute-force” tactics will need 1.49 million centuries to crack a 15-character password.
  • Don’t use dictionary words, slang, names or email addresses. You can have the longest password in the world, but if it’s an easily recognizable phrase, it won’t do you much good.
  • For those that don’t want to keep track of long, complex passwords, a password manager is a good solution.

This won’t be the last time we talk about passwords on this blog. It really is one of the easiest ways to avoid identity theft and fraud in the event of a breach. If you use one of SplashData’s worst passwords, please take the time to change it.

Do you have any tips for creating and remembering secure passwords? Let us know what you think on Facebook, Twitter or LinkedIn, and be sure to keep up with our Tumblr for up-to-date security news stories.

Loyalty Rewards Programs: A New Cybercrime?

By | November 13th, 2014|Uncategorized|

Rewards PointsCyber criminals are getting creative. We constantly hear about hackers stealing credit card numbers and even Twitter handles. Now, they have also added your loyalty rewards points to their list.

Brian Krebs wrote an excellent article highlighting a few of interesting cases where victims had rewards points stolen.

One victim reported that he had about 250,000 Hilton Honors points stolen from his account. These points were used to reserve a number of Hilton hotel rooms, and then the criminals continued to purchase additional points with the corporate credit card associated with the account.

Experts are also starting to see rewards points being sold in the online black market for a fraction of their worth. For instance, a hacker might sell points worth $1,200 in hotel reservations for $12.

So what does this mean for you? It is unlikely that stolen rewards points are going to overtake trends like mobile malware or medical identity theft as the “next big thing” to worry about. That said, we always recommend keeping up-to-date with the latest security trends and being proactive about protecting your identity and online accounts.

Some proactive actions you can take now:

  • Keep an eye on your bank accounts and credit reports as usual. Stolen rewards points may actually be one small piece of a larger puzzle when it comes to identity theft.
  • Avoid saving credit card information on websites with rewards programs, such as your favorite hotel, airline or retail site.
  • Use a secure, unique password for loyalty program sites. Don’t reuse passwords.
  • As a retailer or company that offers reward points, institute a CAPTCHA system to protect against hacking bots and scripts.

What are your thoughts on stolen rewards points? Is this something that concerns you? As always, join the conversation on Twitter, Facebook or LinkedIn.

A Look Inside Electronic Medical Records

By | October 16th, 2014|Uncategorized|

EMRMedical identity theft is not a new topic; however the rise of the amount of cases in the healthcare industry is starting to cast a shadow on the healthcare industry. According to the Identity Theft Resource Center, medical identity theft accounted for 43 percent of all identity theft cases in 2013. Additionally, the FBI recently warned that cyber criminals are targeting the healthcare industry due to lax systems in place.

As the date for healthcare facilities to implement electronic medical records quickly approaches, we wanted to dive into the topic and explore what electronic records means for the healthcare industry.

In 2009, the American Recovery and Reinvestment Act granted financial incentives for healthcare providers who put EMR into “meaningful use,” i.e. using electronic filing systems, medical billing systems and transcription services for example. As of January 1, 2014, healthcare facilities have one year to abide to the Federal Mandate for Electric Medical Records (EMRs). Since the start of the 2014, private healthcare providers had to adopt EMR to maintain their Medicaid and Medicare reimbursement levels, according to the University of South Florida’s College of Medicine.

According to the Office of the National Coordinator for Health Information Technology, “nearly six in ten (59 percent) hospitals have adopted at least a basic electronic health records system… [representing] a five-fold increase since 2008.” As more medical facilities adopt electronic health records, the entry point for cyber crime increases, putting consumers and facilities at risk.

How to safely implement EMR:

  1. Educate all staff – not just the IT department – on the use of EMR. It’s important for all employees to understand the sensitivity of the data they are dealing with on a daily basis. Put policies in place to protect EMR and enforce those policies.
  2. Evaluate your BYOD policy. There are already many entry points for cyber criminals to access sensitive patient information. Make sure your employees’ personal devices are not one.
  3. Treat EMR as a facility-wide adoption. The IT department has a heavy role in protecting EMR, but the medical facility is only as strong as its weakest link. Help create a culture of security at the facility.

What are some additional best practices for medical facilities to consider as they implement EMR? Let us know on Twitter, Facebook or LinkedIn.

Load More Posts