Technology

So you received a data breach notification in the mail… no big deal, right? Not according to Javelin Strategy & Research’s latest report. In fact, Javelin’s latest research reveals you are four times more likely to suffer identity fraud if you’ve received a data breach notification within the past year.

The average fraud victim will spend 30 hours and $496 out-of-pocket costs to restore their affairs, merchants and financial providers will spend billions to protect systems and brands, and law enforcement will work hard to chase the bad guys.

Many states around the country are enacting laws requiring entities that have experienced data security breaches to notify affected individuals whose personal information may be at risk. However, there seems to be a disconnect between breach notifications and consumer awareness of the risk they bring.

Why You Should Take Notice

• During each of the past three years, an average of 11% of consumers received a breach notification.
• Of these consumer breach victims, more than 33% experienced exposure of their Social Security numbers and 15% had their ATM PINs compromised.
• Despite 19.5% of breach victims suffering some kind of fraud in the past year, only 2% attribute their fraud to the breach.

Come On, Do I Really Need To Worry About This?

It might be a good idea considering the Identity Theft Resource Center has already tracked 356 data breaches so far this year. Forty-six of those breaches have involved financial institutions, and when they or their third-party service providers are breached, it’s nasty.

Take for example the Heartland Payment Systems breach earlier this year. The result of this breach was a staggering compromise of 130 million credit and debit cards. Now that’s a lot of Visa cards…yikes!

What You Can Do?

There is very little we can do to avoid data breaches, however there are steps that we can take to better prepare ourselves for the next time that breach notification shows up in the mailbox:

• If you get a data breach notification, don’t dismiss it. "Data breach notifications are intended to help consumers take protective action," said Mary Monahan, Javelin Managing Partner & Research Director.
• Obtain credit monitoring services. Most companies will provide this free of charge in the event of a security breach, so take them up on it. You may also consider employing a more complete credit monitoring service or even initiating a credit freeze.
• Limit the amount of sensitive data you give out online or over the telephone. If the requested information has nothing to do with the transaction you’re making, don’t provide it. For more on this, read our article about becoming a "privacy grouch."
• Avoid or be cautious using wireless devices, “convenience cards”, credit cards or unfamiliar online transaction sites.

Lastly, remember the words of the orator, Robert Green Ingersoll when he said:

“It is a thousand times better to have common sense without education than to have education without common sense.”

July 2009 not only brought the hopes of fun summer activities, but it also brought the new vicious Trojan virus called Clampi. Clampi is a newly sophisticated virus designed to attack online banking systems. And unlike most Trojan viruses this virus can be picked up from trusted sites like blogs, online magazines, search engines and mainstream news websites, not just gambling and pornography sites. It also is only designed to attack computers running the Microsoft Windows operating system. So Mac users are safe from Clampi, for now.

Currently, Clampi is tracking over 4,500 financial websites. Most Trojan viruses usually track 30-40 sites at a time. Clampi is designed to watch: banks, credit card companies, e-mails, retail sites, utilities, online casinos, wire transfer services, share brokerages, government sites and mortgage lenders. Clampi is also not just limited to the United States. It has been found attacking in the United States, Britain and other English speaking countries.

How Clampi Operates

Once Clampi has been picked up it settles into your computer and waits.  What does it wait for? It waits for the user to log on to a bank account, credit card or some other financial website. Once the login information is entered, Clampi grabs it and shoots it to the cyber criminal's computer. From there the criminal uses the information to fulfill their desires. Whether it is taking money from a bank account, using a credit card to make purchases or reek whatever havoc they may. 

What Clampi Can Do

Maybe you're thinking that this can't happen to you and maybe it won't. But it has been reported that through the use of Clampi criminals have stolen $75k from a car parts company in Georgia, $30k from a non-profit childcare organization in Seattle, $480k from an online city bank account, $150k from a public school district in Oklahoma, $350k from a Chicago-are school district and $700k from the Western Beaver School District in Pennsylvania. There have also been reports of companies losing anywhere from $10k to $500k because of this one virus. There is really no telling how many people have been victims of the Clampi virus.

What You Can Do

The most important thing you can do is to be proactive about protecting yourself from getting Clampi. Here are some ways to be proactive:

• Protect your computer with security software. It should be a natural part of being online. Make sure that you have the most current version of your anitvirus software and download any necessary patches to keep it current.
• Avoid clicking on suspicious links on blogs, e-mails and social networking sites. If you are not sure that it can be trusted, then don't go there.
• Don't use e-commerce sites that you are not familiar with and use a credit card instead of a debit card when making online purchases.
• Use caution when using a wi-fi network - especially one outside your home, like at an airport or coffe shop. Don't access financial web sites when using wifi in these kinds of locations. Make sure that your connection is password protected so that others cannot hack into your connection. Use WPA2 (or stronger) encryption and strong passwords when setting up your wireless network at home.

Do You or Your Friends Take Facebook Quizzes?

Have you ever taken one of those ridiculous and inane quizzes on Facebook that tell you which color you are ("I'm Orange! Now what do I do?"), which Harry Potter character you are (see above), or which superhero your dog resembles?

Maybe you hate these quizzes and avoid them completely, but do your friends on Facebook take them? If so, all your private info is likely being shared with the quiz developers - whoever they may be. This access to your personal information has alarmed many groups, including the ACLU. Here is a warning from the ACLU of Northern California:

Even if your Facebook profile is “private,” when you take a quiz, an unknown quiz developer could be accessing almost everything in your profile: your religion, sexual orientation, political affiliation, pictures, and groups. Facebook quizzes also have access to most of the info on your friends’ profiles. This means that if your friend takes a quiz, they could be giving away your personal information too.

The ACLU of Northern California has heard from thousands of concerned internet consumers using the popular social networking software, Facebook, about privacy issues. The ACLU went digging and found there is good reason for concern: as it stands, quiz developers have access to just about everything in your profile and postings and those of your Facebook Friends.

Here are a series of screenshots where we show exactly what happens when you take a quiz or run other applications on Facebook:

Asking for Permission - For You and Your Friends

As you can see, Facebook tells you specifically that it will let the application developer "... pull your profile information, photos, your friends' info, and other content that it requires to work.

This is the privacy problem. Your friends are agreeing to share your information without your knowledge or consent. Not good.

Exactly What is Shared?

These, I believe, are the default privacy settings for applications. As you can see, you or your friend are agreeing to share a lot of personal information with a completely unknown party.

The ACLU Creates Its Own Quiz

Even if you are careful about your privacy settings in Facebook, quiz developers probably will be able to access your profile and your postings through the accounts of your Facebook Friends. To drive the point home the ACLU created their own short, instructional Facebook quiz. (And no, according to their privacy policy, the ACLU will not collect or sell your information from their Facebook quiz.) Even though I was expecting some kind of revelation it was a bit creepy to suddenly see my Facebook profile information and photos start scrolling on the screen.

What You Can Do

• Be aware that fraudsters dig through Facebook and other social networking sites looking for information to about you. Creating quizzes - any lame quiz appears to spread rapidly across Facebook - are one of the simplest methods they have to collect data.
• Adjust your Facebook privacy settings to project yourself. From the Facebook menu bar choose Settings > Privacy Settings > Applications > Settings. You should see a screen similar to the screenshot earlier in the article. Deselect anything you don't want shared without your permission (I'd suggest deselecting everything).
• Choose your Friends wisely. Many people are excited at the possibility of gathering hundreds if not thousands of Facebook Friends—many of whom are friends of friends instead of people they actually know. Anyone you accept as a Facebook Friend will be able to view your profile and postings unless you say otherwise.
• Sign the ACLU’s petition urging Facebook to tighten up their privacy policies.
• Say ‘no’ to those playful/stupid Facebook quizzes - and any Facebook applications.

More on this story from the San Jose Mercury News.

From a recent UC Berkeley report:

More than half of the internet’s top web sites use a little known capability of Adobe’s Flash plug-in to track users and store information about them, but only four of them mention the so-called Flash Cookies in their privacy policies.

Under the direction of Chris Hoofnagle of the Information Privacy Programs at the Berkeley Center for Law and Technology, the researchers discovered that most web users aren’t familiar with Flash cookies and that Flash web cookies can’t be controlled through the cookie privacy controls in a browser. Even more interesting was the use of Flash cookies to ‘re-spawn’ or bring back to life traditional browser cookies that had been deleted on customer computers. In the study even several federal government web sites were found to contain Flash cookie ID information. The federal government has a policy of banning the use of traditional browser cookies.

What’s all the fuss about? Internet web sites often attach browser ‘cookies’—small strings of identifying text and numbers—to your computer to help them keep track of you and your preferences when you visit their sites. In theory this is a useful connection between you and the web sites you visit. For instance, an online book vendor could store your customer preferences information to better help you find what you want and make it easier to make your purchases.

However, like many useful, good things on the web, browser cookies have turned out to be an avenue for identity thieves to find us and our personal information. A cookie that no one knows about and that is not controllable through our web browsers, and can be used to re-spawn traditional browser cookies—could be a useful avenue for identity thieves indeed.

Changing Flash Preferences

Removing Current Site Cookies

Turns out, Adobe has a Settings Manager on its site where you can control how Flash cookies are stored along with other things. If you right-click on a piece of Flash code in your browser you can select "Settings" and get to this special place. Or you can just click our handy link: Adobe Website Storage Settings Panel.

What you should be seeing is something like this:

Here you can see which cookies have been written to your computer along with the ability to DELETE all of them. That's something I would strongly consider. Remember, however, that there are some benefits with these cookies. If you frequent sites that use this technology (and many do) you will be deleting some of your settings with those sites and you may have to re-enter text each time you visit.

There is risk/reward with every choice you make in life...

Even if you decide to push the Delete all Sites button, you still have some work left.

Stopping New Sites from Writing Cookies

Even if you deleted the cookies that have already been written to your computer, you'll need to keep new cookies from being written as well. Luckily, Adobe has created a way to do that:

Adobe Global Storage Settings Panel

If everything goes according to plan, you should be seeing something that looks like this:

Here you can tell Flash not to store any cookies in the future. Just drag the slider over to "None" and select "Never Ask Again." That's it!

Flash Cookie Removal Tools

Here are some other tools if you want 3rd party help with managing or controlling Flash cookies:

Windows:

• Better Privacy extension for Firefox -
  https://addons.mozilla.org/en-US/firefox/addon/6623
• Ccleaner - http://www.ccleaner.com

Mac OS X:

• FlushApp - http://machacks.tv/2009/01/27/flushapp-flash-cookie-removal-tool-for-os-x/

Flash Cookie Storage Locations

You can always go to the directory where the cookies are stored and remove them manually. It's not a permanent solution - new cookies will get created in the future - but it works.

Windows:

LSO files are stored typically with a “.SOL” extension, within each user’s Application Data directory, under Macromedia\FlashPlayer\#SharedObjects.

Mac OS X:

For Web sites, ~/Library/Preferences/Macromedia/FlashPlayer. For AIR Applications, ~/Library/Preferences/[package name (ID)of your app] and ~/Library/Preferences/Macromedia/FlashPlayer/macromedia.com/Support/flashplayer/sys

GNU-Linux:

LSO files are stored in ~/.macromedia.

Wrap Up

Now you know about the mysterious and curiously difficult to remove Flash cookies. They are pervasive - even on government web sites - and won't be going away anytime soon.

Please post any follow-up questions or concerns below...