Fight Identity Theft Blog

From a recent UC Berkeley report:

More than half of the internet’s top web sites use a little known capability of Adobe’s Flash plug-in to track users and store information about them, but only four of them mention the so-called Flash Cookies in their privacy policies.

Under the direction of Chris Hoofnagle of the Information Privacy Programs at the Berkeley Center for Law and Technology, the researchers discovered that most web users aren’t familiar with Flash cookies and that Flash web cookies can’t be controlled through the cookie privacy controls in a browser. Even more interesting was the use of Flash cookies to ‘re-spawn’ or bring back to life traditional browser cookies that had been deleted on customer computers. In the study even several federal government web sites were found to contain Flash cookie ID information. The federal government has a policy of banning the use of traditional browser cookies.

What’s all the fuss about? Internet web sites often attach browser ‘cookies’—small strings of identifying text and numbers—to your computer to help them keep track of you and your preferences when you visit their sites. In theory this is a useful connection between you and the web sites you visit. For instance, an online book vendor could store your customer preferences information to better help you find what you want and make it easier to make your purchases.

However, like many useful, good things on the web, browser cookies have turned out to be an avenue for identity thieves to find us and our personal information. A cookie that no one knows about and that is not controllable through our web browsers, and can be used to re-spawn traditional browser cookies—could be a useful avenue for identity thieves indeed.

Changing Flash Preferences

Removing Current Site Cookies

Turns out, Adobe has a Settings Manager on its site where you can control how Flash cookies are stored along with other things. If you right-click on a piece of Flash code in your browser you can select "Settings" and get to this special place. Or you can just click our handy link: Adobe Website Storage Settings Panel.

What you should be seeing is something like this:

Here you can see which cookies have been written to your computer along with the ability to DELETE all of them. That's something I would strongly consider. Remember, however, that there are some benefits with these cookies. If you frequent sites that use this technology (and many do) you will be deleting some of your settings with those sites and you may have to re-enter text each time you visit.

There is risk/reward with every choice you make in life...

Even if you decide to push the Delete all Sites button, you still have some work left.

Stopping New Sites from Writing Cookies

Even if you deleted the cookies that have already been written to your computer, you'll need to keep new cookies from being written as well. Luckily, Adobe has created a way to do that:

Adobe Global Storage Settings Panel

If everything goes according to plan, you should be seeing something that looks like this:

Here you can tell Flash not to store any cookies in the future. Just drag the slider over to "None" and select "Never Ask Again." That's it!

Flash Cookie Removal Tools

Here are some other tools if you want 3rd party help with managing or controlling Flash cookies:

Windows:

• Better Privacy extension for Firefox -
  https://addons.mozilla.org/en-US/firefox/addon/6623
• Ccleaner - http://www.ccleaner.com

Mac OS X:

• FlushApp - http://machacks.tv/2009/01/27/flushapp-flash-cookie-removal-tool-for-os-x/

Flash Cookie Storage Locations

You can always go to the directory where the cookies are stored and remove them manually. It's not a permanent solution - new cookies will get created in the future - but it works.

Windows:

LSO files are stored typically with a “.SOL” extension, within each user’s Application Data directory, under Macromedia\FlashPlayer\#SharedObjects.

Mac OS X:

For Web sites, ~/Library/Preferences/Macromedia/FlashPlayer. For AIR Applications, ~/Library/Preferences/[package name (ID)of your app] and ~/Library/Preferences/Macromedia/FlashPlayer/macromedia.com/Support/flashplayer/sys

GNU-Linux:

LSO files are stored in ~/.macromedia.

Wrap Up

Now you know about the mysterious and curiously difficult to remove Flash cookies. They are pervasive - even on government web sites - and won't be going away anytime soon.

Please post any follow-up questions or concerns below...

Lately I've received several "smishing" text messages on my phone and I finally captured the audio of a full phone interaction with their voice response system.

Audio of Smishing Call

Here is the audio from a smishing phone call I recorded. Listen closely to see how they use fear to manipulate the victim into providing information.

What is Smishing?

Well, someone somewhere comes up with these cute names for things and "smishing" is no different. It's a play on the term "phishing", and the "Sm" part comes from SMS, which is the technical name for text messages on cell phones (Short Message Service). Did that make sense? If not, here's a description from the fount of all knowledge - Wikipedia:

Similar to phishing, smishing uses cell phone text messages to deliver the "bait" to get you to divulge your personal information. The "hook" (the method used to actually "capture" your information) in the text message may be a web site URL, however it has become more common to see a phone number that connects to automated voice response system.

Scam Tactics 101

As you listened to the call, you should have noticed a few tactics scammers use to get your information:

• Sound Official - The call starts with "You have reached Credit Union's National Association online banking center." That doesn't even make sense, but it sounds good. Scammers will imitate real brands or sometimes use something pretty generic like this, but they're always going to try to look and sound official.
• Create Fear and a Sense of Urgency - It doesn't take long before they start to scare you with "Compromised accounts may ruin your credit, place you in debt with us or other financial institutions." They add "Failure to run this process will result in account suspension or financial penalties." My favorite attempt to scare you is when they threaten you with prosecution if you give inaccurate information - unbelievable.

What Do They Ask For?

In this call, they are trying to capture a credit card number, expiration date, PIN, and card security code. With this information they will attempt to make purchases online with your card, pull money from your account with an ATM, or possibly create a fake card containing your information.

How to Protect Yourself

It should be obvious to most people that these messages are scams. Unfortunately, the scammers just have to get a small percentage of people to fall for these messages to make it worth their time. Just like spam email, if a few people respond it will continue to be financially viable.

What complicates things a bit is some banks are now using text messages as a communication method for alerts or other information. In these alerts they'll often ask you to phone in to confirm a transaction or to alert you to a problem with your account.

If you're concerned at all about the origin of an alert, always call your bank directly using the phone number from a bank statement or official web site. Never call using the number provided in a text message.

Read more about about smishing tactics in this recent Yahoo article.

When Barack Obama famously refused to relinquish his treasured BlackBerry, he became the first president in American history to use email while in office. He will also be the first to have to worry about personal internet security.

The president's new BlackBerry is a special modified variation with top-notch encryption features—further details are not being shared with the media. Vice President Joe Biden and other key officials have also been given this most limited of limited edition devices.

But is it Really Hacker-Proof?

But famed hacker Kevin Mitnick says that despite its special security features, no BlackBerry is impossible to compromise. In an interview with Fox News, Mitnick said "It's a long shot, but it's possible. You'd probably need to be pretty sophisticated, but there's people out there who are."

According to Mitnick, who is credited with hacking Motorola, Nokia, Sun Microsystems, FBI, and Pentagon networks (among many others,) the best course of action for a hacker would probably be to infiltrate the personal computer of somebody close to Obama. Then, the hacker would have to use that person's identity to divert Obama to a compromised website that would upload malicious code onto the BlackBerry.

The Most Exclusive List in Washington

That's precisely why the president's security team is keeping his email address such a closely guarded secret. Obama will also have to frequently change his email address.

Who exactly has this address is unknown, but the number is believed to be considerably less than 50, with Biden, advisers David Axelrod and Valerie Jarrett, press secretary Robert Gibbs, and chief of staff Rahm Emanuel almost certainly at the top of the list. Beyond that, one can only guess: top supporter Oprah Winfrey, secretary of state Hillary Clinton, celebrity email buddy Scarlet Johanson, DNC chair Tim Kaine? One can only speculate.

If any of our readers are on the list, please let us know so we can send him our suggestions on the economy...

It May Be "Salami Slicing." It May Be Petty Theft.

The latest identity theft scheme doesn't aim to empty your debit account or charge you to the credit limit—not yet anyway. According to The Boston Globe, at least 800 credit and debit cardholders have reported finding tiny fraudulent charges on their statements in recent weeks.

The charges range from 21 to 48 cents, and are billed under at two phony business names: "Adele Services" and "GFDL."

The mysterious charges have lead to a range of speculation over the nature of the scam. Some think that the small charges are meant to test the validity of a registry of stolen credit card numbers which may have been resold by the original thieves. If the theory is correct, those whose cards have already been charged can probably expect to be targeted for much larger amounts down the line.

A Slice of Salami

A less likely theory parallels the scam attempted by the main characters in the movie "Office Space," which featured three disgruntled computer programmers who attempt to slowly embezzle money from their company, pennies at a time. The scheme is sometimes referred to as "salami slicing", but usually targets businesses or customers rather than an unconnected group of individuals.

If this theory holds, those who fail to notice that their accounts have been compromised will continue to be targeted for small amounts of money indefinitely. Most likely, the thieves would have to create new false companies with each wave of thefts.

Plan of Action

Regardless of the intent of the perpetrators, the course of action for those who notice small, unexpected charges on their debit and credit card statements is the same:

1. Report the charges to your bank or other financial institution.
2. Report your card stolen so that you can be issued a new credit card and credit card number.

As always, it's important for everyone to pick carefully through their statements each month (if not more frequently,) looking for charges they don't recognize. Whether a questionable charge is 1 cent, $1, or $100, it should always be treated as a potentially serious problem.