Archive for May, 2018

What are The Most Common Identity Theft Techniques

According to the FTC, the most common identity theft techniques normally relate to the fraudulent use of credit cards, and the opening of bank accounts or other types of financial accounts in someone else’s name.

These types of account are avenues to obtain fraudulent loans or credit, which are credited to the person whose identity has been stolen.

There are obviously other types of identity theft, but it is a relatively new form of crime, and is evolving in different ways, depending upon how people access information.

Credit Card Theft

Most credit card companies will now automatically reimburse anyone whose card has been used fraudulently, normally without any question or challenge.

This is not about them being Mister Nice Guy; it has been part of a calculated attempt to increase the growth and use of credit cards over the last 20 or 30 years.

Credit card fraud is not new; it has been going on since credit cards were first used. What is new is the scale of it, or the potential scale. Giving someone your credit card number, either over the phone or online, has become as commonplace as giving people your telephone number.

In addition, many companies who store your credit card details are at risk of being hacked, or of losing your information in some other way to an individual who should not have it.

Either way, many years ago credit card companies realised that in order to encourage people to use them they had to have almost a blanket policy of giving their customers total trust in them, and a big part of that was to write off any charges that were deemed to be fraudulent.

In addition, credit card companies go to extraordinary lengths to try and prevent credit card fraud, often through monitoring patterns of use and either blocking use of a card if they deem it to be fraudulent, or contacting the cardholder to check that their use of it is genuine.

Fraudulent Bank Accounts

Many people think of identity theft in this context, where someone’s identity has been stolen and a bank account or other type of financial account opened in their name. This certainly happens, but the scale of it is difficult to judge.

What is clear is that when it does happen it can be incredibly difficult to sort out. It can involve a huge amount of detailed forensic activity, in order to create an audit trail that can prove fraud has taken place.

Whilst many banks and financial institutions are often notoriously cautious when it comes to opening accounts and lending money, there are many who are not, particularly online.

In order to facilitate identity theft of this type, the criminal must have access to a certain amount of personal and financial information of the individual, and in truth the easier it is for someone to obtain this information, either online or in real life, the more at risk any individual is of having their identity stolen and used in criminal activity.

How do You Fix Identity Theft?

The very idea of identity theft either really scares people, or is dismissed as being a bit of a project fear campaign. This is often because of a misunderstanding of what the term identity theft can mean. It can mean wholesale theft of someone’s identity, or credit card fraud, tax fraud, child benefit fraud etc.

The first step in fixing identity theft is to stop any more fraud occurring once you have discovered that it has taken place. This is in part about damage limitation, but also making sure that you put a block on a continuing and recurring crime.

Fixing identity theft first of all depends upon identifying where the theft has occurred. This means clarifying which companies have been involved in terms of where your personal or financial details have been held, and notifying them that some type of fraud has occurred.

This means that once you have notified these companies they should be able to put a stop on your account, meaning that no new fraud activity should be allowed, and if it is you should not be held liable for it. This may also mean closing your accounts completely and opening new ones with new account numbers and names.

Fraud Alerts on Credit Reports

It is important to notify one of the three major credit bureaus, Experian, Equifax and TransUnion. Whichever one you contact, they will notify the other two. They can put a fraud alert on your credit report, which makes it much harder for anyone to open any type of account in your name.

FTC

If living in the US, notify the FTC, who have a specially dedicated website where identity theft can be reported and help sought and given. If living in Canada or any other country, check to see if the government has a national or federal system for registering cases of identity theft.

Most countries recognise that identity theft is quite often a national issue, and quite often an international issue, and have taken steps to make sure that as broad a range of help as possible is available.

Police

Many people will notify the local police department or law enforcement agency that a crime has been committed.

Some people do not bother as they think there is little that the police can do about it. However, as with any crime, notifying the relevant law enforcement agency is always a good idea. They have experience of all types of crime and may be able to offer practical advice, as well as being involved in helping to solve it in different ways.

The above steps are in many ways about trying to prevent further criminal activity once the case of an identity theft has been realised and recognised. The next step is to try and limit the damage that has already been done, and try to claim back compensation for crimes committed in the individual’s name.

New Accounts

Quite often identity theft is about someone’s identity having been stolen, and new bank or financial accounts opened in their name. These accounts are then used to obtain loans or credit on a fraudulent basis. The first step is to get these accounts closed. Identifying where these accounts are can sometimes be quite tricky, but it is important that this is done quickly.

Stress to the bank or financial institution that an identity theft has taken place, and that these accounts need to be frozen and closed. Obtain written confirmation by post or email that the bank or institution has complied with your request.

Removing Fraudulent Charges

Once the account has been identified as fraudulent, the next step is to have all charges on that account removed from your name. This means making sure the bank or financial institution has complied with your request, as above, to close the account, and in so doing removed all charges from your name.

This may sometimes be quite difficult to achieve. Depending upon whether it is a bank or credit card company or other type of financial institution, they may have committed a significant amount of money to this bogus account, and may be reluctant to simply write it off on the basis that you are saying it is a fraudulent account.

This is where identity theft can get complicated, as sometimes banks or credit card companies will take the attitude that it is possible you are simply trying to get out of repaying a loan or credit card by claiming identity theft. It can sometimes be quite a tortuous process to prove it.

Identity Theft Insurance

Many companies offer some type of identity theft insurance, either as a stand-alone policy, as part of a home insurance policy or as part of a crime prevention policy. The coverage under all these types of policy is normally fairly similar, and although clear as to what it is, is in many ways not that helpful.

The main type of insurance cover normally helps people by providing assistance in the areas mentioned above. This can be about contacting banks and financial institutions where fraud has occurred, notifying the main credit bureaus and liaising with various regulatory bodies and agencies where appropriate.

There is also quite often some type of credit monitoring service available, or made available for a certain period of time.

There is normally some type of financial indemnity that can relate to attorney fees with regard to legally unpicking some of the above areas.


Does Identity Theft Protection Work?

A number of companies offer identity theft protection services, some of them quite costly, and in truth offering protection that has some value but is fairly limited in reality if your identity has been stolen.

Firstly it is important to look at how much of a risk people are at in terms of having their identity stolen. Bureau of Justice statistics for 2014 estimate that some 7% of US residents were victims of identity theft in that year. By some measures that is quite a high estimate, but it is important to break it down into what it really means.

What is Identity Theft?

Many people have a view of identity theft that is quite dramatic, a view often fuelled by companies providing identity theft protection services. The reality is that for most people identity theft is a real possibility, and is more likely to be around theft of credit card numbers etc, as well as the risk of people opening bank accounts in someone else’s name.

There are a number of things people can do to protect themselves, especially in these two areas. It is also important to make a distinction between what people can do to protect themselves against identity theft happening, and the identity theft protection that some companies offer, which is more about dealing with the problem once it has happened.

The cover that these companies offer is normally to do with some type of credit monitoring after the theft has actually happened.

They also offer some type of power of attorney process that allows them to try and deal with the damage of identity theft in your name. Whilst this may in theory be of some benefit, mentally and emotionally handing your identity over to someone else again when it has been stolen may seem quite weird to some people.

Preventing Identity Theft

Whilst no one can guarantee that you can protect yourself against identity theft, there are a number of things you can do that can help.

Firstly make sure that your credit card company covers you for unauthorised use of the card.

Most credit card companies do nowadays. It has fuelled the use of credit cards both online and off-line for people to use for everyday purchases. What it means in reality is that if anyone uses your credit card number, however they have got it, the credit card company will automatically write off the loss and remove the charge from your account.

Most of the major credit card companies are pretty good in this area, and realise that it benefits consumer confidence hugely to know that they are automatically covered without dispute. It is worth checking however with your credit card company that this is their policy.

The other significant area of identity theft is people opening bank accounts and being able to obtain loans in someone else’s name. There are certain categories of people, in terms of age and income, who seem to be more at risk, and it is worth doing some research to see where current identity theft statistics are heading in that direction.

The most important area of prevention and protection lies in good old common sense. In order for someone to steal your identity they really need to have some unique information about you, such as your Social Security number, National Insurance number, passport number and photograph, driving licence number etc.

The best way you can protect this information is not to share it with anyone online, and make sure that all correspondence involving any sensitive information is sent and received by normal mail.

There is continual pressure to do everything online nowadays, especially by organisations such as banks which see it as a way of cutting costs considerably. Make sure that you keep the option of corresponding and doing business by normal mail, including things such as bank statements.

Whilst paper information can be accessed and hacked by criminals, that to some extent has always been the case. The best way to protect yourself is to make sure that information is not shared online, and make sure that all paper versions of it are shredded prior to disposal.

Home owners insurance

A number of homeowners insurance policies offer some type of identity theft protection either as an add-on or as an integral part of the policy. This to an extent can be a bit of window dressing, but can also include one or two useful features.

One of the most common is access to some type of free credit monitoring service which can alert you if there is suspicious activity regarding your account, or if something like a bank account is opened in your name.

What these policies offer should be seen in the context of what you yourself can do as well. For example, virtually everyone has a legal right to see their credit report at least once a year, in order to check it is accurate and have any mistakes rectified. This is a good way of seeing what information is held on you and by whom.

Some insurance policies also provide a degree of financial indemnity cover to help you pursue actions to recover your identity in the event of theft, including monies spent on attorney fees etc.


Rise Of Cyber Crime – Virtual Kidnapping

A Chinese student fled her Vancouver home in fear after online scammers threatened to harm her parents in China if she did not comply with their demands. Police say she’s one of three in the last month who have fallen prey to the extortion scheme.

All three victims and their families suffered financial loss in the so-called virtual kidnapping scheme, and the one who fled was eventually found in China.


Top Cyber Insurance Companies – Hiscox

Hiscox have managed to establish themselves relatively quickly as probably the market leader in cyber liability insurance, in part based on the policies they provide, in part on the resources and risk modelling they help with, and in part on the existing customer base which has a high focus on small business and various types of liability insurance.

All these areas are hugely important regarding cyber insurance. The scale of cyber security and related risks is almost so big that it is virtually impossible to comprehend. As such, as Warren Buffett recently pointed out, many insurance companies do not want to enter the market because it is so difficult to determine levels and cost of risk.

What Hiscox have done is essentially to build on that existing customer base, and the reputation they already have, to advance what is both an insurance policy in terms of financial indemnity, but also to provide a risk management process that actually deals with the realities of any data breach or cybercrime.

Hiscox Customer Base

While Hiscox may be active in many areas of insurance, one of their main areas of focus is on small businesses and related liability insurance. This focus brings together a significant number of what could be termed niche areas of business, but which all share common liability threats.

These liability threats could be around general business liability, public liability insurance, E and O insurance, product liability insurance, employers’ liability insurance etc. Whilst every business is different, they have a thread of similar needs that means these types of liability insurance can be both general and specific at the same time.

What this has allowed Hiscox to do is to develop specialist insurance policies that in fact can be targeted at very specific industries and professions.

This has given them a fairly unique access to understanding the needs of a variety of different trades and businesses, which they have been able to very successfully build on in understanding the needs that relate to cyber insurance, for every type and size of business and organisation.

Hiscox Cyber Insurance Policies

Cyber insurance policies can vary quite widely in terms of the level of coverage and the cost of accessing them. What Hiscox have done in terms of coverage is to provide what is pretty much a gold standard as to how a data breach claim should be dealt with.

This means that aside from any financial indemnity that the policy provides, the policy also provides a working incident response team, which can help manage both the immediate and longer term realities of what a data breach involves.

In practice this means that a Hiscox insurance policy will provide access to a team of selected individuals and companies who can manage a number of areas of the claim. This can include IT specialists, lawyers, PR companies, financial analysts etc.

The work of this team will revolve around dealing with and paying any ransom that may be demanded, restoring the integrity of an IT system, dealing with any reputational damage that the company or business may suffer and notifying and dealing with any regulatory bodies that may need to be notified of the breach.

The team should also include specialists who can forensically examine and come to understand the reasons for the data breach, and put in place systems to make sure it does not occur again once the integrity of the IT system has been restored.

The insurance policy should also provide some type of business interruption insurance until the IT system and the business itself is up and running again as per its normal practice.

In addition, the policy is likely to provide help for individuals whose information has been accessed unlawfully, such as providing access to credit monitoring systems in relation to identity theft.

Cyber Security and Risk Management

Hiscox offer a significant number of tools and resources to both potential customers, and signed up clients, which give them a significant amount of advice regarding risk management of cyber security. There are two particular reasons this is done.

One is simply that everything a company can do to reduce its risk exposure to a cyber security threat reduces the likelihood of a claim under its insurance policy. This should be good news for everyone in terms of reduced levels of claims exposure for the insurer, and hopefully reduced costs by way of premiums and deductibles for the company or business being insured.

The other reason is that it creates a level of trust around the insurer’s ability to understand the security risks and how best to deal with them.

Cyber insurance is a fairly new type of specific insurance policy, and part of its growth and appeal is the fact that insurers like Hiscox are very active in taking the lead to help companies understand the nature of cyber security risks, and how best they can be managed.

Many companies and businesses of all sizes are still to an extent in the dark on the reality of cyber security risks, either through complacency or lack of resources.

Providing risk management assistance allows Hiscox to gain a foothold on virtually any company’s radar, and to be able to build on it by way of providing cyber insurance policies if and when needed. It becomes a self-fulfilling loop that should in theory benefit both sides of the industry.

Cyber Insurance Cost Examples – Equifax

The data breach at Equifax sent shockwaves throughout the Internet, and throughout the financial community generally. This is in large part because of the huge amount of sensitive data that all credit rating agencies hold on individuals, and the fairly natural assumption that data is kept safe.

According to CNN, the breach involved the theft of personal data of approximately 145,000,000 people, and the theft was only revealed two months after it happened.

Whilst the delay in revealing the theft was not as long as that of Yahoo or some other companies, two months is still a huge time in terms of the risk of identity theft. With the breach of Equifax the risk of identity theft is probably as strong as it possibly could be, and any delay is potentially hugely important.

Equifax Data

All the main credit rating agencies potentially hold a huge amount of personal and financial information on millions of people worldwide. Their role is to provide an accurate assessment of an individual’s creditworthiness, that can give a valuable document to any bank or financial institution looking to lend them money or any type of credit.

Anyone applying for any type of credit or loan will have had their application assessed and determined on the basis of a credit score/credit report which will have been prepared by a company such as Equifax.

In preparing such a report, Equifax would collect a significant amount of data on an individual. Such information would normally include their name, their date of birth, address, their telephone number, their Social Security number or their social insurance number, their drivers license details, their passport and their current and previous employers.

They would also look at the individual’s credit history. This would include information relating to payment history of any credit loan or arrangement, the use of current available credit to them, the length of their credit history, the number of enquiries they have made regarding obtaining credit, and the type of credit they use most frequently.

Their financial history would also be looked at. This would involve obtaining information from public records regarding things such as bankruptcy. They would also look at their banking history regarding overdrafts, bounced checks and any closed accounts.

They will also look at things such as loans, mortgages, lines of credit, store cards and credit cards and worst of all payday loans.

Anyone looking at this type of report would realise pretty quickly that the amount of information held on an individual by a credit bureau is massive.

Not only in the size and scale of it, but in the scope that it provides for identity theft. The fact that there could be a breach to the extent that there was highlights the enormity of the type of centralisation of this information.

Equifax Breach Causes

According to CNN, Equifax blamed the breach on one single individual, advising Congress that this individual had subsequently been fired! It is perhaps more scary that a breach of this size and scale could have been effected by one individual.

Any cyber security policy that is meant to protect this type and scale of data has surely got to have some type of safeguards built in, so that no individual has either this type of responsibility or this type of power on their own.

Cyber Insurance Cost Examples – Yahoo Data Breach

Yahoo provides one of the best examples of the enormity and severity of what can happen with a data breach. Although a few years old, Yahoo suffered three data breaches which were only reported two or three years after they happened.

Estimates of accounts breached ranged from 500 million through to every single one of the accounts. The information that was lost or accessed included names, email addresses, telephone numbers, dates of birth, passwords and sometimes encrypted security questions and answers.

Someone at Yahoo tried to make the point that at least no credit cards or credit card numbers were accessed, but that is in many ways fairly irrelevant.

The importance of the Yahoo breach focuses on several areas.

Firstly is the issue of when and how Yahoo reported the breach.

Any delay in letting people know that the information has been accessed by someone who should not have a right to it increases the chance of that information being used for any criminal purpose such as identity theft.

Tracing and reporting and trying to undo identity theft is a hugely complex process. Anyone who has suffered it will tell of the enormous difficulties they face in trying to prove that they are not the person that someone else has said they are.

Identity Theft

Anyone trying to prove identity theft will find it difficult to prove where the other person got the information from, especially if it was two or three years previous.

Any company who experiences a data breach has a moral as well as normally a regulatory duty to disclose information to whoever has been affected by the breach as soon as possible. The danger is that any company is going to be afraid of the reputational damage that acknowledging such a breach is likely to cause.

This is one reason why most cyber insurance policies include some provision to pay for a PR company of some description to help manage the fallout and restore some type of reputational credibility.

Even if a company such as Yahoo is taken to task by any regulatory authority for not disclosing a breach earlier, in many ways the damage has already been done.

The other main issue that a data breach at companies such as Yahoo highlights, or perhaps the question it raises, is whether anyone is safe. This question is almost the most important one that can be asked.

It is not about Yahoo’s technology systems or their cyber governance policies. It is about the fact that Yahoo is one of the oldest and was one of the most respected technology companies since the foundation of the Internet, and if they can be breached and hacked to this extent then presumably anyone can.

The breach at Yahoo is not about whether they have the most secure IT systems. It is almost more about the credibility of the Internet, and a sense of whether or not a technology company of its stature should be able to be breached, and if it is, whether it has properly dealt with it.

What does Cyber Insurance Cost?

For many people, the cost of cyber insurance is about two distinct issues.

Firstly is the actual cost of insurance in cash terms, relative to the coverage provided and secondly is the question of whether it is worth having cyber insurance at all.

Any business or organisation needs to break the cost issue down into three specific areas.

Firstly is to decide what level of risk they believe that business is at. Secondly what they can do by way of cyber governance to reduce any risk and thirdly whether or not they need cyber insurance at all depending on what other types of business insurance they already have.

This is one area of insurance where it is well worth considering using an insurance broker, which will not increase a business’s cost at all, but can provide invaluable information both about cyber risk modelling, as well as cyber insurance policies and their costs.

In terms of cost in cash terms, like any type of insurance, it is very difficult to generalise. However reports by Reuters and others seem to suggest that rates have increased by anything from 30 to 50% over the last two or three years, that the size of deductibles has also increased and the amount of coverage has been significantly reduced.

Cost of a Data Breach

What can be more easily quantified is what a data breach can cost a company.

Reuters recently reported that a data breach at Merck cost its insurers around US$275 million. The cost to Target, the well-known retailer, of a data breach in 2013 was estimated to have been US$264 million.

Research by the Journal of Cyber Security in 2016 estimates the total cost of cyber events at approximately US$8.5 billion annually. They go on to suggest that the most common type of data breach is where customers’ credit card numbers and healthcare information have been compromised.

Any company or organisation holding this type of information is therefore more likely to be at risk, and be charged higher premiums. Their research also points to certain industries being most at risk, namely retail, information, manufacturing, finance and insurance.

Insurance premiums for these sectors of business are likely to be higher than others.

Cyber Liability Insurance Cost

Any insurance policy is about risk. An insurance company offering cyber insurance will look at a business or organisation, and try to assess the level of risk and then decide how much to charge for the coverage they are offering.

As Warren Buffett recently said, trying to assess the risks of cyber security is almost impossible, partially because it is such a relatively new area of insurance, and partially because it is inherently difficult to assess the level of risk.

There are however a number of major insurers offering cyber insurance, such as Hiscox, AIG, Travelers etc. Their assessment of risk will be focused on a number of areas including type of business, revenue, number of employees, cyber security governance etc.

Premiums do vary widely, and anecdotal evidence available suggests premiums can vary from US$500/600 a year up to US$100,00 a year and more. The insurance rates charged for the policy will largely be determined by the coverage limit of the policy, and what deductible is applied.

Cyber Attack Cost to Business

The second question is in a way easier to address, as it is normally focused either on the question of whether or not there is any risk, and if so if that risk is already covered by some type of E and O insurance, or a general business or liability insurance policy that the company or organisation already has.

Any business or organisation of any size is potentially open to a cyber attack or data breach. What they need to work out is what it would cost them if they had one, and below are some of the areas that would incur most of the cost.

Unsurprisingly, these are the areas of coverage that most cyber insurance policies provide, and in a way make it easier for a business to assess whether or not it needs to pay for a specific cyber insurance policy.

  • having to restore lost data
  • having to fix or replace any network system or software, including hardware, that has been damaged
  • dealing with the fallout in terms of reputational damage, and having to hire some type of PR company to help fix
  • offering to pay for any customers to have some type of credit monitoring system as a result of a breach
  • the cost of bringing in any outside experts necessary to investigate and possibly fix what caused the breach
  • potentially massive costs of lawsuits from customers/clients etc
  • any regulatory fines or penalties that may be imposed
  • loss of business due to inability to trade whilst network systems are being restored and investigated

Cyber Governance

Cyber Governance is a phrase given to the structure, policies and procedures that any business or organisation has in place (or does not) that reflects its understanding of and approach to dealing with cyber security.

The level of cyber governance will to a large extent be reflected in the cost of any cyber insurance policy, or any restrictions that the insurance company puts in place on such a policy.

A really good tip for any business or organisation is to get hold of a cyber insurance proposal form, such as that from Hiscox, which asks numerous very detailed and specific questions about a company’s approach to cyber security.

This tells you their thinking more than anything else. Their thinking reflects both the experience of cyber security, and their understanding of the best way to prevent any cyber attack.

Using any proposal form as a template for a company’s cyber governance plan is a good way to structure such an approach, and also a good way to realistically reduce the cost of any cyber insurance policy that may be taken out, either with Hiscox or any other insurance company.

How Smart Bandages could Change Healthcare

A wound dressing that detects the first signs of infection is more than just a Band-Aid solution for the University of Victoria researchers who developed it.

University of Victoria bioengineer Mohsen Akbari believes the “smart bandage” could transform wound care and help reduce chronic and deadly infections.

Akbari was lead investigator for a study on the “smart bandage” and associated app that was published Sept. 25 in the journal Advanced Healthcare Materials.

The study concluded that the combined pH-sensitive GelDerm wound dressing, which changes colour in the presence of bacteria, was as effective as comparable commercially available systems for detecting bacterial infections.

Taking back your Online Privacy

There’s a strong chance you’ve recently seen an email or pop-up box offering “some important updates” about the way a social media company or website plans to use your data. Are we about to regain control of our personal information?

In our increasingly connected world, data has come to be seen as something to buy and sell.

Businesses offer personalised goods and services to consumers, raising the possibility of data driving economic growth and even improving wellbeing.

Hacking Las Vegas

In what could have been the plot of a Hollywood heist movie, the hackers took great interest in the vast aquarium that a Las Vegas casino had installed in its lobby.

The casino’s owners thought that the huge fish tank was an impressive sight that helped create a classy ambience as people arrived.

What they failed to realise was that the aquarium was an easy way to break into the casino’s computer system, and the hackers pounced.
