Business Security Information

The use of smartphones has led to a whole new set of security issues. Since there is no standard definition of a smartphone, for the purpose of this article and for future reference, I will refer to them as a mobile phone which provides advanced capabilities similar to those found on a personal computer.  These capabilities can include internet access, e-mail, downloadable applications and even e-book reading capabilities.  As time goes by, as with all technology, the capabilities of smartphones will increase and change just as they do for computers.

Well, we have had a good Thanksgiving meal, and most everyone has headed off to bed so it is now time for me to get down to writing this article.  Yesterday I received an e-mail from a friend stating she was out of the country visiting a friend that was ill.  Her friend was in need of surgery, and they were trying to recruit a surgeon from Israel and were in need of $2800 to pay for this necessary surgery.  First, I was suspicious that this was a fraudulent e-mail because I had just seen the person and knew that she had no plans of heading out of the country.  Secondly, the e-mail requested $2800 dollars which is a very small amount for a surgery, especially since the e-mail had an urgency about it leading the reader to believe that it may be a matter of life and death.  The return e-mail was also suspicious because the return address was a generic Yahoo e-mail address.

Crimeware is a form of of malware (malicious software) that is  used to attack your computer and/or network.  Crimeware is designed for one purpose which is to facilitate illegal or criminal activity.

This type of software is often used to commit identity theft.  Also, crimeware allows attackers to capture and export sensitive information which they can sell or use to exploit for some other type of financial gain.  Another common type of crimeware includes phishing kits that allow an attacker with little or no technical skill to launch a phishing attack.  This type of crimeware may include website development software, content for the site, and spamming software that will allow the attacker to send out mass e-mails to their phishing targets.

If you have not heard yet, the FTC (Federal Trade Commission) is changing the date they will start enforcing the Red Flags Rule.  The enforcement for this rule was to start last week on November 1, 2009, but has been delayed by the FTC until June 1, 2010.  This was announced by the FTC on Friday, October 30, 2009.

The Red Flags Rule is part of the Fair and Accurate Credit Transaction Act of 2003.  As discussed in my last article, “Complying with the Red Flags Rule”, businesses that are financial institutions or creditors must comply with the rule.  So, how do you know if this applies to you?  The definition of a financial institution is pretty straight forward and includes state or national banks, savings and loan associations, credit unions and any other institution that directly or indirectly holds a transaction account belonging to a consumer.  This transaction account is a deposit account or an account from which a consumer can make payments or transfers to third parties.  The definition of a creditor is a little more obscure.

When I was at my dentist’s the other day for my scheduled appointment, the receptionist asked me for my driver’s license and then made a copy of it.  Curious about why they did that and concerned about protecting my personal information, I asked them why they needed a copy of my driver’s license.  The lady explained that they were getting copies of all patient’s drivers’ licenses to comply with the FTC (Federal Trade Commission) Red Flags rule.  Now I knew some about the Red Flags rule, and it just did not seem necessary to make and store a copy of all your patients drivers’ licenses.  I discussed this issue with the dentist, who is also the owner of the practice, during my appointment, and I found out they were just going by information they had received as a member of the ADA (American Dental Association).  The dentist really did not know much about the Red Flags rule but was just following what he had received from the ADA because he was worried about getting in trouble from the FTC if they ever investigated his business.

Well, here is a new one on me.  I have to credit Tom Slovenski from www.cellularforensics.com with bringing this one to my attention.  The term Smishing was a term I had not heard used before.  Smishing is basically a phishing attack using cell phone text messages.  The term is derived from SMS technology used in text messaging and the term phishing.

What are Insiders?

I have read a number of articles related to the security issue of insider threats over the past month or two and thought it would be a good idea to cover that issue in one of my posts.  First, what is an insider–just an employee or more than that?  Insiders are more than just employees or staff and can include consultants, vendors, contractors, service providers and other that you deal with on a regular basis.  Insiders are dangerous because in your dealings with them, you have  probably given them access to your company’s network and/or business facilities.  This opens you up to all kinds of threats.

Vishing

Basically a form of social engineering where the criminal uses the telephone network to scam people.  The criminal uses this technique to get information or money from those they contact by pretending to be a legitimate business, usually using a technique called “Caller ID Spoofing.”  The term vishing comes from the two words voice and phishing.  You can read more about phishing in a previous article I wrote.

Vishing attacks are currently being used to steal credit card numbers, personal information or to sell bogus products.  Vishing attacks are also being combined with phishing, which is an e-mailed type scam.

I have another life story today to make a point about the use of Social Security Numbers as personal identifiers. Over the past two weeks, my wife and I have had the need to talk to our mortgage company, a dentist, a doctor for one of our kids, our phone company and, of course, our health insurance company.  When talking to each one of them, they either asked for my social security number or wanted to have the last four digits of my social security number.  Some asked to verify my identity, and others asked because they said it was necessary for insurance purposes.  These situations got me thinking about why businesses are using social security numbers as personal identifiers.  Then, it got me thinking about why all these different types of business have or want my social security number.