In the meantime, the FBI recommends that you use the “wiggle test” at ATMs and gas pumps. ATM skimmers are glued onto the front of the existing machine. If something looks even slightly out of place or sticks up from the face of the machine, give it a good yank. If it feels loose (or worse, something comes off), immediately report it to the merchant. And if it just looks suspicious, well, take your business somewhere else.

A quick refresher: An ATM skimmer is a device glued on the front of an ATM machine or gas station card reader that records the magnetic information off your card as it passes the card through to the real reader. Some of these devices are quite thin and can look just like the original equipment. Many are also rigged with hidden cameras which record your fingers as you key in your PIN. Snopes has a good set of pictures, as does CSOonline.

Look carefully at the machine before swiping your debit card. If you see any signs of tampering, loose components, mismatched colors or anything else that makes you suspicious, go to a different machine.

And as always, leave your debit card at home whenever possible. Credit cards carry better legal protections if/when they get exploited.

One version of the scare article can be found here. The story goes that digital copiers contain hard-drives and the hard-drives store copies of all the documents being copied. When the copier is sold or thrown away, all the documents copied on it are visible to any hacker and the information on it can be used for identity theft.

Like any good urban legend, there is a kernel of truth to the story but the dangers are overstated. Let’s take the elements in turn:

• Digital copiers contain hard-drives – True.
• The hard-drive keeps a copy of the documents being copied – True.
• The hard-drive keeps copies of all the documents copied – False. The scanned images are big and the copier hard-drives are as small as the manufacturer can feasibly make them. They have to be to control costs. So, yes there are images on the hard-drive but they get overwritten on a regular basis. A high-use copier might have documents a few days old but not much older.
• The images remain visible to the new owner of the copier – Maybe. If your company’s IT department is even half-way on the ball, they keep track of copiers so they can keep the operating system patched. They will also have a decommissioning process that wipes the hard-drive before selling, donating or throwing it away.

So the lessons from this story are:

1. If your company does not keep copiers on their IT asset list, they should. (Though they should primarily because of the risk of an unpatched OS.)
2. If you don’t have an IT shop, run a few dozen pages of non-sensitive garbage through your copier before you sell it or throw it away. Pages from the phone book or pictures of your cat would do. Anything to fill up the drive and overwrite the older files.

Unless you are protecting DoD nuclear secrets, I wouldn’t worry more than that about copiers.

Update: This post got picked up by CFO Magazine as part of their Risk Management series. You can read their article here.

Note: For best results with the “poor man’s disk wipe”, set your copier to it’s highest resolution, in color, and run a stack of stuff through as fast as the copier will take it. It still won’t stop a hacker with a forensics lab but it will frustrate the 13 year old who pulls the drive out of the trash.

Unfortunately, the statistics still show that we do fall for these scams at an appalling rate. Ironically, this one will probably do better than average because it alleges to offer compensation for being the victim of a prior scam. Clearly, the scammers are thinking that if you fell for the earlier scam (and with a massive spam blast, they’re sure to get some), you might be emotionally vested enough to want revenge and won’t look at the details in this “offer”.

Never reply to a spammer. And please do everything you can to help teach your co-workers, family members and friends how to avoid these scams. If it sounds too good to be true, it is.

In this Candid Camera Prank attack, someone posts fake video message on your profile page showing a woman on a bicycle in a short skirt. Clicking the movie thumbnail does not display the video but instead takes you to a Facebook application that tries to get you to download a “video player” which is really the old Hotbar adware. If you do fall for it, not only are you flooded with spam and other junk but your Facebook account is now used to spread the infection to your friends.

The interesting thing about putting the two articles together is that the hackers are no longer just trying to attack your computer directly. Sure, many still use old-fashioned scripts and viruses that try to directly attack your computer. But more and more have largely moved their attacks to social media. Their attacks depend more on you to fall for a trick, giving them an inlet to your network. Facebook, MySpace and other social media sites are very powerful and important tools but the same things that make them valuable to you also make them easy avenues to use for attacks against you.

Having a good anti-virus program and keeping it up to date is still vitally important. Even though the ratio is down, there are still hundreds of attacks against the average computer every day. But for the new attacks, vigilence and paranoia are the word of the day. No matter how good your technical defenses are, you can not rely on them alone.

If something looks too good to be true, it probably is. Trust your suspicions.

Sadly the answer is “yes”, these scams do still work. The FBI continues to report hundreds of millions of dollars in losses to these frauds each year. Some are this blatant but some are quite a bit more subtle. Variant scams target non-profits. One recent wave alleged that the charity was the beneficiary in an unnamed donor’s will. A surprising number of charities let blind hope get in the way of common sense. Wikipedia has an extensive list of the variants.

So what can you do about it? Some people retaliate. There are whole organizations dedicated to wasting the scammers’ time. They respond with equally false stories about how they are “excited to be notified about the windfall” but because of a religious tenet, need a picture of you (the scammer) “in white robes balancing a loaf of bread on your head while holding a fish under each arm” before they can send the money. Here is one group that collects and publishes the ‘trophy’ pictures of scammed scammers.

While it’s emotionally satisfying to think about retaliation, I strongly recommend that you just delete them. I also encourage you to think about friends and family who might not be as aware of these scams as you are. Do you have a dependent elder who is more trusting than he/she should be? Do you have a friend or co-worker who is a great person but a bit gullible? Send them copies of these scams so they learn what to look for. Help them to set up the spam filters and other computer protections. These scams are amazingly profitiable. They will continue as long as we continue to fall for them.

Some background: The broader name for this kind of scam is the “advance-fee fraud”. Following the collapse of Nigerian economy in the 1980s, a large portion of the educated and computer-savvy population were unable to find gainful employment and turned their skills to crime in order to feed their families. The preponderance of such scam emails coming from Nigeria’s 419 area code led to the current name even though the same scam has also been found originating from England, Spain, Ireland, USA, Canada, The Netherlands, Australia, etc. An older version of this scam was carried out by regular mail in the early 1900s under the Spanish Prisoner name.

Why are they doing it? Because it works. Hacking, phishing and identity theft make money and lots of it. Don’t let yourself become a victim.

At the same time, the quality of the scams is dramatically better than in years past. Fraudulent “advertising” sites look just like the real sites. They pepper their pages with trusted financial, TV and/or newspaper brands to give the impression of legitimacy. Some even include encryption to give a greater appearance of legitimacy.

There is also a new trend to use social media to find and con victims. Just because it looks like a blog, if the author is bragging about how much money they got and has a link to a “home business kit”, it’s still a scam. Beware of any offer that asks you for personal information up front.

MarkMonitor also reports a huge increase in suspicious domain registrations, especially domains including the keywords “foreclosure”, “mortgage”, “refinance” and “unemployed”. These keywords are being combined with legitimate company names or domains to create fraudulent clone sites. And while most phishes are still targetted against large companies, an ever-increasing number are exploiting the trust and brand of small businesses. (This is especially true if your legitimate site accepts payments over the web. Payment services frauds are up 285 percent over last year.)

Be on the the watch for scams. And help your customers watch, too. In this economy, you have a right to be a little bit paranoid about offers that look too good to be true.

To read more, download MarkMonitor’s whitepaper on “brandjacking” at markmonitor.com.

That’s not to say that our employees are malicious – most are basically good people. But you didn’t hire them to be security experts. The care and justifiable suspicion needed to detect and deflect data breaches do not come naturally to most people. They need constant reminding of the importance of security and of the tactics to protect your customers’ data.

According to the Ponemon report, here are the top risks your staff take with your data.

Not protecting personal equipment. Stolen laptops and other portable media accounted 20% of all reported breaches. Make sure that your team understands that they are personally responsible for the device and the data on it.
You can also reduce your exposure to lost equipment through whole-harddrive encryption or by restricting or segmenting the data on the laptop such that customer names can not be tied to identifiers such as SSN or credit card number.

Trusting insiders too much. While most people are basically good, every company has it’s share of disgruntled staff. Insider theft is relatively rare but tends to be very severe when it happens. Pay attention to changes in behavior or attitude. Most insiders showed clear signs of their dissatisfaction well before beginning their crimes. Watch for unusually heavy uses of your databases or other information systems.
Minimize your exposure by setting role-based permissions for your team members based on their business need to the application or data. If they need it for their job, great – if not, take it away. That’s less risk for both of you.

Bypassing your security controls in the name of efficiency. The next largest category of breaches are the result of well-meaning insiders who are trying to improve the company but who don’t understand the implications of the change they are making. The store manager at TJ Maxx who installed his own wireless router is a classic example. He thought he was increasing the flexibility of his operations. His poor security configuration, however, exposed the company’s entire network to any hacker with a wireless laptop in the parking lot.
Never let anyone but your designated IT staff install equipment or make changes to your systems. And have their changes regularly tested.

Bypassing your security controls in the mistaken belief that it’s their computer. It’s not. It’s the company’s computer. Have a firm policy that they can not install peer-to-peer or other high risk software on the computer. Incidental personal use may be okay. Installing software is not.

Not watching your vendors as closely as you watch yourselves. According to the study, you should be watching your vendors far more closely. Breaches by outsourcers, contractors, consultants and business partners accounted for 44% of all breaches reported in 2008. Statistically, they were also more expensive, costing the company 35% more in direct and indirect costs than an equivalent breach of the company’s own systems. Vet your vendors carefully and set clear expectations on your security needs. Then follow up and check on their security practices. Conduct your own audits and ensure their compliance.

There’s a lot more in the Ponemon study worth reading. This is their fourth annual study of the costs of a data breach and the trends are enlightening. You can download a copy at encryptionreports.com.

That didn’t stop the lawsuits, though. Five groups alleging to represent the affected veterans filed suit asking for $1000 per person.

After three years in court, the VA agreed to pay $20 million into a fund which will pay out $75 to $1500 to any veteran who can “show harm from the data theft”. Any money left over will go to “veterans’ charities agreed to by the parties”. The judge still has to approve the settlement at this point that appears to be a formality.

The kicker here is that the veteran must show harm. Since the laptop was recovered intact and no data was compromised, I don’t see how anyone can make that claim in good faith. Maybe some people overreacted and canceled credit cards or paid for unnecessary monitoring services but I don’t see how that counts as harm. I didn’t cancel my credit cards when I got my notice from the VA. I don’t see why my tax dollars should pay for their overreaction. The payout is also available to anyone who “found themselves in extreme emotional distress” as a result of the breach. Again, this is a claim that I don’t see how anyone can make in good faith.

The only people who I see making money from this are the lawyers. I haven’t seen anything definitive yet on their take but one unofficial report estimates it at $5.5 million. Regardless of the amount, it’s going to come from your tax dollars.

This breach should never have occurred. But it did and the people responsible have already been fired. So were lots of other people at the VA. Congress held intrusive hearings and policies have been rewritten. For a non-breach, this breach has already been expensive enough. The settlement closes out the VA’s legal liability and admittedly, $20 million is less than the $25 billion that the suit originally sought but I just can’t convince myself that this outcome will be best for society.