Image via Wikipedia
Post from Sophosh by Graham Cluley.
A number of Facebook users have reported to us receiving mysterious messages, seemingly from Facebook’s security team, telling them that their accounts have been suspended.
The spam messages, however, are not legitimate.
In reality they have been sent out by fraudsters posing as Facebook’s real security team, with the intention of phishing credentials from unsuspecting users.
Image via Wikipedia
Have you received an email from Twitter saying that your account has been suspended? Did they ask you to re-verify your account by giving your details to a business partner?
Well, stop right there – and don’t do what the email says, because it’s a scam designed to steal your personal information and make money for fraudsters.
Naked Security reader Bayani was the first of our readers to send us a tip and tell us that they had been on the receiving-end of this particular spam campaign – but it looks as though it has been distributed quite widely via email.
Image via Wikipedia
Computer hackers have an ability to cause chaos by using personal data that they have stolen. But the theft can be prevented if people are careful with their information.
Personal finance expert Carmen Wong Ulrich shared advice during a talk on ‘The Early Show on Saturday Morning’ on how to protect personal information and what to do when hackers get their hands on it.
“The first line of defense is always your passwords, and the information on your computer,” CBS News quoted Ulrich as telling co-anchor Betty Nguyen.
“Make sure you go right to your computer, change your log-in information and password information on everything from your credit card accounts to where you shop through retailers and your email, as well because, as we saw-Google and Yahoo – the hackers are coming in from everywhere,” she said.
Ulrich, author of ‘The Real Cost of Living’, said almost three-quarters of us use the same password on several accounts.
“Please stop doing that! Protect the banking part as much as you can, because the hackers will come in from the company side. But they’re coming in on your side, too,” she implored.
“Also, use one computer, if you can, to do your banking. I know it’s hard (with everyone using so many different devices). Try to do it all on one computer. That limits exposure.
“And, never, ever do banking or do transactions online on an open Wi-Fi. It’s very tempting because it’s so easy. You could be sitting in a coffee shop or the airport or wherever you are. Squatters will sit there and scour that Wi-Fi. So definitely don’t do that.
“And don’t use your debit card online. This runs counter (to conventional wisdom), because credit cards, people say, are bad. But a credit card protects you and your cash.
“Of course, there’s (a) liability (limit) with your debit card. But who wants their accounts emptied of cash? Instead, use your credit card online, so at least you don’t expose yourself, cash-wise,” she stated.
Source :- http://in.finance.yahoo.com
Image via Wikipedia
Following up on yesterday’s post outlining the proposed changes to RICO and the Computer Fraud and Abuse Act, today I will dissect the White House’s proposal for the National Data Breach Notification Act.
Currently 47 states have data breach notification laws with varying rules and requirements. This makes it very difficult for national and multinational organizations to understand when they must report lost or stolen data and how they must report it. The idea of a national law in the US has been debated for a couple of years now, and this proposal seems to strike a nice balance.
First, the definition of Personally Identifiable Information, or PII:
The new rules would apply to any business possessing the PII of 10,000 or more individuals in a 12-month period. They would supersede any existing state laws, creating one unified national standard.
Organizations discovering lost or stolen PII would have 60 days to notify affected customers unless law enforcement or national security concerns intervene. If there are extenuating circumstances, organizations can provide proof to the Federal Trade Commission (FTC) that they require up to an additional 30 days.
The proposal includes a “safe harbor” provision when measures are in place to protect data (encryption). Organizations must still report the data loss to the FTC within 45 days, including a professional risk assessment, logs of access to the data and a complete list of users who had access to the protected data.
If data is determined to be properly protected and evidence is submitted on time, individual notifications would be unnecessary. Financial institutions who only lose account numbers are also exempt if other protective measures are in place to prevent fraud.
After a data loss incident, organizations would be required to notify individuals by letter, phone or email.
Notices would include what information was compromised and a toll-free number to contact the company responsible to obtain more information. If a third party lost the data, the notice must include the name of the original collector (direct business relationship) of the PII.
States may pass laws requiring notifications to include information about identity theft/fraud prevention.
When more than 5,000 victims are involved, organizations would be required to do the following:
Businesses would be required to notify the Department of Homeland Security for law enforcement purposes when any of the following are true:
Notice to DHS must occur 72 hours before individual notices are served, or 10 days after discovery of the incident, whichever comes first.
The proposed rules would be enforced by the FTC after consultation with the US Attorney General to ensure there is no interference with ongoing criminal investigations. State Attorneys General would also be able to enforce the rules within their jurisdiction after notifying the FTC.
Penalties for non-compliance would be $1000 per person affected per day, for a maximum of $1 million. There would not be a maximum penalty if it is determined the non-compliance was willful or intentional.
Organizations that are required to comply with HIPAA or HITECH data protection laws are exempt from this legislation.
It appears the Obama Administration and Howard Schmidt, the President’s Cyber-Security Coordinator, have taken careful notes from the different laws passed by individual states. This proposal is a great start to making data security a priority and contains provisions to make adjustments after implementation.
Why not download the “The State of Data Security” report we published today? It covers the most prominent data loss incidents and details the actions you can take to prevent you from being the next company to have to notify your customers.
Source :- http://nakedsecurity.sophos.com
