Cybercrime Expert Insights and Tips: Q&A With Justin Feffer

You probably know cybersecurity is a marathon, not a sprint. Law enforcement officials log the big miles. Fortunately, more and more consumers are joining the race.

We talked to Sgt. Justin Feffer, a Los Angeles-based law enforcement officer and cybercrimes investigator, to bring us up to date about cyber threats and what you can do to help protect against them.

Here’s what he had to say.

5 cybercrime questions answered
What does the future of cybercrime and security look like for people afraid of having their information stolen?

Unfortunately, the future looks very similar to our present. I have 14 years of experience dedicated to combatting cybercrime. I still see the same fundamental security flaws contributing to the theft of our most sensitive data. I don’t see the situation improving.

What should internet users be aware of when it comes to protecting their online information long-term? (e.g., cloud storage, permanent email addresses, etc.)

Be sure to do the due diligence needed to pick the right solution. There is very good literature available, including white papers and reviews by researchers and journalists with proven reputations. Don’t pick a solution based upon an ad—particularly a pop-up ad!

Consult with experts who are familiar with the technology you are considering. Most importantly, make sure that the solution you pick has robust security features including multi-factor authentication.

In your opinion, what are the most common cybercrimes that are the easiest to help prevent?

Business email compromise (BEC) and hacked accounts, due to the theft of stolen passwords, are the two most common and easiest cyber-crimes to prevent.

BEC attacks involve the use of targeted emails asking the victim to wire funds for a fraudulent transaction. BEC works because the victim believes the email with the instruction is from someone with authority.

In the most typical attack, the suspect poses as the CEO of the company and sends an urgent email directing the accounts payable manager to pay an invoice via wire transfer by the end of the day. The invoice is fraudulent, and the suspect steals all of the funds sent via the wire transfer.

Businesses must adopt policies prohibiting wire transfers to unfamiliar accounts based upon emailed instructions.

Accounts are most commonly hacked by suspects who use phishing emails to trick the victims into divulging their account passwords. The password phishing attack usually attempts to induce victims to click on a link crafted by the attacker.

These attacks convey a sense of urgency—warning the victim that unless they perform the requested action they will be locked out of their account or otherwise suffer some adverse result. Victims that click on the link are taken to a website that requests their personal information including their usernames and passwords.

You should never rely solely upon a username and password to secure an account. Implement multi-factor authentication (commonly referred to as two-step verification) to secure your accounts. That way even if a password is stolen the suspect won’t be able to log into the account without access to the second factor.

Have computers made finding cybercriminals easier or more difficult? Why?

Computers and modern technology have proven a double-edged sword in the fight against crime.

Modern surveillance cameras, license plate readers, geolocation services and other technological tools have proven to be extremely helpful to law enforcement in finding criminals of all types.

On the other hand, tools such as TOR (The Onion Router), dark web marketplaces, cryptocurrencies, robust mobile device encryption, and encrypted communications services have created extreme challenges to law enforcement.

These types of technology can often make it impossible for law enforcement to obtain needed evidence even if they have the proper legal authority and compelling need.

For example, a suspect could have 1 million stolen credit cards on his iPhone, and even if law enforcement seizes the phone and has a search warrant to search the phone, they will not be able to access the phone unless the user provides the passcode.

This type of problem was demonstrated very dramatically in the 2015 San Bernardino Inland Regional Center terror attack when the FBI attempted to analyze the terrorist’s locked iPhone.

Do you recommend any third-party tools individuals can use to privately access the internet, transfer data, or securely delete data?

I find that the most important third-party tools include the following:

Reputable Virtual Private Network (VPN) services allow users to safely access the Internet when working remotely from known secure networks.
Reputable cloud-based file transfer services allow users to safely transfer files to fellow employees and colleagues.
Reputable full disk encryption tools can be used to encrypt portable media such as USB drives to prevent data theft if the devices are lost or stolen.

GAO Finds Identity Theft Services Limited in Fraud Prevention!

Following the 2015 OPM data breaches, GAO found that identity theft services offer certain benefits but are also limited in what they can prevent.

April 03, 2017 – Identity theft services offer several benefits to organizations and individuals, but there are limitations in fraud prevention and other identity protection services, according to a recent Government Accountability Office (GAO) report.

Medical identity theft and tax refund fraud are also not always specifically addressed in identity theft services, GAO explained.

With regard to the two Office of Personnel Management (OPM) data breaches from 2015, GAO stated that the level of insurance coverage provided was “likely unnecessary because claims paid rarely exceed a few thousand dollars.”

OPM announced on June 4, 2015 that it had been the victim of a cyber attack. The agency then reported one month later that a significantly greater number of individuals were affected by a “separate but related” cybersecurity breach.

Approximately 21.5 million individuals were affected, with some of the compromised information including “identification details such as Social Security Numbers, residency and educational history, employment history, information about immediate family and other personal acquaintances, health, criminal and financial history.”

“Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization,” Acting Director of the Office of Personnel Management Beth Cobert said in a statement. “And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

GAO stated in its report that OPM provided duplicative identity theft services for about 3.6 million people affected by both of its 2015 breaches.

“Contrary to key operational practices previously identified by GAO, OPM’s data-breach-response policy does not include criteria or procedures for determining when to offer identity theft services, and OPM has not always documented how it chose to offer them in response to past breaches, which could hinder informed decision making in the future,” GAO wrote.

“In the private sector, companies often offer consumers affected by a data breach complimentary identity theft services for reasons other than mitigating the risk of identity theft, such as avoiding liability or complying with state law.”

Identity theft services typically include one or more areas of assistance, such as credit monitoring, identity monitoring, and identity restoration, GAO explained. Medical identity theft, identity theft refund fraud, and certain other threats involving stolen personal information are generally not included.

“Evaluation and analysis of these services by both federal and private-sector entities is limited and tends to focus on outputs (such as contractor performance) rather than outcomes (such as reduction of harm from identity theft),” the report noted.

Out of the 26 identity theft services that GAO reviewed, the agency stated that only one “expressly addressed” medical identity theft.

“That product works with the explanation-of-benefits delivery system of the user’s health insurer to alert the user every time a claim is made against the user’s health plan benefits,” the report said. “Users can flag a claim as suspicious if, for example, they do not recognize the procedure or health care provider, and the company then will investigate the claim.”

Additionally, the service is offered as a benefit by health insurers to their members instead of offered directly to consumers.

OPM did not provide many details to GAO on what type of services it offered following the 2015 breaches.

“The current officials told us that they could not find any formal documentation related to the decision to offer identity theft services or the process leading up to this decision,” GAO wrote. “The agency was able to identify a document comparing past public- and private-sector entities’ responses to breaches that may have been considered when determining which services OPM should offer after the second data breach (of background investigation records).”

OPM has previously been investigated for its large data breaches, with reports finding that certain preventative measures could have helped to potentially prevent the incidents.

Toward the end of 2016, an OIG report found that a failure to prioritize cybersecurity and adequately secure high value data helped contribute to the data breaches taking place.

Additionally, the OPM Inspector General (IG) warned the agency as early as 2005 that the information it maintained was potentially vulnerable to hackers.

OPM had an “absence of an effective managerial structure to implement reliable IT security policies,” and also “failed to implement the Office of Management and Budget’s (OMB) longstanding requirement to use multi-factor authentication for employees and contractors who log on to the network.”