PROJET AUTOBLOG


Krebs on Security

Site original : Krebs on Security

⇐ retour index

Mise à jour

Mise à jour de la base de données, veuillez patienter...

Post-FCC Privacy Rules, Should You VPN?

jeudi 30 mars 2017 à 23:33

Many readers are understandably concerned about recent moves by the U.S. Congress that would roll back privacy rules barring broadband Internet service providers (ISPs) from sharing or selling customer browsing history, among other personal data. Some are concerned enough by this development that they’re looking at obfuscating all of their online browsing by paying for a subscription to a virtual private networking (VPN) service. This piece is intended to serve as a guidepost for those contemplating such a move.

vpnOn Tuesday, the House approved a Senate resolution to roll back data privacy regulations enacted late last year at the Federal Communications Commission (FCC) that would block ISPs from selling to advertisers information about where you go and what you do online. President Trump has signaled his intent to sign the bill (S.J. Res. 34) into law soon.

As shocking as this sounds, virtually nothing has changed about the privacy of the average American’s connection to the Internet as a result of this action by Congress, except perhaps a greater awareness that ISP customers don’t really have many privacy protections by default. The FCC rules hadn’t yet gone into effect, and traditional broadband providers successfully made the case to lawmakers that the new rules put them at a competitive disadvantage vis-a-vis purely Web-based rivals such as Facebook and Google.

Nevertheless, this hasn’t stopped news outlets from breathlessly urging concerned citizens to reclaim their privacy by turning to VPN providers. And VPN providers have certainly capitalized on the news. One quite large (and savvy) VPN provider even took out a full-page ad in the New York Times listing the names of the Republican senators who voted to repeal the still-dormant regulations.

I’m happy if this issue raises the general level of public awareness about privacy and the need for Internet users everywhere to take a more active role in preserving it. And VPNs can be a useful tool for protecting one’s privacy online. However, it’s important to understand the limitations of this technology, and to take the time to research providers before entrusting them with virtually all your browsing data — and possibly even compounding your privacy woes in the process.

In case any readers are unclear on the technology, in a nutshell VPNs rely on specialized software that you download and install on your computer. Some VPN providers will supply customers with their own custom brand of VPN software, while others may simply assign customers a set user credentials and allow users to connect to the service via open-source VPN software like OpenVPN.

Either way, the software creates an encrypted tunnel between your computer and the VPN provider, effectively blocking your ISP or anyone else on the network (aside from you and the VPN provider) from being able to tell which sites you are visiting or viewing the contents of your communications. A VPN service allows a customer in, say, New York City, to tunnel his traffic through one of several servers around the world, making it appear to any Web sites that his connection is coming from those servers, not from his ISP in New York.

If you just want a VPN provider that will keep your ISP from snooping on your everyday browsing, virtually any provider can do that for you. But if you care about choosing from among VPN providers with integrity and those that provide reliable, comprehensive, trustworthy and affordable offerings, you’re going to want to do your homework before making a selection. And there are plenty of factors to consider.

For better or worse, there are hundreds of VPN providers out there today. Simply searching the Web for “VPN” and “review” is hardly the best vetting approach, as a great many VPN companies offer “affiliate” programs that pay people a commission for each new customer they help sign up. I say this not to categorically discount VPN providers that offer affiliate programs, but more as a warning that such programs can skew search engine results in favor of larger providers.

That’s because affiliate programs often create a perverse incentive for unscrupulous marketers to do things like manufacture phony VPN reviews by the virtual truckload, reviews that are aimed at steering as many people as possible to signing up with the service and earning them commissions. In my admittedly limited experience, this seems to have the effect of funneling search results toward VPN providers which spend a lot of money marketing their offerings and paying for affiliate programs.

Also, good luck figuring out who owns and operates many of these companies. Again, from the admittedly few instances in which I’ve attempted to determine exactly who or what is at the helm of a specific VPN provider, I can say that this has not been a particularly fruitful endeavor.

My bar for choosing a VPN provider has more to do with selecting one that makes an effort to ensure its customers understand how to use the service securely and safely, and to manage their customers’ expectations about the limitations of using the service. Those include VPN companies that take the time to explain seemingly esoteric but important concepts, such as DNS and IPv6 leaks, and whether they keep any logs of customer activity. I also tend to put more stock in VPN providers that offer payment mechanisms which go beyond easily-traceable methods such as credit cards or PayPal, to offering more privacy-friendly payment options like Bitcoin (or even cash).

Many VPN providers claim they keep zero records of customer activity. However, this is almost always untrue if you take the time to read the fine print. Also, some VPN services can’t truthfully make this claim because they merely resell network services offered by third-parties. Providers that are honest and up-front about what information they collect and keep and for how long carry more weight in my book.

Most VPN providers will keep basic information about their customers, including any information supplied at the creation of the account, as well as the true Internet address of the customer and the times that customers connect and disconnect from the service. I’ve found that VPN providers which collect the minimum amount of information about their customers also tend to offer little or no customer support. This isn’t necessarily a bad thing, especially if you know what you’re doing and don’t need or want a lot of hand-holding. For my part, I would avoid any VPN provider which asks for personal information that isn’t required by the form of payment I choose.

Then there are more practical, day-to-day considerations that may have little to do with privacy and anonymity. For example, some VPN providers pay a great deal of attention to privacy and security, but may not offer a huge number of servers and locations to chose from. This can present issues for people who frequently watch streaming video services that are restricted for use in specific countries. Other VPN providers may offer an impressive range of countries and/or states to chose from, but do not provide fast enough speeds to reliably satisfy data-intensive applications, such as streaming video.

These are only some of the many factors that are important to weigh when selecting a VPN provider. I asked my favorite source for online privacy — the Electronic Frontier Foundation (EFF) — if they had any recommendations for VPN providers. Alas, their press folks told me the EFF has not yet sought to vet the claims made by various VPN companies. Instead, their media folks referred me to this site, which covers many of the concerns raised in this post in greater detail, and includes what appear to be fairly straightforward reviews and side-by-side comparisons of many popular VPN services.

For personal privacy reasons, I’m not interested in sharing the name of the VPN service that I’ve paid for and trusted for years. But I can say with some gratification that they are one of the highest rated (greens almost across the board) providers listed here.

A quick note about “free VPN” services. Just as with “free” services like Facebook and Gmail, it’s important to know that with free VPN services you probably aren’t so much the customer as the product. Operating a business like a VPN service takes considerable effort and cost, and it’s very likely that anyone operating a free VPN service is also somehow monetizing your use of their service in some way — probably in an way that may be at odds with your reason for using the service in the first place.

Alternatively, if you’re looking for a free option, consider using Tor instead. Short for “The Onion Router,” Tor takes your communications and bounces them through a series of layers or “relays” around the globe, encrypting your data at every hop. The practical and privacy limitations of Tor are explained rather succinctly in this story at How-to Geek, but many of the traditional concerns about Tor are mitigated by the technical limitations that ship with the current Tor Browser Bundle. For most users, the principal drawback of Tor versus paid VPN services is that Tor is likely to be far slower than your average VPN (although, to be fair Tor has gotten quite a bit faster in recent years).

Finally, from the read-my-mind department, I fell asleep last night ruminating over what a grass-roots effort to lawfully and publicly resist this move by Congress might look like, and briefly considered that someone could even set up a site that would offer to purchase the Internet browsing records of the top lawmakers who voted for repealing the FCC rules (should those records ever go on sale by the major broadband providers). Incredibly, I awoke this morning to an email from a reader about exactly such an experiment — searchinternethistory.com — which has raised more than $170,000 so far toward a $1 million goal via GoFundMe.

As cathartic as this effort may be, I can’t recommend supporting it financially. However, if you’re in a generous mood I would wholeheartedly recommend supporting groups like the EFF, which orchestrates efforts to educate lawmakers on important technology policy issues and — failing that — to derail and sometimes overturn bone-headed policy moves in Washington, D.C. that endanger our security and privacy. KrebsOnSecurity supports the EFF with four-figure donations each year, and I would encourage anyone with the means and interest to likewise support the work of this important organization.

Author’s note: On any given week, I probably remove a dozen or so comments from people who appear to be shilling for various VPN providers. Any comments to that effect on this post will be similarly deleted without hesitation or explanation.

Alleged vDOS Owners Poised to Stand Trial

lundi 27 mars 2017 à 15:56

Police in Israel are recommending that the state attorney’s office indict and prosecute two 18-year-olds suspected of operating vDOS, until recently the most popular attack service for knocking Web sites offline.

On Sept. 8, 2016, KrebsOnSecurity published a story about the hacking of vDOS, a service that attracted tens of thousands of paying customers and facilitated countless distributed denial-of-service (DDoS) attacks over the four year period it was in business. That story named two young Israelis — Yarden Bidani and Itay Huri — as the likely owners and operators of vDOS, and within hours of its publication the two were arrested by Israeli police, placed on house arrest for 10 days, and forbidden from using the Internet for a month.

The front page of vDOS, when it was still online last year.

The front page of vDOS, when it was still online last year.

After those restrictions came and went, some readers expressed surprise that there were no formal charges announced against either of the young men. This week, however, Israeli police sent letters to lawyers for both men stating that the official investigation was nearing completion and that they planned to urge government prosecutors to pursue criminal charges.

The police are preparing to recommend prosecutors charge the men with computer fraud and extortion, alleging they caused more than six million shekels worth of damage (approximately USD $1.65 million).

Bidani’s attorney Perach Aroch told KrebsOnSecurity that her client has not yet been officially charged with any crime. But she said once the investigation is complete the defense will have 30 days to review the evidence and to make arguments as to why the case should be dismissed.

“They have to give us 30 days to see all the evidence and to try to convince them why they should not take this case to court,” Aroch said. “After that, [the prosecutors will] decide if it should go to trial.”

18-year-old Yarden Bidani.

18-year-old Yarden Bidani.

The arrest of Bidani and Huri came after the police received information from the Federal Bureau of Investigation (FBI). But the United States apparently isn’t the only country weighing in on this case: According to a story published Sunday by Israeli news outlet TheMarker.com, the government of Sweden also is urging Israeli prosecutors to pursue formal charges.

It’s unclear exactly why the Swedish government is so interested in this case, but the vDOS service has been implicated in a series high-profile attacks that brought down some of the country’s largest news media Web sites last year.

Shortly after those attacks in March 2016, Somerville, Mass.-based security intelligence firm Recorded Future published an analysis linking the assaults against Swedish media sites to vDOS and to “applej4ck,” the hacker nickname allegedly used by Bidani.

In publicizing the news of vDOS’s hack last year, KrebsOnSecurity also published several months of attack logs from the vDOS service. However, those logs only dated back to May 2016.

Itay Huri’s lawyer declined to comment for this story, but TheMarker’s Amitai Ziv obtained a statement from Huri’s attorney, who accused Israeli police of applying pressure and terror through the media instead of looking for the truth.

Ziv said sources he’s spoken to believe the case will almost certainly go to trial.

“Professionals involved in the case said the likelihood of indictments in the affair is very high,” he wrote.

According to Bidani’s lawyer Aroch, the two former friends are now pointing the finger of blame at each other and are no longer speaking to one another.

“They each now accuse each other in things, so it’s a little bit of a problem,” Aroch said.

Aroch said both Bidani and Huri are free to travel and even leave the country, although both men have had their bank and PayPal accounts frozen.

Bidani and Huri allegedly started vDOS when they were 14 years old. By the time the service was shut down last September, it had attracted tens of thousands of customers who paid for attacks in PayPal (when vDOS’s PayPal accounts were shut down, the service briefly shifted to accepting payment via Bitcoin).

My Sept. 2016 investigation into the hacking of vDOS revealed that in just two of the four years the service was in operation, it brought in revenues of more than $600,000.

It’s unclear how many digital sieges were launched by vDOS, but it was likely several million. The aforementioned user logs stolen from vDOS and leaked to KrebsOnSecurity show that in just the span of less than three months last year the service was responsible for more than 150,000 attacks.

KrebsOnSecurity paid a heavy price for breaking the story on vDOS’s hacking and the subsequent arrest of its alleged proprietors. Less than two weeks after those stories were published in September 2016, this site came under one of the largest DDoS attacks the Internet has ever witnessed.

That series of attacks ultimately knocked this site offline for nearly four days. According to follow-up reporting published in January 2017, the attacks were paid for by a cybercriminal who was upset and/or inconvenienced by my exposé on vDOS.

Lawyers for Bidani and Huri have said their clients were merely operating a defensive “stresser” service sold to companies that wished to test whether their sites could withstand large cyberattacks. The owners of these stresser services have sought to hide behind wordy “terms of service” agreements which all customers must agree to, arguing that these agreements absolve them of any sort of liability for how their customers use the service.

Law enforcement officials both in the United States and abroad say stresser services enable illegal activity, and they’ve recently begun arresting both owners and users of these services.

In December 2016, federal investigators in the U.S. and Europe arrested nearly three-dozen people suspected of patronizing stresser services (also known as “booter” services). That crackdown was billed as part of an effort by authorities to weaken demand for these services, and to impress upon customers that hiring someone to launch cyberattacks on your behalf can land you in jail. In October 2016, the U.S. Justice Department charged two 19-year-old men alleged to have operated a stresser service affiliated with the hacking group known as the Lizard Squad.

Phishing 101 at the School of Hard Knocks

vendredi 24 mars 2017 à 17:03

A recent, massive spike in sophisticated and successful phishing attacks is prompting many universities to speed up timetables for deploying mandatory two-factor authentication (2FA) — requiring a one-time code in addition to a password — for access to student and faculty services online. This is the story of one university that accelerated plans to require 2FA after witnessing nearly twice as many phishing victims in the first two-and-half months of this year than it saw in all of 2015.

bgBowling Green State University in Ohio has more than 20,000 students and faculty, and like virtually any other mid-sized state school its Internet users are constantly under attack from scammers trying to phish login credentials for email and online services.

BGSU had planned later this summer to make 2FA mandatory for access to the school’s portal — the primary place where students register for classes, pay bills, and otherwise manage their financial relationship to the university.

That is, until a surge in successful phishing attacks resulted in several students having bank accounts and W-2 tax forms siphoned.

On March 1, 2017 all BGSU account holders were required to change their passwords, and on March 15, 2017 two-factor authentication (Duo) protection was placed in front of the MyBGSU portal [full disclosure: Duo is a longtime advertiser on KrebsOnSecurity].

Matt Haschak, director of IT security and infrastructure at BGSU, said the number of compromised accounts detected at BGSU has risen from 250 in calendar year 2015 to 1000 in 2016, and to approximately 400 in the first 75 days of 2017.

Left unchecked, phishers are on track to steal credentials from nearly 10 percent of the BGSU student body by the end of this year. The university has offered 2FA options for its portal access since June 2016, but until this month few students or faculty were using it, Haschak said.

“We saw very low adoption when it was voluntary,” he said. “And typically the people who adopted it were not my big security risks.”

Haschak said it’s clear that the scale and size of the phishing problem is hardly unique to BGSU.

“As I keep preaching to our campus community, this is not unique to BGSU,” Haschak said. “I’ve been talking a lot lately to my counterparts at universities in Ohio and elsewhere, and we’re all getting hit with these attacks very heavily right now. Some of the phishing scams are pretty good, but unfortunately some are god-awful, and I think people are just not thinking or they’re too busy in their day, they receive something on their phone and they just click it.”

Last month, an especially tricky phishing scam fooled several students who are also employed at the university into giving away their BGSU portal passwords, after which the thieves changed the victims’ direct deposit information so that their money went to accounts controlled by the phishers.

In other scams, the phishers would change the routing number for a bank account tied to a portal user, and then cancel that student’s classes near the beginning of a semester — thus kicking off a fraudulent refund.

One of the victims even had a fraudulent tax refund request filed in her name with the IRS as a result, Haschak said.

“They went in and looked at her W-2 information, which is also available via the portal,” he said.

While BGSU sends an email each time account information is changed, the thieves also have been phishing faculty and staff email accounts — which allows the crooks to delete the notification emails.

“The bad guys also went in and deleted the emails we sent, and then deleted the messages from the victim’s trash folder,” Haschak said.

Part of BGSU's messaging to students and faculty about the new 2FA requirements for university portal access.

Part of BGSU’s messaging to students and faculty about the new 2FA requirements for university portal access.

Ultimately, BGSU opted to roll out 2FA in a second stage for university email, mainly because of the logistics and support issues involved, but also because they wanted to focus on protecting the personally identifiable information in the BGSU portal as quickly as possible.

For now, BGSU is working on automating the opt-in for 2FA on university email. The 2FA system in front of its portal provides several 2FA options for students, including the Duo app, security tokens, or one-time codes sent via phone or SMS.

“If the numbers of compromised accounts keep increasing at the rate they are, we may get to that next level a lot sooner than our current roadmap for email access,” Haschak said.

2FA, also called multi-factor authentication or two-step verification, is a great way to dramatically improve the security of on online account — whether it’s at your bank, a file-sharing service, or your email. The idea is that even if thieves manage to snag your username and password — through phishing or via password-stealing malware — they still need access to that second factor to successfully impersonate you to the system.

Are you taking full advantage of 2FA options available to your various online accounts? Check out twofactorauth.org to find out where you might be able to harden your online account security.

eBay Asks Users to Downgrade Security

mercredi 22 mars 2017 à 18:59

Last week, KrebsOnSecurity received an email from eBay. The company wanted me to switch from using a hardware key fob when logging into eBay to receiving a one-time code sent via text message. I found it remarkable that eBay, which at one time was well ahead of most e-commerce companies in providing more robust online authentication options, is now essentially trying to downgrade my login experience to a less-secure option.

ebay2faIn early 2007, PayPal (then part of the same company as eBay) began offering its hardware token for a one-time $5 fee, and at the time the company was among very few that were pushing this second-factor (something you have) in addition to passwords for user authentication. In fact, I wrote about this development back when I was a reporter at The Washington Post:

“Armed with one of these keys, if you were to log on to your account from an unfamiliar computer and some invisible password stealing program were resident on the machine, the bad guys would still be required to know the numbers displayed on your token, which of course changes every 30 seconds. Likewise, if someone were to guess or otherwise finagle your PayPal password.”

The PayPal security key.

The PayPal security key.

I’ve still got the same hardware token I ordered when writing about that offering, and it’s been working well for the past decade. Now, eBay is asking me to switch from the key fob to text messages, the latter being a form of authentication that security experts say is less secure than other forms of two-factor authentication (2FA).

The move by eBay comes just months after the National Institute for Standards and Technology (NIST) released a draft of new authentication guidelines that appear to be phasing out the use of SMS-based two-factor authentication. NIST said one-time codes that are texted to users over a mobile phone are vulnerable to interception, noting that thieves can divert the target’s SMS messages and calls to another device (either by social engineering a customer service person at the phone company, or via more advanced attacks like SS7 hacks).

I asked eBay to explain their rationale for suggesting this switch. I received a response suggesting the change was more about bringing authentication in-house (the security key is made by Verisign) and that eBay hopes to offer additional multi-factor authentication options in the future.

“As a company, eBay is committed to providing a safe and secure marketplace for our millions of customers around the world,” eBay spokesman Ryan Moore wrote. “Our product team is constantly working on establishing new short-term and long-term, eBay-owned factors to address our customer’s security needs. To that end, we’ve launched SMS-based 2FA as a convenient 2FA option for eBay customers who already had hardware tokens issued through PayPal. eBay continues to work on advancing multi-factor authentication options for our users, with the end goal of making every solution more secure and more convenient. We look forward to sharing more as additional solutions are ready to launch.”

I think I’ll keep my key fob and continue using that for two-factor authentication on both PayPal and eBay, thank you very much. It’s not clear whether eBay is also phasing out the use of Symantec’s VIP Security Key App, which has long offered eBay and PayPal users alike more security than a texted one-time code. eBay did not respond to specific questions regarding this change.

Although SMS is not as secure as other forms of 2FA, it is probably better than nothing. Are you taking advantage of two-factor authentication wherever it is offered? The site twofactorauth.org maintains a fairly comprehensive list of companies that offer two-step or two-factor authentication.

Student Aid Tool Held Key for Tax Fraudsters

mardi 21 mars 2017 à 20:07

Citing concerns over criminal activity and fraud, the U.S. Internal Revenue Service (IRS) has disabled an automated tool on its Web site that was used to help students and their families apply for federal financial aid. The removal of the tool has created unexpected hurdles for many families hoping to qualify for financial aid, but the action also eliminated a key source of data that fraudsters could use to conduct tax refund fraud.

Last week, the IRS and the Department of Education said in a joint statement that they were temporarily shutting down the IRS’s Data Retrieval Tool. The service was designed to make it easier to complete the Education Department’s Free Application for Federal Student Aid (FAFSA) — a lengthy form that serves as the starting point for students seeking federal financial assistance to pay for college or career school.

The U.S. Department of Education's FAFSA federal student aid portal. A notice about the closure of the IRS's data retrieval tool can be seen in red at the bottom right of this image.

The U.S. Department of Education’s FAFSA federal student aid portal. A notice about the closure of the IRS’s data retrieval tool can be seen in red at the bottom right of this image.

In response to requests for comment, the IRS shared the following statement: “As part of a wider, ongoing effort at the IRS to protect the security of data, the IRS decided to temporarily suspend their Data Retrieval Tool (DRT) as a precautionary step following concerns that information from the tool could potentially be misused by identity thieves.”

“The scope of the issue is being explored, and the IRS and FSA are jointly investigating the issue,” the statement continued. “At this point, we believe the issue is relatively isolated, and no additional action is needed by taxpayers or people using these applications. The IRS and FSA are actively working on a way to further strengthen the security of information provided by the DRT. We will provide additional information when we have a specific timeframe for returning the DRT or other details to share.”

The removal of the IRS’s tool received relatively broad media coverage last week. For example, a story in The Wall Street Journal notes that the Treasury Inspector General for Tax Administration — which provides independent oversight of the IRS — “opened a criminal investigation into the potentially fraudulent use of the tool.”

Nevertheless, I could not find a single publication that sought to explain precisely what information identity thieves were seeking from this now-defunct online resource. Two sources familiar with the matter but who asked to remain anonymous because they were not authorized to speak on the record told KrebsOnSecurity that identity thieves were using the IRS’s tool to look up the “adjusted gross income” (AGI), which is an individual or family’s total gross income minus specific deductions.

Anyone completing a FAFSA application will need to enter the AGI as reported on the previous year’s income tax return of their parents or guardians. The AGI is listed on the IRS-1040 forms that taxpayers must file with the IRS each year. The IRS’s online tool was intended as a resource for students who needed to look up the AGI but didn’t have access to their parents’ tax returns.

Eligible FAFSA applicants could use the IRS’s data retrieval tool to populate relevant fields in the application with data pulled directly from the IRS. Countless college Web sites explain how the tool works in more detail; here’s one example (PDF).

As it happens, the AGI is also required to sign and validate electronic tax returns filed with the IRS. Consequently, the IRS’s data retrieval tool would be a terrific resource to help identity thieves successfully file fraudulent tax refund requests with the agency.

A notice from the IRS states that the adjusted gross income (AGI) is needed to validate electronically-filed tax returns.

A notice from the IRS states that the adjusted gross income (AGI) is needed to validate electronically-filed tax returns.

Tax-related identity theft occurs when someone uses a Social Security number (SSN) — either a client’s, a spouse’s, or dependent’s — to file a tax return claiming a fraudulent refund. Thieves may also use a stolen Employer Identification Number (EIN) from a business client to create false Forms W-2 to support refund fraud schemes. Increasingly, fraudsters are simply phishing W-2 data in large quantities from human resource professionals at a variety of organizations. However, taxpayer AGI information is not listed on W-2 forms.

Victims usually first learn of the crime after having their returns rejected because scammers beat them to it. Even those who are not required to file a return can be victims of refund fraud, as can those who are not actually due a refund from the IRS.

This would not be the first time tax refund fraudsters abused an online tool made available by the IRS. During the height of tax-filing season in 2015, identity thieves used the irs.gov’s “Get Transcript” feature to glean salary and personal information they didn’t already have on targeted taxpayers. In May 2015, the IRS suspended the Get Transcript feature, citing its abuse by fraudsters and noting that some 100,000 taxpayers may have been victimized as a result.

In August 2015, the agency revised those estimates up to 330,000, but in February 2016, the IRS again more than doubled its estimate, saying the number of taxpayers targeted via abuse of the Get Transcript tool was probably closer to 724,000.

The IRS re-enabled its Get Transcript service last summer, saying it had fortified the system with additional security safeguards — such as requiring visitors to supply a mobile phone number that is tied to the applicant’s name.

Now, the IRS is touting its new and improved Get Transcript service as an alternative method for obtaining the information needed to complete the FAFSA.

“If you did not retain a copy of your tax return, you may be able to access the tax software you used to prepare your return or contact your tax preparer to obtain a copy,” the IRS said in its advisory on the shutdown of its data retrieval tool. “You must verify your identity to use this tool. You also may use Get Transcript by Mail or call 1-800-908-9946, and a transcript will be delivered to your address of record within five to 10 days.”

The IRS advises those who still need help completing the FAFSA to visit StudentAid.gov/fafsa or call 1-800-4FED-AID (1-800-433-3243).

DON’T BE THE NEXT VICTIM

Here are some steps you can take to make it less likely that you will be the next victim of tax refund fraud:

-File before the fraudsters do it for you – Your primary defense against becoming the next victim is to file your taxes at the state and federal level as quickly as possible. Remember, it doesn’t matter whether or not the IRS owes you money: Thieves can still try to impersonate you and claim that they do, leaving you to sort out the mess with the IRS later.

-Get on a schedule to request a free copy of your credit report. By law, consumers are entitled to a free copy of their report from each of the major bureaus once a year. Put it on your calendar to request a copy of your file every three to four months, each time from a different credit bureau. Dispute any unauthorized or suspicious activity. This is where credit monitoring services are useful: Part of their service is to help you sort this out with the credit bureaus, so if you’re signed up for credit monitoring make them do the hard work for you.

-File form 14039 and request an IP PIN from the government. This form requires consumers to state they believe they’re likely to be victims of identity fraud. Even if thieves haven’t tried to file your taxes for you yet, virtually all Americans have been touched by incidents that could lead to ID theft — even if we just look at breaches announced in the past year alone.

Consider placing a “security freeze” on one’s credit files with the major credit bureaus. See this tutorial about why a security freeze — also known as a “credit freeze,” may be more effective than credit monitoring in blocking ID thieves from assuming your identity to open up new lines of credit. While it’s true that having a security freeze on your credit file won’t stop thieves from committing tax refund fraud in your name, it would stop them from fraudulently obtaining your IP PIN.

Monitor, then freeze. Take advantage of any free credit monitoring available to you, and then freeze your credit file with the four major bureaus. Instructions for doing that are here.

Error happened! 0 - SQLite3::exec(): database disk image is malformed In: /home/cochisebee/www/autoblog/autoblogs/autoblog.php:285 http://autoblog.cochi.se/autoblogs/krebsonsecuritycom_4eab703a256df265f3abda6134d777218e00ffe9/?35 #0 [internal function]: exception_error_handler(2, 'SQLite3::exec()...', '/home/cochisebe...', 285, Array) #1 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(285): SQLite3->exec('INSERT INTO art...') #2 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(418): VroumVroum_Blog->insertOrUpdateArticle('https://krebson...', 'Chinese Antivir...', 'https://krebson...', 1600380201, '

The ...') #3 /home/cochisebee/www/autoblog/autoblogs/autoblog.php(932): VroumVroum_Blog->update() #4 /home/cochisebee/www/autoblog/autoblogs/krebsonsecuritycom_4eab703a256df265f3abda6134d777218e00ffe9/index.php(1): require_once('/home/cochisebe...') #5 {main}