Entries from August 1, 2007 - September 1, 2007
Monster.com id theft is a lesson for job hunters
The recent hack of Monster.com servers may have exposed far more job seekers than originally believed. While the original estimate suggested a few hundred thousand users might be affected, the estimates have quickly risen to 1.3 million users with a caution from Monster that not only could the final numbers be much higher, but this might not have been the only security breach of their web site.
Perhaps the only good thing about this and other data breaches is that there are lessons to learn. For example, the Identity Theft Resource Center, a great victim resource based in San Diego, recently issued some advice to job seekers that could help minimize the risk of a resume or job application being turned into an identity theft.
For example, you should always leave the following information out of a resume or job application (at least until you have no choice):
- Your Social Security number: an employer doesn't need that until they're ready to hire you, and even then you need to make sure the company and job offer are legitimate.
- The dates you attended various schools, because many authentication security questions use this information (for accessing online bank accounts, for example).
- Your home address; a city and state should be more than enough on your resume.
- Your date of birth should also be unnecessary until you're offered the job.
- Professional certifications and memberships: these can make it too easy for a thief to socially engineer you into opening an infected email from what you believe is a trusted source.
- And keep your driver's license number to yourself as well.
But as the Monster data breach showed, the risk is not only that thieves will steal your personal information from an exploited database, but that they are now learning to use the stolen information to create phishing attacks on users.
In other words, using the stolen information to trick job seekers into providing even more personal information, participating in fraudulent schemes, or downloading information-stealing Trojans.
So be warned. Look at your resume as a thief might and try to remove any information that might be of value to a thief. Be wary of job offers that ask for too much information before you even meet the prospective employer. Be just as wary of third parties who offer to help find you a job. And always be suspicious of emails from people you don't know but who seem to know too much about you.
Credit card fraud and identity theft
Planning a vacation this year? And thinking about bringing along a credit card or two for company?
Now imagine that your once-in-a-lifetime trip to Rome is interrupted by a pickpocket who makes off with your credit cards. Do you have a plan for a situation like this? Obviously, you need to act fast to prevent credit card fraud.
What number do you call to cancel your card, and would you even be able to tell them the number of the stolen card? These are just some of the obvious risks that we never seem to worry about until it’s too late.
But knowing the kinds of problems and pitfalls that are out there can make the difference.
Mules wanted – no experience necessary
There are many, many ways to make money from identity theft. You can become an identity thief and take your chances in this vast and profitable industry. You can start a security company and make a slightly smaller fortune trying to protect people from thieves (and often from themselves). You could even build a career prosecuting the crime, although it’s probably the least profitable of all. Or you could just become a mule.
One thing we know about cybercriminals is that they’re creative, and the most recent attack on Monster.com’s users shows just how much. Victims of the attack reported receiving spam emails around the same time as the theft came to light, offering thousands of dollars a week working from home for just a few hours a month.
Security experts now believe that much of this spam is actually sent by the thieves in an attempt to recruit mules to help them move their recently acquired loot.
Because banks are on the lookout for unusual transfers to faraway bank accounts, the thieves are now looking for help in transferring stolen funds into bank accounts nearer to home – in fact, they’re looking for account holders in the very same banks as the victims – account holders who are willing to have money transferred to their accounts, and then pass it on to those faraway accounts without arousing suspicion.
The mules, as they’re known, are offered a cut of the funds they pass on to thieves. And according to some researchers, criminal gangs need to recruit as many as 20,000 mules in order to keep up with the amount of information being pilfered.
So if you ever receive one of these pitches, or any email money-making offer that requires a US bank account as the only experience necessary, don’t be tempted. Because you’ll only be making more money for the thieves, the security industry, and the prosecutors. And your only reward will be a few years' confinement in a faraway place a little upstate.
TJ Maxx identity theft keeps growing
When TJ Maxx announced that their massive data breach earlier this year would ultimately cost between $3 million and $5 million, I wasn't sure if it was naivety or dishonesty. But nothing near the insanity of the security experts who claimed the real cost would be closer to $1 billion.
Seems like the lunatics really were in charge, because in a recent SEC filing TJ Maxx parent TJX now admits that the costs so far could exceed $150 million, and security experts are sticking by their estimate of $1 billion or more.
And yet despite being accused of letting the biggest and costliest identity theft in history happen under their very noses, it doesn't seem to worry customers. In the most recent quarter sales were up 9% at TJX. In spite of the economic woes. Go figure!
On a side note, authorities seem to be one step closer to the criminal masterminds behind the crime, with the arrest in Turkey of a Ukrainian citizen trading in some of the stolen credit cards.
Monster.com identity theft goes massive
Last week I reported on rumors that users of Monster.com's job search web site might have had their personal information stolen by a gang of hackers that had managed to infect the Monster site with malicious code.
Now the media is reporting that not only are the rumors true, but instead of affecting a few thousand victims, as many as 1.6 million records might have been compromised, affecting hundreds of thousands of users.
The scheme apparently used infected ads and banners on the Monster.com web sites to steal personal information that was then used to send phishing emails to Monster users. These emails in turn installed an information-stealing Trojan on the user's computer in an attempt to steal bank login and password information.
Not surprisingly, there's no mention of the issue on Monster's home page. Under a very obscure link called Security Center, there is a vague reference to a "fraudulent email" that may be in circulation, and simply advises that if you responded to such an email you should contact law enforcement. So that maybe they could clean up Monster's mess? Nice one!
It's a powerful reminder that your information can be vulnerable anywhere. So keep your vigilance at a heightened level (and stop falling for phishing emails), and keep a close eye on your credit records. And of course don't depend on Monster for any help. At least not yet.

