SEC Charges Adviser with Defrauding Investors via Social Media Sites

On Wednesday, the Securities and Exchange Commission charged a Chicago-area investment adviser, Anthony Fields, with fraudulently promoting more than $500 billion in fictitious securities on several social media sites, and issued two alerts and an investor bulletin regarding the risks investors and advisory firms face when using social media.

“Fraudsters are quick to adapt to new technologies to exploit them for unlawful purposes,” said Robert B. Kaplan, Co-Chief of the SEC Enforcement Division’s Asset Management Unit. “Social media is no exception, and today’s enforcement action reflects our determination to pursue fraudulent activity on new and evolving platforms.”

The SEC order against Fields alleges he made multiple fraudulent offers through his two sole proprietorships – Anthony Fields & Associates (AFA) and Platinum Securities Brokers. He provided false and misleading information to the public regarding assets under management, clients and operational history. Fields also did not maintain required records, failed to implement adequate compliance policies and procedures, and presented himself as a broker-dealer though not registered with the SEC as one.

The SEC has issued three new publications for both investment advisers and investors:

“Investment Adviser Use of Social Media” reviews concerns that may arise from use of social media by firms and their associates, and offers suggestions for complying with relevant federal securities laws.

“Social Media and Investing: Avoiding Fraud” aims to raise investor awareness of fraudulent investment schemes that use social media, and provides tips for checking the backgrounds of advisers and brokers.

“Social Media and Investing: Understanding Your Accounts” contains best practices including privacy settings, security tips, and password selection aimed to help social media users protect their personal information and avoid fraud.

For additional information on avoiding securities fraud, visit the SEC’s website for individual investors: www.investor.gov.

Facebook Misses the Mark with Places

Yet again, Facebook has demonstrated their utter lack of understanding for personal boundaries and any sense of appropriate privacy. One of the things you can do with Facebook Places that you can’t with Foursquare, Gowalla, etc., is check your friends in.

Bad idea. Really bad idea. If I choose to tell the world where I am 24/7, that’s my prerogative. I can even live with people tweeting things like “I’m at #BATHH with @ScottAllen @LaniAR @KateBuckJr & other cool peeps.” But the idea of people creating structured, archived data about my location is just really unnerving. The potential for misuse is staggering.

I echo Laurie Ruettimann’s sentiment:

More on what’s wrong with Facebook Places at Social Media Today.

How to Protect Yourself and Your Company Against a Hacker Attack (Like Twitter's) — at No Cost

Twitter’s security meltdown has done a fantastic job of publicizing how vulnerable a modern, cloud-based startup can be to a determined hacker.

I have been surprised that in the numerous articles about how to protect yourself against hacking, I have seen very little mention of the powerful technique that we discussed in The Virtual Handshake.  Here’s a slightly updated version of what we wrote in the book:

Use a different user ID and password for all of the important sites you visit. If a thief knows your password on one site, it’s too easy for him to then use that password on many other sites. (That homogeneity is what broke down Twitter’s security.)  A good way to keep unique passwords for every site is to develop a standard method for creating a password from the name of the site. For example, to create a unique password for Orkut.com:

1. Pick a standard word for use with all your sites.  We’ll use "jade."

2. Split it in half. In the middle, insert the number of letters in the domain name. "Orkut" has 5 letters, so we write "ja5de."

3. Add a letter at the beginning that is the first letter of the domain name. "Orkut" = "O," giving us "Oja5de."

Although this allows you to easily calculate the password, a hacker cannot readily deduce a pattern because each site has its own unique password. Of course, you need to create your own algorithm; do not use this one! To avoid confusion from an excessive number of passwords, it’s okay to use the same password on all Web sites for which security is not critical, e.g., newspaper sites.

One weakness in this approach is the use of a common word as a base. Christopher Faulkner, CEO of C I Host, suggests picking a line from a song or popular phrase and using the first letter of each word. For example, "Four Score and Seven Years Ago" becomes "4s&7YA".

Twitter Phishing Scam Alert, Password Safety

I’d heard this was going on, but I just received my first one of these, so I figured I’d better share it with everybody. I received an email that looks like a Twitter direct message notification:

I was a bit suspicious of the message and URL (http://twitterblog.access-logins.com/login), and Google Chrome (my new default browser since Firefox went crazy on me) was kind enough to give me a possible phishing alert when I went to the site.

The site looks exactly like Twitter — the URL is the only give-away. But if you put your user name and password in, you’ve just let someone hack your Twitter account.
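Since the URL is the only give-away, the check is worth spelling out. The following is an added example, not part of the original post: it compares a link's host with the domain you expected to log in to. The expected domain `twitter.com`, the finding names and the `.example` sample links are assumptions made for illustration; only the first sample URL comes from the post.

```python
from urllib.parse import urlsplit

def link_findings(url, expected_domain, brand):
    """Return reasons a login link should not be trusted (empty list: none found)."""
    parts = urlsplit(url)
    # .hostname is lowercased and excludes any userinfo and port
    host = (parts.hostname or "").rstrip(".")
    expected = expected_domain.lower().rstrip(".")
    if not host:
        return ["no-host"]
    findings = []
    if parts.scheme != "https":
        findings.append("not-https")
    if parts.username is not None:
        # "https://twitter.com@other.example/" really goes to other.example
        findings.append("userinfo-before-host")
    # Exact match or a true subdomain; the leading dot keeps "nottwitter.com" out
    if not (host == expected or host.endswith("." + expected)):
        findings.append("foreign-host")
        if brand.lower() in host:
            # The brand name is only decoration in somebody else's domain
            findings.append("brand-in-foreign-host")
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append("punycode-label")
    return findings

# First URL is the one quoted in the post; the rest are constructed samples.
SAMPLES = [
    "http://twitterblog.access-logins.com/login",
    "https://twitter.com/login",
    "https://twitter.com.account-check.example/login",
    "https://twitter.com@login.example/session",
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(url, "->", link_findings(url, "twitter.com", "twitter") or "ok")
```
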

The notification will appear to be from someone you know — the follower data is publicly available if your profile is open. It doesn’t necessarily mean their account has been hacked. If you only get an email notification, not an actual Twitter DM, then their account is probably OK. If you receive one of these as an actual Twitter DM, then they’ve probably been hacked and should immediately change their password.

On the topic of passwords, I know a lot of people use the same password everywhere. BAD IDEA!!!

I hope it’s obvious why you shouldn’t do it. The problem, of course, is trying to manage/remember multiple passwords. One approach is to use some kind of password management software, but that only works from your own computer, and you’re in trouble if you want to log on from somewhere else.

In Chapter 16 (pp. 140-141) of The Virtual Handshake (free download or buy at Amazon), we offer a simple scheme for creating passwords that are unique for each site, but not easily decipherable if someone obtains a single password. I’ve found, though, that more and more sites are requiring longer passwords — sometimes 8 characters — and also doing things like requiring both numbers and letters in the password. A couple of years ago, I posted a little more complex password scheme that should meet those requirements.
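As an added example (not code from the book or from this blog), the sketch below implements the site-name scheme described earlier on this page (base word "jade", Orkut.com gives "Oja5de") and checks the results against the site rules mentioned above: at least 8 characters, with both letters and numbers. The function names, the `.example` domains, and the choice to treat the label before the final suffix as the site name are assumptions.

```python
def site_name(domain):
    """Name part the scheme counts: 'Orkut' for 'www.Orkut.com'.

    Assumption: the label before the final suffix is the site name, so
    multi-label suffixes such as .co.uk are not handled.
    """
    labels = [part for part in domain.strip().split(".") if part]
    if len(labels) < 2:
        raise ValueError(f"not a domain name: {domain!r}")
    return labels[-2]

def derive(base, domain):
    """First letter of the site + first half of base + name length + second half."""
    name = site_name(domain)
    mid = len(base) // 2
    return f"{name[0].upper()}{base[:mid]}{len(name)}{base[mid:]}"

def policy_failures(password, min_length=8):
    """Which of the site rules from the text a password fails."""
    failures = []
    if len(password) < min_length:
        failures.append("too-short")
    if not any(c.isalpha() for c in password):
        failures.append("no-letter")
    if not any(c.isdigit() for c in password):
        failures.append("no-digit")
    return failures

def site_part(base, password):
    """The characters of a derived password that change from site to site."""
    mid = len(base) // 2
    tail_len = len(base) - mid
    return password[0] + password[1 + mid:len(password) - tail_len]

def audit(base, domains, min_length=8):
    """One row per site: (domain, password, site-specific part, rule failures)."""
    rows = []
    for domain in domains:
        pw = derive(base, domain)
        rows.append((domain, pw, site_part(base, pw), policy_failures(pw, min_length)))
    return rows

if __name__ == "__main__":
    # Orkut.com is the page's example; the .example domains are constructed.
    sites = ["Orkut.com", "www.photos.example", "stackoverflow.example"]
    for base in ("jade", "jadestone"):
        for row in audit(base, sites):
            print(base, *row)
```

With the four-letter base word from the worked example, every derived password comes out shorter than 8 characters, so a site with that minimum rejects it; a longer base word passes, while the part that changes from site to site stays at the first letter plus the length digits.
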

Developing a secure password management scheme is one of the single best things you can do to protect against online identity theft.

Apparently, Phishing Is Not Funny

A fascinating event occurred on Twitter today. In short, someone cracked a joke about a new 3rd-party Twitter application. Someone else took it seriously and blogged about it on ZDNet, creating a wave of misplaced mass hysteria. Brian Ambrozy has the whole story in more detail, but I especially appreciated his Twitter-style summary:

  • Hay guys, Twitterank gives u a twit score. Mine is 110.23! Check it!
  • Looks like @brianoberkirch made a funneh. oops
  • Now Oliver Marks sez @brianoberkirch hacked twitter omgz
  • A MILLIONTY PEOPLE READ OLIVER MARKS AND RETWEETED IT
  • Everybody skurred nao

This does raise some interesting issues. For example, if you’re generally a highly credible source, as Brian Oberkirch is, do you have a responsibility to be so reliable that you can’t even crack a joke? I experienced this myself last year when an April Fool’s post I made was so believable that it was prompting calls to LinkedIn customer service (even though I said "April Fool’s" at the end of the post). I took a look around the web at some of the other pranksters (Google being one of the biggest), and wrote about it in April 2nd – The Day After. I still don’t know where the line is, but I certainly don’t think Brian crossed it.

The real problem is in the system that allowed a blogger who didn’t do any fact-checking with other sources to jump on the story under the loaned credibility of the ZDNet brand. It was an honest mistake, and well-intentioned, but it was magnified by being published under a trusted brand. As Shannon Whitley wrote:

Bloggers are not journalists in the professional sense of the word.  It’s not only a misconception, but judging by how quickly erroneous information can spread, it’s a very dangerous idea. […] Amateurs can produce high-quality content and, in a particular area of expertise, can provide more depth on a subject.  However, we should never kid ourselves that the amateurs have the same level of experience, nor do they support the same level of standards as the professional.  Read carefully and watch those banners.  You may see a professional logo at the top of the page, but that doesn’t mean the same level of trust can be transferred to the content beneath it.  I think it’s time that organizations like CNN and ZDNet change the layout of their amateur sites.  It’s too easy to mistake the work of an amateur for that of the professional and trusted journalist.

In general, I agree with Shannon. However, I do think he perhaps has some misplaced trust in those "professional" journalists. I have done dozens of interviews with journalists, and while some adhere to very high standards, others are frankly kind of lazy. I’ve been misquoted numerous times in ways that changed the meaning of what I said. I’ve seen stories that drew obviously wrong conclusions from the facts. I’ve seen factual errors in the stories I’ve been quoted in. Many of the journalists are freelance writers with no formal journalistic training. And on non-critical pieces, i.e., anything in any section other than "news", a lot of publications don’t do rigorous fact-checking. If it wouldn’t lead to a potential lawsuit, they don’t bother.

So while you may want to be a little extra-cautious if the author is designated as a "blogger" rather than a staff reporter, you need to take what the reporters say with a grain of salt as well. If you are going to make an important business or life decision based on the information, check your facts with multiple sources.

MySpace Phishing, Spyware, Identity Theft

Let me say first off that I am, generally, a MySpace fan. I’m active on there, and my teenage son and my two older stepsons all have accounts.

But you’ve got to be careful on there. Last Thursday I spent the better part of a day cleaning off spyware and a Trojan virus from my son’s machine. I had some precautions in place, but obviously not enough. I won’t go into the whole story, but we’re about 98% sure that it came not directly from MySpace, but from the page of someone who sent my stepson a private message.

It was a particularly nasty virus, known as a keylogger, which records keystrokes from your computer and sends anything interesting — user names and passwords, credit card numbers, social security numbers, etc. — to a hacker somewhere who collects them, presumably for identity theft purposes.

Turns out there’s another little disturbing fact about MySpace that I was unaware of… it seems you don’t have to actually have a valid e-mail address to use MySpace. In fact, apparently you can register under someone else’s address, as Auren Hoffman writes about in Assuming an Identity on MySpace:

That’s right … I can sign up on MySpace under your email address and assume your identity. MySpace does send an email to verify the email address – but you do not have to click on the verification email to use MySpace. You can still do everything on MySpace you’d always do – like creating an account, adding pictures, adding friends, and generally being active on MySpace. You can assume anyone’s identity on the number one site in America. But this is only if that email address was not used to sign up for an account.

He goes on to note that many people will just ignore the verification e-mail from MySpace, thinking that it’s not a valid one – perhaps a phishing scam – since they didn’t sign up themselves. If they ignore it, though, then someone else now has a MySpace account in not only their name, but their e-mail address as well.

The danger? Auren explains:

Though this can be fun and tame … like me signing up as Clark Kent @ superman.com … it can also be used for malicious purposes. Someone can assume another person’s identity, get people to trust them, and be fooled when that person goes to verify their email address in MySpace (which is the only way to verify someone today).

So what can you do to protect yourself?

First, install good anti-virus and anti-spyware software. If you just want to pay for this, you’re welcome to, but there are some excellent free solutions out there. I have tried most of them, and the ones that in my experience consistently find and fix things the others can’t are AVG Anti-Virus and Anti-Spyware.

Beyond that, MySpace offers some safety tips, but they fall way short. At the other end of the spectrum, I think some of the parent-oriented sites and privacy-advocate sites go a little overboard. I recommend Rock Safe from MyCityRocks, which offers practical and realistic guidelines to help users of social networking software protect their identity and participate safely.

Finally, download a free copy of The Virtual Handshake and read Chapter 16 on Privacy & Safety.

Have fun, be safe, and feel free to stop by and connect with me on MySpace.

The Presentation of Self in the Information Age

http://hbswk.hbs.edu/item/5435.html

by John Deighton

Executive Summary:

In the past, we knew a lot about the seller of a product (through ads, marketing, or reputation) but little about the individual buyer. Times have changed. From the Internet to store loyalty cards, technology has made the marketplace into an interactive exchange where the buyer is no longer anonymous. The future market will likely be one in which personal information is shared and leveraged. Consumers who are willing to share their information will be more attractive to sellers and more sought-after than those who have bad reputations or refuse to participate. Key concepts include:

* Consumers will play an increasingly leveraged role in the marketplace by “branding” themselves and sharing personal information with sellers.
* Technology is making the idea of consumer branding a reality, but it is unclear how personal information will be used in the marketplace, or which uses will be the most beneficial to both buyers and sellers.
* Look deeper into loyalty programs for the societal and commercial, and positive and negative effects of sharing personal information in the marketplace.

I Have Been Joe Jobbed – Need Your Help

It seems that an evil spammer (who shall remain nameless pending further investigation) has developed a personal vendetta against me and is maliciously trying to smear my reputation by posting bogus blog comment spam in my name (and my wife’s – that bastard!), linking to this site, my About.com site (entrepreneurs.about.com), and another domain I use just for e-mail.

This is a blog variation on a tactic employed by email spammers called a Joe job, “an incident of spamming designed to tarnish the reputation of an innocent third party.” (Wikipedia) While this tactic has been around for at least ten years, its application in blog comment spamming is new and presents a whole new set of issues in identifying the perpetrator and fighting it.

If you don’t want to read the whole story…
Click here if you have received one of these spam messages
Click here if you’d like to help me keep my name clear and stop this perpetrator

The posts are that genre of innocuous spam that doesn’t actually say enough to trip off the spam filters. Here are a couple of examples:

Posted on kcyap.com/wordpress-16-theme-design-competition:

Comment by Scott Allen

Hi. I’ve got some really good stuff for download at my site at http://snipurl.com/tvhamazon.
Not to be boasting or anything, but I am the coauthor of this little gem. Come on by and have a look.
BTW, your blog is just okay.

Posted on www.simonwaldman.net/2005/12/30/these-are-a-few:

Scott 512-215-9720 Says:

Hi. I’ve got some really good stuff for download at my site at
http://www.thevirtualhandshake.com/ Come on by and have a look.
BTW, your blog is great.

To anyone even remotely familiar with my work, it’s obvious that this is totally antithetical to everything I teach, everything I believe in, and couldn’t possibly be from me. But I’m not a household name to the vast majority of bloggers out there, so to someone who’s never heard of me, this is incredibly damaging to my reputation, to the book, and to my co-author David Teten by implication. In fact, I first learned this was occurring from a blogger who sent me a message saying:

Hi. I’ve got some really good spam on my blog from you – I really appreciated it. Thanks for visiting, I’m sorry your last name is “512-215-9720”

Does your book really sell that badly that you must spam blogs for more attention?

Never having visited their blog, I was shocked, to say the least. I can’t say that I blame them. Comment spam pisses me off too.

So how did this all start? I wrote to a comment spammer asking them to stop and telling them I was going to expose their site publicly as engaging in spam marketing if they continued.

So how do I know they’re the ones behind this?

  1. The fake posts started within minutes after sending that message.
  2. The site that was doing the spamming has comments right next to the fake comments in my name on all the same sites. Talk about a smoking gun!
  3. Other evidence I can’t disclose at this time.

What I’m Doing About This

I’m not an expert on spamming, or internet security, etc. But fortunately, a lot of really smart people in my network are. I’m not a lawyer, but a lot of smart people in my network are. I’m a bit of a PR expert, but I haven’t really ever had to deal with a smear campaign like this. Fortunately, some really smart people in my network have.

I turned to that network of really smart people that I’ve built up over the past few years and asked for advice. While there were certainly some differences of opinion, there were a few things that stood out as consistent advice, all of which I’m following.

  1. I’ve reported this to the FBI as a case of identity theft and fraud.
  2. I’ve reported it to About.com’s legal department, since they are now implicated by the impersonator linking to my site at About.
  3. I’m going on a counter-PR campaign to make sure my name stays clear and that this person is caught and prosecuted. This is what the vast majority of the people who gave me advice said to do. The legal process will be long and arduous. Counter-publicity is the only way that I can immediately combat the damage this person is doing to me right now.

I would never have wished for this. It’s going to be a pain in the rear to monitor this, collect the evidence, and take appropriate action. It creates a lot of work for me, and will damage my reputation with those people who never hear about this and just assume that I’m a spammer.

But ironically, in the process of trying to create negative publicity, this whole fiasco will probably end up generating far more positive publicity for me. As a result of my posting on one list, I ended up doing a full-hour interview on The David Lawrence Show last night. You can listen to the whole thing for just a quarter, or to the 10-minute podcast for free. Thanks, David!

How You Can Help

If you have received one of these bogus comments in my or my wife’s name (Jayne), please do the following:

  1. Leave it up until I can capture a screen shot as evidence.
  2. Make a note of the raw IP address.
  3. If you can, please make a note of any other comment spam from the same IP address. This is particularly important.
  4. Contact me with the information.
  5. Once I’ve confirmed back to you that I’ve got the screenshot, delete the comment.

If you would like to support me in helping keep my name clear and catch this perpetrator:

  1. Please post about it in your blog and link back to this post.
  2. If you see fake comments in my name like the ones above, please contact me with the URL so I can gather evidence and contact the blog owner.

Thanks for your understanding and support. I don’t know what I’d do without the support of the network I’ve built in the past few years — yet again another lesson in the importance of building a diverse and powerful network.

WiPhishing – phishing to wireless LAN users

From Mobile Pipeline, via Arieanna Foley:

Basically, the new phishing model will start with a log-in page for a public WiFi network. What you’d expect at any hotspot, really. …
Without realizing it, the user will enter personal information to the logon page, whereupon the hacker will proceed to put 45 or so viruses onto the computer.

The attack is specifically targeted at business people – it will typically take place at a tradeshow, airport or conference.

What can you do? Use a firewall. Use only those websites that have SSL security (watch for the logo and click on it). Try to use a VPN (virtual private network). Don’t stay connected to the wireless network if you don’t need to be.

Lawmakers OK Video Voyeurism Privacy Bill

The growth in cellphone cameras allows for more illegal video voyeurism.

This is the law of unintended consequences in action…