Scam of the day – October 26, 2014 – Myverizon38.com scam

October 26, 2014 Posted by Steven Weisman, Esq.

This scam is a slight variation of the scam I reported to you on March 6, 2014 in the Scam of the day. “Spoofing” is the name for the tactic used by identity thieves to make a call that you receive appear to come from a legitimate source when, in truth, it is from a scammer who has merely managed to make it look like the call is legitimate. Many people are reporting receiving calls on their smart phones or landlines that on Caller ID appear to be from “Technical Support” and carry a telephone number that is a real number for Verizon Wireless technical support. The call received is an automated robocall that informs you that you are eligible for a $38 reward and then directs you to the website www.myverizon.38.com. This website is a phony website which lures you into providing personal information that is then used to make you a victim of identity theft. In other variations of this scam, merely by clicking on a link on the phony website, you will unwittingly download keystroke logging malware that will steal the personal information from your computer and use this information to make you a victim of identity theft. This type of scam, by which a legitimate-looking, phony website tricks you into providing personal information or clicking on tainted links, is called “phishing.” Back when I first reported on this scam to you, the phony website was www.verizon54.com and the amount of the phony reward was $54.

TIPS

You can never trust a phone call to actually be from whom the caller says. Spoofing is easy for identity thieves to accomplish. Don’t be tricked into trusting a telephone call. In addition, robocalls are illegal so you should never trust a prerecorded call. Nor should you click on links that you are not sure are legitimate. If you have any thought that the original contact might be legitimate, contact the company directly at a website address or telephone number that you know is accurate to inquire about the particular matter.

Scam of the day – October 25, 2014 – Sergei Tsurikov sentenced to 11 years for credit card hacking

October 25, 2014 Posted by Steven Weisman, Esq.

Sergei Tsurikov, an Estonian hacker, was sentenced to eleven years in federal prison following his conviction for the sophisticated hacking of RBS WorldPay, a credit card processing company. The scheme involved hacking into the computers of RBS WorldPay, breaking the encryption software used by RBS WorldPay and accessing the customer data on payroll debit cards used by a number of RBS WorldPay’s customers to pay their employees. Payroll debit cards are used as a way of allowing employees to conveniently withdraw their wages through ATMs. Through his hacking, Tsurikov was able to raise the account limits on the hacked accounts and then provided a network of his accomplices around the world with 44 counterfeit cards that were used to withdraw more than 9 million dollars from more than 2,100 ATMs in more than 200 cities in the United States, Russia, Ukraine, Estonia, Japan, Canada and other countries. The entire robbery was accomplished in less than twelve hours.

TIPS

Sophisticated hackers are rarely caught and prosecuted, which is one reason that this type of crime is such a growth industry. In particular, one of the problems has been getting the cooperation of foreign law enforcement agencies necessary to take effective action against this type of crime. However, in this instance, there was significant international cooperation throughout the investigation and later prosecution by law enforcement agencies in the United States, Estonia, the Netherlands and Hong Kong. Ultimately, it was Estonian law enforcement that apprehended Tsurikov, who was then extradited by Estonia to the United States where he was put on trial and convicted. This is a very positive step forward in fighting international cybercrime.

Scam of the day – October 24, 2014 – President Obama’s Executive Order regarding credit card security and identity theft

October 24, 2014 Posted by Steven Weisman, Esq.

President Obama has signed an Executive Order leading the way for greater protection for Americans from data breaches and identity theft. He also announced that a number of companies including Home Depot, Target, Walgreen and Walmart are accelerating their move to more secure chip and PIN credit card use at their stores. Although regulations would encourage retailers to switch to these smart cards no later than October of 2015, these companies are planning on completing the move to smart card readers by January of 2015, with Walmart already leading the way. Also starting in January, Citi and FICO are joining together to make credit scores available free to Citi Bank credit card holders. Already providing free credit scores are Discover, Barclaycard, Pentagon Credit Union and First National Bank of Omaha. It is hoped that more banks will follow this example. Under the President’s order, the reporting of credit card fraud will be made quicker and easier within two years. Finally, the President announced that the Department of Justice and the FBI are working to improve information sharing between hacked companies and affected consumers with the National Cyber-Forensics and Training Alliance’s Internet Fraud Alert System.

TIPS

The President’s actions are a good first step and they do indicate a greater willingness of businesses to work with the government in order to better protect consumer data. However, much remains to be done and Congressional action is definitely required to improve the laws necessary to protect consumers from data breaches and identity theft. Still, it is good to see the President taking the lead on this important issue. Meanwhile, the primary responsibility for protecting ourselves from identity theft still rests with all of us as individuals. I urge you to pick up a copy of my new book “Identity Theft Alert” which provides simple steps you can take to dramatically improve your chances of avoiding identity theft. You can order the book from Amazon by clicking on the link on the right-hand side of this page. I also urge you to read scamicide.com every day so you can become aware of the latest scams and identity theft schemes.

Scam of the day – October 23, 2014 – Latest security updates from the Department of Homeland Security

October 23, 2014 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats. Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices. Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use. Delay in updating your software could lead to disastrous results. However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update. That is why we provide links to the necessary patches and updates as provided by the Department of Homeland Security and the companies directly. Today’s updates include many important updates and security patches to prevent serious problems, including important security updates for Microsoft Windows, Internet Explorer, Mozilla Firefox, iPhones and Apple TV.

TIPS

Here are the links to the latest security updates as issued by the Department of Homeland Security:

https://www.us-cert.gov/ncas/current-activity/2014/10/22/Microsoft-Releases-Advisory-Unpatched-Windows-Vulnerability

https://www.us-cert.gov/ncas/bulletins/SB14-293

https://www.us-cert.gov/ncas/bulletins/SB14-286

https://www.us-cert.gov/ncas/current-activity/2014/10/20/Apple-Releases-Security-Updates-iOS-and-Apple-TV

Scam of the day – October 22, 2014 – Staples becomes the latest data breach victim

October 21, 2014 Posted by Steven Weisman, Esq.

Staples, the popular office supply store, is the latest major retailer to be hacked and suffer a data breach. As I have written many times before, including in a column for USA Today in which I wrote about the data breaches following the same pattern each time, the news about the Staples data breach is in the early stage where the company announces that it is investigating what it calls a “potential” credit and debit card breach. As I indicated in my USA Today column, http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/ this is because the retailer generally does not discover that it has been hacked until banks monitoring fraudulent credit card use notice a pattern of fraudulent card use that leads back to the source of the stolen credit and debit cards, which in this case was some Staples stores. Ironically, earlier in the day before it announced the “potential” data breach, Staples announced that the Staples App would work with Apple Pay, the new pay by phone App in the iPhone 6. Greater use of pay by phone and smart credit cards with chips would dramatically reduce the problems caused by the epidemic of data breaches targeting magnetic strip credit and debit cards used throughout the United States.

TIPS

At the moment, we don’t yet know how long the Staples data breach, which initially appears to have been limited to stores in the Northeastern United States, has been going on. Certainly if you have shopped at a Staples store in the last six months you should carefully review your credit card statements and monitor your account carefully. As always, I urge you not to use your debit card for retail purchases because of the greater risk of serious financial harm when compared to using a credit card, which provides greater consumer protection. As more information about this data breach becomes known, I will let you know.

Scam of the day – October 21, 2014 – FDA sets rules for cybersecurity for medical devices

October 21, 2014 Posted by Steven Weisman, Esq.

I have been warning you about the dangers posed by the Internet of Things for a long time. As more and more of the things we use become connected to the Internet, including but certainly not limited to cars, refrigerators, coffee makers and thermostats, it becomes tremendously convenient, for example, for us to use our smart phones to program our thermostats from afar so that our homes will have the proper temperature when we return from a day at work. But every technological advance, regardless of how constructive it may seem, has the potential to be exploited by scammers, hackers and identity thieves. Among the items that are a part of the Internet of Things are also medical devices, both wearable and implanted. Security was not a concern when these networked devices were created, and the concern that these devices can be manipulated is very real. Generally they have lacked security measures for control of the device and authentication of those having access to the devices. In addition, they may be transmitting large amounts of sensitive data in an unencrypted manner. Now the Food and Drug Administration has finally released guidelines on cybersecurity for medical devices. The FDA is recommending to manufacturers that they consider cybersecurity risks when designing and manufacturing medical devices that are a part of the Internet of Things. Medical devices that are a part of the Internet of Things should be manufactured so as to require authentication to access the device, and all data being transferred to and from the device should be encrypted.

TIPS

As for us, the patients, it is incumbent upon us to insist that our medical care providers prove to us that our Internet of things medical devices are secure before we agree to use any such devices.

Scam of the day – October 20, 2014 – Cybersecurity legislation

October 19, 2014 Posted by Steven Weisman, Esq.

The recent disclosure of the massive hacking of J.P. Morgan Chase and a number of other financial institutions has focused attention on the vulnerability of these companies at the core of the American economy. Cybercrime is a reality of modern day life, but the manner in which the government and industry are presently battling this scourge is seriously lacking. According to White House Cybersecurity Coordinator Michael Daniel, the administration has given up on its efforts to pass a large, comprehensive cybersecurity bill and instead is focusing its attention on a more piecemeal approach that would increase the authority of the Department of Homeland Security and facilitate cooperative efforts between the Department of Homeland Security and private companies. The present lack of communication and cooperation between business and government is troubling.

TIPS

The tremendous interconnectedness of computers, smartphones and other electronic devices has revolutionized every aspect of the way we live today, but it has also exposed tremendous vulnerabilities of individuals, companies and governments to attack by criminals and countries readily able to exploit those vulnerabilities.  It is incumbent upon us all to appeal to our business and government leaders to work together and come up with unified solutions that are sufficient to meet the dire threats we face while protecting the privacy of individuals as much as possible.  The talent is there.

Scam of the day – October 19, 2014 – AT&T to pay $105 million for cramming

October 19, 2014 Posted by Steven Weisman, Esq.

Cramming is the name for putting unauthorized third-party charges on to a consumer’s telephone bill without the knowledge or approval of the consumer. This has long been a problem with landline phones and recently has become a major problem with cellular service. There are many ways that these unauthorized charges make their way to a victim’s phone. Sometimes, consumers actually unknowingly sign up for premium texting services that may be for things such as flirting tips, horoscopes or celebrity gossip. Whatever the source of the charges, they are fraudulent and typically cost about $9.99 per month and continue to appear for months without end. Recently AT&T agreed to pay $105 million to settle cramming charges brought by the Federal Trade Commission. Of that total, $80 million will be refunded to affected customers by the FTC. It is expected that other phone providers will be faced with similar charges, although AT&T is the first to reach a national settlement. Under the terms of the settlement, AT&T is required to notify all affected customers of the settlement and that refunds are available.

TIPS

If you believe you were a victim of cramming on your AT&T bill, you have until May 1, 2015 to file a claim on the FTC’s website at https://www.ftcsettlementatt.com/en/Claim

Even if you are not an AT&T customer you should carefully review your phone bill each month to make sure that there are no unauthorized charges.

Scam of the day – October 18, 2014 – Was Dropbox hacked?

October 17, 2014 Posted by Steven Weisman, Esq.

Dropbox is a popular service that enables you to store photos, documents and other information in the cloud. Hackers are claiming that they stole close to 7 million Dropbox usernames and passwords and have posted some of these on black market websites, offering to post more in exchange for bitcoins, the untraceable digital currency. According to Dropbox, however, the company has not been hacked. Dropbox says that because people often use the same username and password for multiple accounts, that information was stolen from other, less secure companies and then used in attempts to log in to Dropbox. According to a Dropbox spokesman, “These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts.  We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now.  All other remaining passwords have been expired as well.”

TIPS

This is another example of why it is a good practice to have separate, distinct passwords and usernames for all of your accounts so that if one company where you have your information is hacked, your other accounts are not endangered. In addition, as always, if the company with which you are dealing provides for dual factor identification, you should take advantage of this to provide added security so that you would not be in danger of having your account taken over even if someone managed to get your username and password. Dropbox provides for dual factor identification. If you use Dropbox and haven’t yet added dual factor identification, here is a link to enable you to set it up for your account: https://blog.dropbox.com/2014/10/have-you-enabled-two-step-verification/

Scam of the day – October 17, 2014 – Another Heartbleed-like security flaw discovered

October 17, 2014 Posted by Steven Weisman, Esq.

We all remember the Heartbleed scare from last April, when a security flaw in the OpenSSL encryption technology used throughout the Internet was discovered and there was a rush to fix it before the flaw could be extensively exploited by hackers. Now we learn about another flaw in encryption software which, although not as serious as Heartbleed, is still significant. This one goes by the acronym of POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption. A POODLE attack could enable a hacker to steal information from unwary victims. Fortunately, patches have been created and are provided below.

TIPS

Here is a link from the Department of Homeland Security to security updates to resolve this problem.  https://www.us-cert.gov/ncas/current-activity/2014/10/16/OpenSSL-Patches-Four-Vulnerabilities

And while we are at it, here are the latest Department of Homeland Security links to security updates for Mozilla Firefox and Thunderbird.  https://mail.aol.com/38798-516/aol-6/en-us/Suite.aspx