Scam of the day – October 22, 2014 – Staples becomes the latest data breach victim

October 21, 2014 Posted by Steven Weisman, Esq.

Staples, the popular office supply store, is the latest major retailer to be hacked and suffer a data breach.  As I have written many times before, including in a column for USA Today in which I wrote about data breaches following the same pattern each time, the news about the Staples data breach is in the early stage where the company announces that it is investigating what it calls a “potential” credit and debit card breach.  As I indicated in my USA Today column, this is because the retailer generally does not discover that it has been hacked until banks monitoring fraudulent credit card use notice a pattern of fraudulent card use that leads back to the source of the stolen credit and debit cards, which in this case was some Staples stores.  Ironically, earlier in the day before it announced the “potential” data breach, Staples announced that the Staples App would work with Apple Pay, the new pay-by-phone app in the iPhone 6.  Greater use of pay-by-phone and smart credit cards with chips would dramatically reduce the problems caused by the epidemic of data breaches targeting the magnetic stripe credit and debit cards used throughout the United States.


At the moment, we don’t yet know how long the Staples data breach, which initially appears to have been limited to stores in the Northeastern United States, has been going on.  Certainly if you have shopped at a Staples store in the last six months you should carefully review your credit card statements and monitor your account carefully.  As always, I urge you not to use your debit card for retail purchases because of the greater risk of serious financial harm when compared to using a credit card, which provides greater consumer protection.  As more information about this data breach becomes known, I will let you know.

Scam of the day – October 21, 2014 – FDA sets rules for cybersecurity for medical devices

October 21, 2014 Posted by Steven Weisman, Esq.

I have been warning you about the dangers posed by the Internet of Things for a long time.  As more and more of the things we use become connected to the Internet, including but certainly not limited to cars, refrigerators, coffee makers and thermostats, it becomes tremendously convenient, for example, for us to use our smartphones to program our thermostats from afar so that our homes will have the proper temperature when we return from a day at work.  But every technological advance, regardless of how constructive it may seem, has the potential to be exploited by scammers, hackers and identity thieves.  Among the items that are a part of the Internet of Things are medical devices, both wearable and implanted.  Security was not a concern when these networked devices were created, and the concern that these devices could be manipulated is very real.  Generally they have lacked security measures for control of the device and authentication of those having access to the device.  In addition, they may be transmitting large amounts of sensitive data in an unencrypted manner.  Now the Food and Drug Administration has finally released guidelines on cybersecurity for medical devices.  The FDA is recommending to manufacturers that they consider cybersecurity risks when designing and manufacturing medical devices that are a part of the Internet of Things.  Medical devices that are a part of the Internet of Things should be manufactured so as to require authentication to access the device, and all data being transferred to and from the device should be encrypted.


As for us, the patients, it is incumbent upon us to insist that our medical care providers prove to us that our Internet of Things medical devices are secure before we agree to use any such devices.

Scam of the day – October 20, 2014 – Cybersecurity legislation

October 19, 2014 Posted by Steven Weisman, Esq.

The recent disclosure of the massive hacking of J.P. Morgan Chase and a number of other financial institutions has focused attention on the vulnerability of these companies at the core of the American economy.  Cybercrime is a reality of modern day life, but the manner in which the government and industry are presently battling this scourge is seriously lacking.  According to White House Cybersecurity Coordinator Michael Daniel, the administration has given up on its efforts to pass a large, comprehensive cybersecurity bill and instead is focusing its attention on a more piecemeal approach that would increase the authority of the Department of Homeland Security and facilitate cooperative efforts between the Department of Homeland Security and private companies.  The present lack of communication and cooperation between business and government is troubling.


The tremendous interconnectedness of computers, smartphones and other electronic devices has revolutionized every aspect of the way we live today, but it has also exposed tremendous vulnerabilities of individuals, companies and governments to attack by criminals and countries readily able to exploit those vulnerabilities.  It is incumbent upon us all to appeal to our business and government leaders to work together and come up with unified solutions that are sufficient to meet the dire threats we face while protecting the privacy of individuals as much as possible.  The talent is there.

Scam of the day – October 19, 2014 – AT&T to pay $105 million for cramming

October 19, 2014 Posted by Steven Weisman, Esq.

Cramming is the name for putting unauthorized third party charges onto a consumer’s telephone bill without the knowledge or approval of the consumer.  This has long been a problem with landline phones and recently has become a major problem with cellular service.  There are many ways that these unauthorized charges make their way onto a victim’s phone bill; sometimes, consumers unknowingly sign up for premium texting services that may be for things such as flirting tips, horoscopes or celebrity gossip.  Whatever the source of the charges, they are fraudulent and typically cost about $9.99 per month and continue to appear for months without end.  Recently AT&T agreed to pay $105 million to settle cramming charges brought by the Federal Trade Commission.  Of that total, $80 million will be refunded to affected customers by the FTC.  It is expected that other phone providers will be faced with similar charges, although AT&T is the first to reach a national settlement.  Under the terms of the settlement, AT&T is required to notify all affected customers of the settlement and that refunds are available.


If you believe you were a victim of cramming on your AT&T bill, you have until May 1, 2015 to file a claim on the FTC’s website at

Even if you are not an AT&T customer you should carefully review your phone bill each month to make sure that there are no unauthorized charges.

Scam of the day – October 18, 2014 – Was Dropbox hacked?

October 17, 2014 Posted by Steven Weisman, Esq.

Dropbox is a popular service that enables you to store photos, documents and other information in the cloud.  Hackers are claiming that they stole close to 7 million Dropbox usernames and passwords and have posted some of these on black market websites, offering to post more in exchange for bitcoins, the untraceable digital currency.  According to Dropbox, however, the company has not been hacked.  Dropbox says that because people often use the same username and password for multiple accounts, that information was stolen from other, less secure companies and then tried on Dropbox.  According to a Dropbox spokesman, “These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts.  We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now.  All other remaining passwords have been expired as well.”


This is another example of why it is a good practice to have separate, distinct passwords and usernames for all of your accounts, so that if one company where you have your information is hacked, your other accounts are not endangered.  In addition, as always, if the company with which you are dealing provides for dual factor authentication, you should take advantage of it to provide added security, so that you would not be in danger of having your account taken over even if someone managed to get your username and password.  Dropbox provides for dual factor authentication.  If you use Dropbox and haven’t yet added dual factor authentication, here is a link to enable you to set it up for your account.

Scam of the day – October 17, 2014 – Another Heartbleed-like security flaw discovered

October 17, 2014 Posted by Steven Weisman, Esq.

We all remember the Heartbleed scare from last April, when a security flaw in the OpenSSL encryption software used throughout the Internet was discovered and a rush to fix it followed before the flaw could be extensively exploited by hackers.  Now we learn about another flaw in encryption software which, although not as serious as Heartbleed, is still significant.  This one goes by the acronym POODLE, which stands for Padding Oracle On Downgraded Legacy Encryption.  A POODLE attack could enable a hacker to steal information from unwary victims.  Fortunately, patches have been created and are provided below.


Here is a link from the Department of Homeland Security to security updates to resolve this problem.

And while we are at it, here are the latest Department of Homeland Security links to security updates for Mozilla Firefox and Thunderbird.

Scam of the day – October 16, 2014 – FDA warns consumers about Ebola treatment scams

October 16, 2014 Posted by Steven Weisman, Esq.

The recent outbreak of the deadly Ebola virus in West Africa has many people around the world concerned about the spread of this disease.  As usual, scam artists, the only criminals we call artists, are ready to exploit the public’s fear and concerns by offering for sale various medicines that they say will prevent or successfully cure Ebola.  These quack medicines are being sold on the Internet.  None of them are effective.  Presently no vaccine or drug has been approved by the FDA to either prevent or treat Ebola, although there are a number of experimental vaccines and treatments in development that are not available to the public at this time.  So if you are tempted to buy an Ebola related medicine or a supplement that claims to prevent or cure Ebola, don’t give in to the temptation.  You will only be wasting your money.


Check with your physician before embarking on any medical treatment.  As for supplements, you cannot trust any advertisement for any supplement that indicates that it prevents or cures any disease because federal law outlaws such claims.  It is also important to remember that even if you see an advertisement for an Ebola medicine on legitimate media, such as newspapers, radio, television, magazines or the Internet, you cannot be confident that the medicine being advertised is legitimate.  Media companies do not investigate the efficacy of the products sold through their advertisements.

Scam of the day – October 15, 2014 – Medicare open enrollment scams

October 15, 2014 Posted by Steven Weisman, Esq.

The open enrollment period for Medicare begins today, October 15th, and goes until December 7th.  This is the only time during the year that people enrolled in Medicare can change their Medicare health plans, supplemental or Medigap plans and their prescription drug plans.  By now, people already enrolled in Medicare should have received an Annual Notice of Change from their health insurance providers describing any changes to their plans, such as the dropping of particular drugs from their prescription drug plan.  If you are satisfied with your plans, you do not need to do anything.

Scammers and identity thieves view the open enrollment period as senior citizen hunting season, as myriad Medicare scams are common during this time.  Among the scams are phone calls or emails purporting to be from Medicare informing you that Medicare is issuing new Medicare cards and that in order to continue to receive benefits, you need to obtain a new card, which can be done by providing the person contacting you with your Medicare number, which is your Social Security number.  If you provide this number, you will end up becoming a victim of identity theft.  Other times you may be contacted by someone purporting to be from your insurance company asking to verify information.  Again, this is a common tactic of identity thieves trying to trick you into providing information.  You also may be contacted by people claiming to have supplemental insurance programs that will save you thousands of dollars.  Here too, you cannot be sure that they are legitimate when they contact you by phone, text message, email or even regular mail.


Medicare is not issuing new cards and it will never contact you by phone and ask for your Medicare number.  Never give personal information to anyone who calls you on the phone, because you can never be sure who is actually on the other end of the line.  Through a technique called “spoofing” a scammer can fool your Caller ID and make it appear that the call is from the government or some legitimate company when in fact it is from an identity thief who is eager to steal your money.  If you want to get information you can trust about what insurance plans are available to you and at what cost, merely go to the “Plan Finder” section of Medicare’s website.  If you want to speak with someone on the phone, call Medicare at its 24 hour hotline, 1-800-MEDICARE.

Scam of the day – October 14, 2014 – Snapchat hacked in “the Snappening”

October 14, 2014 Posted by Steven Weisman, Esq.

After days of rumors, it was confirmed that Snapchat, the mobile app used for transmitting photos and videos that purport to self-destruct after viewing, was the victim of a hacking in which approximately 90,000 photographs and 9,000 videos were stolen.  Reports indicate that this hacking may have been going on for years.  The stolen videos and photos were originally posted on the website which has now been taken down.  The material was later posted on Reddit and also 4chan, the website where the recent celebrity iCloud hacked photos first appeared.  The hacking appears not to have been a direct hack of Snapchat itself, but rather of a third party app used to save Snapchat photos and videos.  Particularly troublesome about this hacking is the fact that about half of Snapchat users are between the ages of 13 and 17, making nude photos and videos of these Snapchat users child pornography.


Although Snapchat does not appear to be implicated in this data breach, it does not have a great history of protecting the privacy of its users, as evidenced by a privacy complaint brought by the FCC which was later settled.  This incident does, once again, emphasize the dangers of downloading apps from non-legitimate app stores instead of the established app stores such as iTunes or Google Play.  It also highlights the need for people to remember that their privacy is only as secure as the weakest places that hold their information, photos or other material.  Nothing is foolproof.

Scam of the day – October 13, 2014 – Attention Kmart shoppers: You have been hacked

October 13, 2014 Posted by Steven Weisman, Esq.

Yesterday, I told you about Dairy Queen becoming the most recent company to announce that it had been hacked.  Today, it is my duty to tell you that Dairy Queen has lost that honor to Kmart, which, in a filing with the SEC, announced that it too had been hacked and suffered a data breach in which debit card numbers and credit card numbers had been compromised through the same type of “Backoff” malware that I have been warning you about for months.  The data breach began in early September and was discovered by Kmart on October 9th.  Required filings with the SEC have become the most common way for the public to learn that they have been involved in a data breach at the companies where they shop.  The pattern of this data breach again follows what I described in my column for USA Today on September 27th entitled “Coming soon:  Another major retailer hacked,” in which I provided a fill-in-the-blank format for the stories of future data breaches and predicted exactly how they would occur, which is precisely what happened at Kmart.  Here is a link to that column:

Kmart has assured its customers that no debit card PINs were compromised, but this is of little consolation since, as I described in my Scam of the day of January 1, 2014, identity thieves can often decipher PINs using computer programs that easily crack the many common PINs that people use.  To make things worse, even if you have a very secure PIN, as I described in my Scam of the day for September 12, 2014, identity thieves are exploiting vulnerabilities in bank security systems to merely change the PINs of the stolen cards and thereby bypass the need to know the PINs of the cards they steal.  Heads they win, tails you lose.


As I so often say, you are only as safe as the places you do business with that have the weakest security.  Despite government warnings last July to retailers about the dangers of the “Backoff” malware, thousands of retailers have still not taken the necessary steps to protect their computer systems.  All that we can do is to refrain from using debit cards for retail purchases and only use credit cards.  The laws protecting you from fraudulent use of debit cards are not as strong as those that pertain to fraudulent use of credit cards.  Also, since there is always a time lag between when the data breach actually occurs and when the company realizes that it has been hacked, it is important to regularly monitor your credit card statements for fraudulent purchases.

These kinds of retail hackings will continue to happen and provide tremendous profits to hackers and identity thieves until retailers in the United States join the rest of the world and implement the smart card with chip technology already used everywhere else.

Kmart will be offering free credit monitoring to affected customers.  For more information, go to their website or call them at 888-488-5978.