Scam of the day – November 26, 2015 – Security flaw discovered in Dell computers

November 26, 2015 Posted by Steven Weisman, Esq.

A security flaw in new Dell computers was discovered by some Dell customers who promptly reported it to Dell, which has responded by providing a patch.  The flaw involves a company-installed security certificate called “eDellRoot,” which ironically made these computers vulnerable to hackers, who could read encrypted messages and redirect Internet traffic to phony websites used to trick computer users into providing personal information that could make them victims of identity theft.

The motive behind the eDellRoot certificate was actually a good one.  According to Dell, “it was intended to provide the system service tag to Dell online support allowing us to quickly identify the computer model, making it easier and faster to service our customers.”  After a quick investigation, Dell has apologized and provided a security patch to correct the problem.


Dell has removed the eDellRoot program from the computers it is now selling; however, if you recently purchased a Dell computer, it is highly likely that it has the flawed program.  Here is a link from Dell to which you can go to remove the offending program.

Steve Weisman’s latest column from USA Today

November 25, 2015 Posted by Steven Weisman, Esq.

Here is a link to my latest column from today’s edition of USA Today.  It deals with the timely topic of identity theft and data breach threats while holiday shopping.  Happy Thanksgiving to all.

Scam of the day – November 25, 2015 – Gigi Hadid being blackmailed after apparent hacking

November 25, 2015 Posted by Steven Weisman, Esq.

Victoria’s Secret model Gigi Hadid is reportedly being blackmailed by hackers who allegedly stole photographs of her from her iCloud account and are threatening to make them public unless she pays a ransom.  Hadid has indicated that she has no intention of paying anything to the hackers.  This case brings back memories of the hacking and release of nude photos of a number of celebrities including Jennifer Lawrence, Kate Upton and Kim Kardashian in September of 2014.  Although presently it is unconfirmed whether her iCloud account actually has been hacked and, if so, how it was done, it is helpful to look back at how the celebrity iCloud accounts were hacked last year.  It appears that in many instances the hacker used the “forgot password” link on Apple’s iCloud, answered the security questions and was able to reset the victims’ passwords and gain access to their iCloud accounts.  In other instances, the phones from which the photos were stolen were hacked directly.


There are a number of lessons that we all can learn from how easy it was for hackers to gain access to someone’s iCloud account.  And to paraphrase Shakespeare, the fault is most often not “in the stars,” but our own responsibility.  All of us can be targets of hacking and we need to protect ourselves.  You should use a unique password for each of your accounts so that if any one of your accounts is hacked, the rest of your accounts are not in jeopardy.  Make sure the password is a complex password that cannot be guessed through a brute force attack.  Check out my book “Identity Theft Alert” for advice as to how to pick a secure and easy to remember password.  Also, even if you are not a celebrity, you would be surprised how much information is available online about you that can be used to come up with the answer to your security questions.  It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” for the question of what is your mother’s maiden name.  Also, take advantage of the dual-factor identification protocols offered by Apple and many others.  With dual-factor identification, your password is only the starting point for accessing your account.  After you have put in your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  Had Jennifer Lawrence and the other hacked celebrities used the dual-factor identification protocol last year, they would still have their privacy.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be the truth.  Smartphones save deleted photographs and videos on their cloud servers such as the Google+ service for Android phones and the iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

Scam of the day – November 24, 2015 – Woman pleads guilty to data breach at Michaels

November 23, 2015 Posted by Steven Weisman, Esq.

Some of you may remember the 2011 data breach at Michaels, a national chain of craft stores, in which 94,000 debit and credit card numbers were stolen along with the PINs for the debit cards.  Recently, Crystal Banuelos, the apparent mastermind of the scam, pleaded guilty to charges of conspiracy to commit bank fraud and aggravated identity theft.  Sentencing is scheduled for February 23, 2016 in the Federal District Court for New Jersey.  Unlike the notorious data breaches at Target and Home Depot, in this case, Banuelos and her co-conspirators physically went into 80 Michaels stores around the country posing as service technicians and swapped out legitimate card processing equipment for machines controlled by them.  These machines captured the credit card and debit card information along with the PINs used with the debit cards and transmitted that information electronically to Banuelos.  The information was then used to create counterfeit debit cards, which they used with the stolen PINs to steal $420,000 from their victims’ accounts through ATMs.


While PINs are encrypted in a fashion that makes it all but impossible for hackers of legitimate card processing equipment to capture PINs, the use of their own equipment enabled Banuelos and her cohorts to harvest PINs as well as credit and debit card information.  However, the new EMV chip card processing devices will not be as easily manipulated to steal this information in the future.  Again, the lesson for consumers is that you are only as safe as the places with which you do business that have the weakest security, so it is important to regularly check your bank account and credit card accounts for evidence of any fraudulent use and report that use as soon as possible.  It is also important to refrain from using your debit card for retail purchases because if your information is compromised, your rights under consumer protection laws are not as strong as if your credit card information is compromised.

Scam of the day – November 23, 2015 – Dish Network telephone scam

November 23, 2015 Posted by Steven Weisman, Esq.

The Dish Network is a popular satellite television and Internet provider used by millions of people, which is why it is a good hook for scammers who are calling people purporting to be Dish Network technicians and telling their intended victims that they need to update their satellite service at a cost of $120.  The scammer then uses the carrot and the stick approach.  The carrot is that after updating, the customer’s monthly bill would be reduced by $20.  The stick is that if they did not update, their satellite service would not work.


You can never be sure who is really calling you on the phone, which is why you should always be skeptical if someone demands money or personal information under any circumstances.  In this case, the Dish Network does not call its customers if it is upgrading their services and it would not charge for upgrades.  However, if you have any questions, you should do what Paula Zimmerman did when she received a call purporting to be from a Dish Network technician.  She merely called the real Dish Network customer service to confirm that indeed the call she had received was a scam.

Scam of the day – November 21, 2015 – Starwood hotels discloses major data breach

November 21, 2015 Posted by Steven Weisman, Esq.

Starwood hotels announced today that it has joined a long line of hotels that have suffered a significant data breach involving credit cards and debit cards.  Just in the last year, major data breaches have occurred at The Trump Hotel Collection, Hilton Hotels and the Mandarin Oriental.  The hacking involves fifty-four of its hotels including its Sheraton, Westin and W brands.  According to Starwood, the data breach resulted in the theft of credit and debit card information including card numbers, the names of the card holders, security codes and expiration dates of the affected cards.  The malware used to gather the data, consistent with some of the more recent hotel data breaches, was found in the payment systems at the hotels’ restaurants, gift shops, bars and other retail shops within the various hotels, but not at the front desk card processors.   The hacking started in November of 2014.   This type of data breach is something about which I wrote a column for USA Today a year ago in which I explained the pattern of these data breaches and why they occur.  Here is a link to that column, entitled “Coming Soon:  Another Major Retailer Hacked.”

Here is a link to the explanation by Starwood of the data breach.

Here is a link to a list of the affected hotels so that you can determine if you stayed at one of the affected hotels since November of 2014.

As is so often the case in these types of data breaches, Starwood is offering a year of free credit monitoring to those affected by the data breach, although it is certainly late to be counting on this to provide significant assistance.  Here is a link to information as to how to apply for the free credit monitoring.

The problem continues to be one of weak cybersecurity at many companies coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards.  Regulations effective October 1st mandate credit card issuers and retailers to switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have not switched over and are not expected to do so for some time.  If smart EMV chip cards had been used at the Starwood hotels, the information stolen in such a hacking would have been worthless, but since they still used the old-fashioned magnetic strip cards, Starwood and its customers face financial problems from this data breach.  Target, which learned its lesson the hard way, has already switched to the new EMV chip cards, as has WalMart.


Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted a year ago, continue to occur again and again.  As for us as consumers, the best we can do is to refrain from using our debit cards as anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  They are easy to use and they will provide you with much greater security.  If you used a credit card or debit card at any of the above-mentioned Starwood properties since November of 2014, you should carefully monitor your credit card account and bank account for any indication of a problem.

Scam of the day – November 19, 2015 – Verizon Wireless robocall scam

November 19, 2015 Posted by Steven Weisman, Esq.

Scammers are now making robocalls that purport to be from Verizon Wireless in which they promise a “bonus reward” payment of $54.  All you have to do in order to claim your “bonus reward” is go to a Verizon Wireless website and verify your personal information.  Of course, the website you are directed to is not a Verizon Wireless website although it appears genuine.  The account information you verify is actually being turned over to a scammer who uses this information to access your account, steal more information and make you a victim of identity theft.  Making the problem worse is that through a technique called “spoofing,” your Caller ID can be fooled into showing the call coming from “technical support,” and the number that it shows, 800-922-0204, is an actual Verizon Wireless customer assistance number although the call is not coming from Verizon Wireless customer assistance.


As I have mentioned many times, regardless of what your Caller ID may indicate, you can never be sure who actually is calling you when you receive a phone call and you cannot trust your Caller ID.  Of course, whenever you are promised something for nothing, as in this scam, you should always be skeptical.  If you have any thought that the offer may be legitimate, you can always contact the real company by going to a website address or calling at a phone number that you know is legitimate, not the phone number to which you are directed in the scammer’s telephone call, email or text.

Scam of the day – November 18, 2015 – Debt collection scams

November 18, 2015 Posted by Steven Weisman, Esq.

Debt collection scams essentially come in two varieties.  One occurs when scammers use deceptive and abusive tactics to collect on debts such as credit card debt in violation of the FTC Act and the Fair Debt Collection Practices Act.  Often these scammers misrepresent who they are, claiming to be sheriffs or other process servers, and falsely threaten their victims with arrest and other serious consequences.  Presently the FTC is returning millions of dollars to people who were abused by Asset Capital and Management Group in such a debt collection scam.  Victims of this particular company can get more information about receiving a check for their losses by calling 855-312-3324.  You also can click on the tab entitled “FTC Scam Refunds” at the top of this page.  I urge everyone to check out this particular tab from time to time to see if you are eligible for refunds relating to various FTC actions.

The second debt collection scam involves scammers harassing their victims about totally non-existent debts.  They manage to sound convincing to their unfortunate victims because the scammers have previously gathered much personal information about their potential victims so that when they talk to them on the phone they sound convincing and legitimate.  Using illegal collection tactics, they threaten arrest and garnishment of wages unless the victim pays the non-existent debt immediately.  Often out of fear, their victims pay.  The Federal Trade Commission (FTC) has taken action against 61 such scammers over the last three years, but the scam continues.  One particular phony debt collection scam shut down by the FTC operated out of call centers in India and scammed unsuspecting victims out of more than five million dollars before it was closed by the FTC.


Debtors have considerable rights pursuant to the Fair Debt Collection Practices Act, including the right of a debtor who may have been first contacted by phone to request that written documentation in support of the claimed debt be sent to the debtor before any further action is taken.  In addition, debtors have the right to demand that they not be contacted by phone, after which no legitimate debt collector will contact the debtor.  To do so would violate federal law.  For more information about your rights as a debtor and what to do if you are in debt or being hounded by someone posing as a legitimate debt collector, you can find much helpful information by clicking on this link to an interagency website for a number of different federal agencies.