Scam of the day – September 21, 2016 – New proposed rules for New York financial services companies

September 21, 2016 Posted by Steven Weisman, Esq.

The New York Department of Financial Services has just proposed significant new cybersecurity rules for banks and financial services companies doing business in New York. These regulations come in the wake of repeated cybersecurity breaches at many banks and other financial services companies.  While the regulations set minimal standards all institutions must follow, the regulations were written in a manner to encourage companies to go further and not limit security innovation.  Among the provisions of the regulations are the establishment of the position of chief information security officer at each company as well as increased use of encryption and dual factor authentication.  In addition, the proposed regulations also carry potential criminal liability for officials of companies not meeting the new standards.  The proposed regulations are open to public comment for 45 days and are slated to go into effect on January 1, 2017.

TIPS

Here is a link to the proposed regulations.  http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf

While these regulations are a good start toward more secure banking, it is still important for all of us to take responsibility for our own secure banking.  First and foremost, you should monitor your bank accounts often for indications of any irregularities.  You should be particularly careful when banking with your smartphone or on your computer.  Use a strong password, a strong security question and multi-factor authentication whenever possible.  Here is a link to a column which I wrote for USA Today with more tips on how to protect yourself when banking online or on your phone.  http://www.usatoday.com/story/money/columnist/2016/02/27/e-banking-tip-moms-maiden-name-say-grapefruit/80756330/

Scam of the day – September 20, 2016 – Income tax identity thief sentenced

September 19, 2016 Posted by Steven Weisman, Esq.

Jesse Scott Wilson of Alaska was recently sentenced to 92 months in prison for his role in an income tax identity theft ring that electronically filed at least 428 phony income tax returns using stolen Social Security numbers, resulting in refunds of $681,258 being paid to Wilson and his three cohorts.  Wilson will not have to go far in order to start his prison sentence because both he and his fellow conspirators were already incarcerated in an Alaska prison throughout the time that they managed to pull off their crime.  This just serves as an example of how incredibly easy it has become for someone to commit income tax identity theft, which costs American taxpayers billions of dollars each year.

In 2015 the IRS instituted a new cooperative effort between the IRS, state tax administrators and private tax preparation leaders.  Included among the steps being taken are review by the IRS of the IP addresses of computers filing income tax returns, to identify computers filing multiple returns, and review of the time it takes to complete an electronic income tax return, which can also help identify fraudulent returns since completing a fraudulent return generally takes less time than a legitimate return.  In addition, income tax preparation software companies will be using enhanced validation protocols, including increased use of security questions.

However, all of these steps, which are expected to cost taxpayers an additional 281 million dollars to implement, totally miss the point.  The easiest and simplest way to dramatically reduce income tax identity theft still is not being done by Congress, namely changing the laws regarding employers' filing of W-2s.  Under present law, for the upcoming tax filing season, employers must file W-2s with the federal government by February 29th if they file paper W-2s and as late as March 31st if they file, as so many do, electronically.  Unfortunately, Congress in its infinite wisdom requires these W-2s to be filed with the Social Security Administration (SSA) by those dates.  The SSA does not send the W-2s to the IRS until July, so the IRS does not get around to matching the W-2s filed by employers with those filed by individual taxpayers with their income tax returns until months after the IRS has already sent a refund based on the W-2 filed by the taxpayer or identity thief.  In order to dramatically reduce income tax identity theft, all Congress has to do is merely require employers to file W-2s with the IRS instead of waiting for the SSA to send them to the IRS.  It also would make much more sense than Congress appears to have to require the IRS to match those employer-filed W-2s with those filed by individual taxpayers BEFORE sending out a refund, in order to easily identify counterfeit W-2s.  For years Congress has been advised to make these simple changes, but it still fails to do so.
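To make the screening steps in the two paragraphs above concrete, here is an added illustration (my own example code, not anything the IRS or a tax software company has published) of the three checks they describe: the same IP address filing several returns, a return completed implausibly fast, and, the step the column argues for, reconciling the taxpayer's W-2 against the employer-filed W-2 before a refund is released.  All filings, employer records, IP addresses and thresholds are constructed for the illustration.

```python
"""Refund screening on electronically filed returns: (1) many returns from one
IP address, (2) returns completed unusually quickly, (3) W-2 figures that do
not reconcile with what the employer filed.  Every record and threshold below
is constructed for illustration; the last-4 digits are not real SSNs."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Filing:
    return_id: str
    ssn_last4: str           # constructed identifier
    source_ip: str
    minutes_to_complete: int
    reported_w2_wages: int   # wages the filer claims on the attached W-2
    employer_ein: str        # constructed employer id


# Employer-filed W-2s keyed by (employee, employer): what the employer says it paid.
EMPLOYER_W2S = {
    ("1234", "EIN-A"): 52000,
    ("5678", "EIN-B"): 61000,
    ("9012", "EIN-C"): 43000,
    # nothing on file for employees 3456 and 7890 at "EIN-Z"
}

FILINGS = [
    Filing("R1", "1234", "203.0.113.10", 55, 52000, "EIN-A"),  # legitimate
    Filing("R2", "5678", "203.0.113.11", 48, 61000, "EIN-B"),  # legitimate
    Filing("R3", "9012", "198.51.100.7", 6, 78000, "EIN-C"),   # fast, inflated wages
    Filing("R4", "3456", "198.51.100.7", 5, 66000, "EIN-Z"),   # same IP, no employer W-2
    Filing("R5", "7890", "198.51.100.7", 7, 71000, "EIN-Z"),   # same IP, no employer W-2
]

MAX_RETURNS_PER_IP = 2      # assumed threshold: more than this from one IP is suspicious
MIN_PLAUSIBLE_MINUTES = 10  # assumed threshold: real returns rarely finish faster


def returns_per_ip(filings):
    """Map each source IP to the return ids filed from it."""
    by_ip = defaultdict(list)
    for f in filings:
        by_ip[f.source_ip].append(f.return_id)
    return dict(by_ip)


def w2_mismatch(filing, employer_w2s):
    """Reason string if the filed W-2 does not reconcile with the employer copy, else None."""
    key = (filing.ssn_last4, filing.employer_ein)
    if key not in employer_w2s:
        return "no employer-filed W-2"
    if employer_w2s[key] != filing.reported_w2_wages:
        return f"wages {filing.reported_w2_wages} != employer-reported {employer_w2s[key]}"
    return None


def screen(filings, employer_w2s):
    """Return {return_id: [flags]}; an empty list means the refund can be released."""
    by_ip = returns_per_ip(filings)
    result = {}
    for f in filings:
        flags = []
        if len(by_ip[f.source_ip]) > MAX_RETURNS_PER_IP:
            flags.append(f"ip {f.source_ip} filed {len(by_ip[f.source_ip])} returns")
        if f.minutes_to_complete < MIN_PLAUSIBLE_MINUTES:
            flags.append(f"completed in {f.minutes_to_complete} min")
        reason = w2_mismatch(f, employer_w2s)
        if reason:
            flags.append(reason)
        result[f.return_id] = flags
    return result


def refunds_to_hold(filings, employer_w2s):
    """Return ids whose refund should be held for review, sorted."""
    return sorted(rid for rid, flags in screen(filings, employer_w2s).items() if flags)


if __name__ == "__main__":
    for rid, flags in screen(FILINGS, EMPLOYER_W2S).items():
        print(rid, "HOLD" if flags else "release", flags)
```

The W-2 reconciliation is the check that only works if the employer copy is already in hand when the return arrives, which is the point the column makes about the SSA-to-IRS delay: with no employer record to compare against, R4 and R5 can only be caught by the weaker IP and timing heuristics.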

TIPS

Try as it may, the IRS is having a difficult time stopping income tax identity theft, by which an identity thief steals your personal information, files a phony income tax return using your name and gets a refund.  Along with protecting your personal information, particularly your Social Security number, as much as you can, the best thing you can do to avoid becoming a victim of income tax identity theft is to file your income tax return early.  Income tax identity theft can only work when the criminal is able to file an income tax return using your name and Social Security number before you file your own legitimate income tax return, so consider filing as early as possible.

Scam of the day – September 19, 2016 – Accused autistic hacker to be extradited to the United States

September 18, 2016 Posted by Steven Weisman, Esq.

Thirty-one-year-old accused hacker Lauri Love, who lives with his parents in Britain, was ordered last week to be extradited to the United States to face charges that he hacked into the computers of numerous high-profile victims including the Federal Reserve, the Department of Defense, NASA and even the FBI.  One thing that makes his case unique is that Love has Asperger’s syndrome, a form of autism.  However, a hacker having autism may not be as unusual as you might think.  Recent research tends to show that many people with autism have a particular aptitude for computer technology, and many autistic people are active in online gaming forums where they may come into contact with cybercriminals seeking to exploit their skills.  Other autistic people may see hacking as just another online game and not be fully aware of the consequences.

TIPS

The fact that high-profile government agencies such as the Federal Reserve, the Department of Defense, NASA and the FBI have been so vulnerable to hackers, even relatively unsophisticated hackers, is not particularly comforting.  Cybersecurity is an essential element of the functioning of the federal government, and it presently is not as good as it should be.  In July, President Obama released his first Federal Cybersecurity Workforce Strategy in an effort to “identify, recruit, develop, retain, and expand the pipeline of the best, brightest, and most diverse cybersecurity talent for Federal service and for our Nation.”  This is just the latest action by the Obama administration, which has been taking steps to increase cybersecurity since 2009.  For the most part, the new federal rules have been slow to transform the federal government’s cybersecurity culture, but hopefully, as the seriousness of cyberthreats becomes increasingly apparent, change will be more forthcoming.

Scam of the day – September 18, 2016 – Work at home reshipping scams

September 18, 2016 Posted by Steven Weisman, Esq.

Postal inspectors are again warning people about reshipping scams.  Reshipping scams sound appealing.  You get to work at home and all you have to do is receive goods your new employer sends you, which are often electronics, inspect them and reship them to an address provided by your new employer.  The problem is that these goods have been purchased with stolen credit cards, and you have just become an accomplice to the crime when you ship them to someone else who will then sell them to turn the merchandise into cash.  The term scammers use for the people doing the reshipping is “mule,” and it can get you into a lot of trouble: it makes you an accomplice to the crime and a participant in money laundering.  The companies offering this type of work may seem legitimate, but they are not.  Often the advertisements for these work at home scams appear in legitimate media that have not properly checked the legitimacy of the advertisements they run, so you can’t rely on the fact that the advertisement appears in a trusted media source.

TIPS

As always, if it sounds too good to be true, it usually is.  Check out any work at home offer with the big three – your local attorney general, the Better Business Bureau and the FTC.  And as always, you can Google the name of the particular company offering you the work at home program with the word “scam” next to it and see what turns up.  You also can use Google Earth to look at the physical address of the potential employer to see if it matches what the advertisement and communications with this employer indicate.  As for reshipping scams, they are always a scam and you should steer clear of them.

Scam of the day – September 17, 2016 – National Australia Bank phishing scam

September 17, 2016 Posted by Steven Weisman, Esq.

Phishing scams by identity thieves posing as your bank are not limited to the United States.  Reproduced below is a phishing email that is presently being sent to customers of the National Australia Bank and that is consistent with the pattern for such phishing emails around the world.  The email looks official and even has an easily counterfeited logo of the bank.  Such emails often indicate that unless you verify your account information, your account will be suspended.  In this particular phishing email, if the customer clicks on the link provided, it takes the customer to an official-looking page that asks for personal information including bank account and credit card information.  After filling in the form, the victim is actually directed to the real National Australia Bank website, but by then it is too late.  The victim has already turned over his or her information to an identity thief who can use it to access the victim’s bank account and credit card.

You should always ignore any email like this.

TIPS

Although the best rule to follow is never to click on any links or download attachments in emails and text messages unless you have absolutely confirmed that they are legitimate, phishing emails such as this have telltale indications that they are phony.  In this instance, the email is addressed to “Dear Customer.”  Any legitimate email that you would get from your bank would use your name and provide the last few digits of your account number.  In addition, no bank will ask you to verify account details by way of a link in an email or a text message.  If you receive an email or text message such as this and are concerned that it might be real, you should merely call your bank at a telephone number that you know is accurate, where you can confirm that the email was merely a phishing scam.
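The telltale signs listed above (a generic greeting, a threat to suspend the account, a link and a sender that do not belong to the bank's own domain) can be checked mechanically.  The following is an added example of my own, not code from the bank or from any security vendor: it runs those checks over a constructed email modelled on the one described.  The sender and link domains in the sample are reserved example/test names, not real sites, and treating nab.com.au as the bank's real domain is an assumption for the illustration.

```python
"""Heuristic screening of a bank-themed email for the indicators the post
describes.  The sample email is constructed; its domains are not real."""
import re
from email import message_from_string
from urllib.parse import urlparse

BANK_DOMAIN = "nab.com.au"   # assumption for the example: the bank's genuine domain

SAMPLE_EMAIL = """\
From: National Australia Bank <security@nab-verify.example>
To: customer@example.net
Subject: Account verification required

Dear Customer,

Unusual activity was detected. Unless you verify your account information
within 24 hours your account will be suspended.

Verify now: http://nab.com.au.account-update.example/login

National Australia Bank
"""

GENERIC_GREETINGS = ("dear customer", "dear client", "dear user", "dear valued customer")
URGENCY_PHRASES = ("will be suspended", "within 24 hours", "verify your account")


def sender_domain(msg):
    """Domain part of the From: address, lower-cased ('' if absent)."""
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def extract_urls(text):
    """All http(s) URLs appearing in a plain-text body."""
    return re.findall(r"""https?://[^\s<>"']+""", text)


def host_belongs_to(host, domain):
    """True only if host is the domain or a subdomain of it.
    A look-alike such as nab.com.au.account-update.example does NOT qualify,
    because the real domain must be the suffix, not the prefix."""
    host = host.lower().rstrip(".")
    return host == domain or host.endswith("." + domain)


def phishing_indicators(raw_email, bank_domain=BANK_DOMAIN):
    """Return the list of indicators found; empty means none of these checks fired."""
    msg = message_from_string(raw_email)
    if msg.is_multipart():
        body = "".join(p.get_payload() for p in msg.walk()
                       if p.get_content_type() == "text/plain")
    else:
        body = msg.get_payload()
    low = body.lower()
    findings = []
    if any(g in low for g in GENERIC_GREETINGS):
        findings.append("generic greeting instead of the customer's name")
    if any(p in low for p in URGENCY_PHRASES):
        findings.append("urgency or account-suspension threat")
    for url in extract_urls(body):
        host = urlparse(url).hostname or ""
        if not host_belongs_to(host, bank_domain):
            findings.append(f"link host {host} is not {bank_domain}")
    if not host_belongs_to(sender_domain(msg), bank_domain):
        findings.append(f"sender domain {sender_domain(msg)} is not {bank_domain}")
    return findings


def is_suspicious(raw_email, bank_domain=BANK_DOMAIN):
    """Two or more independent indicators is treated as phishing here (assumed threshold)."""
    return len(phishing_indicators(raw_email, bank_domain)) >= 2


if __name__ == "__main__":
    for finding in phishing_indicators(SAMPLE_EMAIL):
        print("-", finding)
```

The link check is the one worth studying: the fraudulent URL starts with the bank's real domain, which is exactly what fools a quick glance, and the suffix comparison in host_belongs_to is what catches it.  As the post says, none of this replaces simply calling the bank at a number you already know.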

Scam of the day – September 16, 2016 – Critical new updates to Adobe Flash

September 15, 2016 Posted by Steven Weisman, Esq.

After a one month break, new security updates have just been issued for Adobe Flash software.  I have been warning you for years about flaws in Adobe Flash that have been exploited by hackers and identity thieves against individuals, companies and government agencies including the U.S. State Department and the White House.  Problems with Adobe Flash are nothing new.  In 2010 Steve Jobs vociferously complained about its security and it has routinely been cited as being extremely vulnerable.  Despite security patch after security patch, new problems keep coming up.

Beginning on October 11th, Microsoft will block outdated versions of Adobe Flash from running in Internet Explorer on Windows 7.  If you use Windows 8.1, Windows 10 or Windows Server 2012 R2, this will not affect you because these systems automatically install Adobe Flash security patches.

It appears that just as companies retire certain programs when it is just too difficult to patch them, this may well be the time for Adobe to retire Flash, and if it doesn’t, you should consider retiring it yourself and replacing it with another plugin that performs the same function but is safer.  Adobe Flash has already been proven to be so vulnerable to successful attacks by hackers that installing new security patches as quickly as they are issued is little more than putting a Band-aid on the Titanic, if I can mix my metaphors.

TIPS

Here is the link to the latest Adobe Flash security update which I urge you to download as soon as possible if you wish to continue to use Adobe Flash: https://www.us-cert.gov/ncas/current-activity/2016/09/13/Adobe-Releases-Security-Updates

Some alternative plugins you may wish to consider to replace Adobe Flash include GNU Gnash and Silverlight.  Silverlight can be downloaded free directly from Microsoft at this link: https://www.microsoft.com/silverlight/ while GNU Gnash can be downloaded free at this link: http://www.gnu.org/software/gnash/

Scam of the day – September 15, 2016 – What the data breach at the World Anti-Doping Agency means to you

September 14, 2016 Posted by Steven Weisman, Esq.

The World Anti-Doping Agency (WADA), the international agency that enforces the rules regarding the use of performance enhancing drugs and other prohibited substances by athletes around the world was hacked, apparently by Russian hackers who released the medical files of American athletes Simone Biles, Venus Williams, Serena Williams and Elena Delle Donne.  In each case, the records show that these athletes used drugs that were permitted under the Therapeutic Use Exemptions for legitimate medical reasons.  In the case of Simone Biles, the records indicated that she took Ritalin for ADHD.  None of the use of these drugs appeared to be related to improper drug use for performance enhancement.

Perhaps the bigger aspect of this story, and one that is being overlooked in much of the media, is how the hacking was accomplished.  Once again it appears that the hacking was done by exploiting information obtained through spear phishing.  Spear phishing occurs when the victim receives an email or text message specifically tailored to him or her, with a link that the victim clicks on, unwittingly downloading keystroke logging malware that enables the hacker to steal all of the information from the victim’s computer or smartphone, including passwords and other critical information.

TIPS

Spear phishing has been used successfully by hackers in most of the major data breaches of the last few years, including Sony, Target and the Office of Personnel Management (OPM).  Spear phishing is distinguished from the usual phishing email, which can be easily spotted, because, unlike ordinary phishing emails and text messages, spear phishing emails and text messages often appear to come from a trusted source and contain sufficient personal or relevant information that they appear to be genuine.  Often, we are our own worst enemies because we provide too much personal information on social media that can be used by clever cybercriminals to fashion spear phishing emails and text messages.  It is for this reason that you should never click on any links in an email or text message until you have confirmed that the email is legitimate.  You should also use security software and make sure that it is constantly updated with the latest patches, although even doing that won’t protect you from the newest zero-day exploits, which exploit computer vulnerabilities that have not previously been discovered.  It usually takes the security software companies about a month to come up with defenses against the latest zero-day exploits.

Scam of the day – September 14, 2016 – Steps to take when getting a new smartphone

September 14, 2016 Posted by Steven Weisman, Esq.

According to the advertising slogan, diamonds are forever.  However, smartphones definitely are not.  Most people update to a new smartphone about every two years.  We use our smartphones for many purposes, from doing banking to taking photos, and our smartphones contain large amounts of personal information including passwords, account numbers and other information that we should take care to keep private when we turn in our phones.  The first thing, however, that you should be doing, even if you do not intend to turn in your phone soon, is to back up all of the data from your phone on to your computer, a portable hard drive or the cloud.

TIPS

When you are going to turn in your phone for a new one, you should clear your old phone of all app data and use a factory reset that is intended to clear your device of information stored in the phone.  Generally, your service provider can transfer the information to your new smartphone before you delete it from your former phone.  Check the owner’s manual, the provider’s website or the website of your phone’s manufacturer for instructions about how to do a hard reset of your phone before you dispose of it.  It is also important to remove or delete the data contained on your phone’s SIM or SD card which contain important data and photos.  Even if you have cleared and reset your phone, your SIM or SD card will retain information so it is critical to remove your SIM or SD card from your old phone or have the data on these cards deleted.

Scam of the day – September 13, 2016 – Phony Hillary Clinton video contains malware

September 12, 2016 Posted by Steven Weisman, Esq.

A common way that hackers manage to trick people into downloading malware used to steal the information from your computer or smartphone, and enable them to make you a victim of identity theft, is to send the malware disguised as an attachment for a video of something of great interest to many people.  It may be something related to a celebrity, such as purported nude videos, or it may be of an event in the news, such as a video purporting to show formerly unavailable footage of, for instance, the shootings in the Orlando nightclub.  The presidential election is tremendous fodder for people seeking videos of candidates in compromising situations, and scammers are taking advantage of this with malware attached to emails promising to provide newsworthy events.  Such is the situation, as reported by computer security company Symantec, with an email presently circulating promising that the attached video shows Hillary Clinton accepting money from an ISIS leader in 2013.  In addition to being a totally outrageous accusation not based in any fact, the email is fraught with poor grammar.  However, that is not stopping some people who are clicking on the link and unwittingly downloading malware that can result in their becoming a victim of identity theft.

TIPS

Regardless of who sends you an email or a text message with a link attached, you should never click on the link until you have confirmed that the communication is legitimate.  Even if the email or text message appears to come from a trusted friend, you can’t be sure that your friend has not had his email or smartphone hacked and used by a scammer to spread malware.  You should have security software on all of your electronic devices, including your computer and smartphone, and make sure that you keep your security software up to date with the latest security patches, but you cannot totally rely on that software to protect you from all malware dangers because it generally takes the security software companies about a month to catch up with the latest strains of malware.  Finally, in regard to communications promising startling videos or pictures of celebrities or newsworthy events, you should be particularly skeptical as to their authenticity.  Instead, it is better to rely on legitimate news sources that you can trust to be safer and more accurate.
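The disguise described in this post, an executable carried under a name that looks like a video, leaves traces that can be checked before anything is opened: the real extension at the end of the name, a video extension buried before it, a right-to-left override character that reverses how the name is displayed, and leading bytes that identify the file as a program rather than a video container.  The following is an added example of my own, not code from Symantec or from the post; the attachment contents are constructed header bytes, not real files.

```python
"""Checks on an email attachment that claims to be a video.  All samples
below are constructed bytes; only the leading bytes are meaningful."""
import os

VIDEO_EXTS = {".mp4", ".mov", ".avi", ".mkv", ".wmv"}
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs",
                   ".jar", ".msi", ".lnk", ".pif"}
RLO = "\u202e"  # Unicode right-to-left override, used to make "x\u202e4pm.exe" display as "xexe.mp4"


def sniff_type(data):
    """Identify a few executable and video container formats from their leading bytes."""
    if data[:2] == b"MZ":
        return "pe-executable"          # Windows EXE/DLL/SCR
    if data[:4] == b"\x7fELF":
        return "elf-executable"
    if data[:4] == b"PK\x03\x04":
        return "zip-container"          # also JAR and Office documents
    if len(data) >= 12 and data[4:8] == b"ftyp":
        return "mp4-family-video"       # ISO base media: MP4, MOV, 3GP
    if data[:4] == b"RIFF" and data[8:12] == b"AVI ":
        return "avi-video"
    if data[:4] == b"\x1a\x45\xdf\xa3":
        return "matroska-video"         # MKV / WebM
    return "unknown"


def all_suffixes(name):
    """Every dotted suffix of the file name, lower-cased: 'a.mp4.exe' -> ['.mp4', '.exe']."""
    parts = os.path.basename(name).lower().split(".")
    return ["." + p for p in parts[1:]]


def assess_attachment(filename, data):
    """Return reasons the attachment should not be opened; an empty list means none found."""
    reasons = []
    if RLO in filename:
        reasons.append("right-to-left override character in filename")
    suffixes = all_suffixes(filename)
    final = suffixes[-1] if suffixes else ""
    if final in EXECUTABLE_EXTS:
        reasons.append(f"final extension {final} is executable")
    if len(suffixes) > 1 and any(s in VIDEO_EXTS for s in suffixes[:-1]):
        reasons.append("video extension hidden before the real extension")
    kind = sniff_type(data)
    if kind.endswith("executable") or kind == "zip-container":
        reasons.append(f"content is {kind}, not a video")
    elif final in VIDEO_EXTS and not kind.endswith("video"):
        reasons.append(f"claims {final} but content is {kind}")
    return reasons


# Constructed samples.
REAL_MP4 = b"\x00\x00\x00\x18ftypmp42" + b"\x00" * 24
FAKE_VIDEO_EXE = b"MZ\x90\x00" + b"\x00" * 60

if __name__ == "__main__":
    for name, blob in [("clinton_video.mp4", REAL_MP4),
                       ("clinton_video.mp4.exe", FAKE_VIDEO_EXE),
                       ("clinton_video.mp4", FAKE_VIDEO_EXE)]:
        print(name, assess_attachment(name, blob) or "no indicators")
```

The content check is the one that matters most: a file named video.mp4 whose first bytes are the MZ signature of a Windows executable is not a video no matter what the name says, and Windows will happily run it if the user double-clicks.  Mail gateways do essentially this, which is why the post's advice to wait for the security vendors still leaves a window for brand-new samples.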

Scam of the day – September 12, 2016 – Four year old data breach revealed

September 12, 2016 Posted by Steven Weisman, Esq.

It was recently disclosed that Brazzers, a porn website, had been hacked four years ago.  Personal information of users of its forum, in which subscribers communicated about porn movies, was stolen and is now available on the Internet.  The information stolen included not only user names, email addresses and passwords, but also the substance of their conversations in the forum, which could be embarrassing to Brazzers subscribers if the information became public, leading to concerns about blackmail by cybercriminals with access to this information.  This data breach is reminiscent of the data breach at Ashley Madison, which proved to be extremely embarrassing to customers of that website, which dealt with extra-marital affairs.  Of course, any data breach in which user names, email addresses and passwords are compromised poses a threat to the victims of the data breach.  Cybercriminals can use that information to advance spear phishing schemes targeting the victims, luring them to click on links that will download keystroke logging malware that steals personal information from the victim’s computer, smartphone or other electronic device, and then use that information to make the person a victim of identity theft.  In addition, many people use the same password for all of their accounts, and once their password at one website becomes known, it can lead to attacks at other places such as online banking.

TIPS

The website Have I Been Pwned https://haveibeenpwned.com/ is a good place to go to find out if you have been victimized in a data breach.  This website gathers information about data breaches, and you can put in your email address to find out if you have been a victim of any data breaches, such as Brazzers, where information is being circulated on the Internet.  It is also important to use a distinct and unique password for each of your online accounts, so if you do become a victim of a data breach at one account, the security of your other accounts is not threatened.  Finally, people who go to websites that they would prefer no one to know about should consider using a different user name and a separate email address from their usual user name and email address.
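Two points from this post lend themselves to a worked example: checking whether a password has already appeared in a published breach, and spotting the same password reused across accounts.  What follows is added example code of my own, not part of the post and not Have I Been Pwned's code.  It reproduces the shape of that site's Pwned Passwords range lookup, in which only the first five hex characters of the password's SHA-1 hash are sent to the service (the real endpoint is https://api.pwnedpasswords.com/range/<prefix>) and the rest of the comparison happens locally, but it runs entirely offline against a constructed stand-in for the service, and the breach counts are made up for the illustration.

```python
"""Offline demonstration of a k-anonymity password check and a reuse report.
The 'service' and its counts are constructed; nothing is sent over the network."""
import hashlib


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """5-character prefix that would leave the client, and the 35-character
    suffix that stays local and is compared against the returned list."""
    h = sha1_hex(password)
    return h[:5], h[5:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines (the range response format) into {suffix: count}."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password, fetch_range):
    """fetch_range(prefix) -> response text.  Returns how many times the
    password was seen in breaches (0 if absent).  The full hash never leaves here."""
    prefix, suffix = split_hash(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def _make_fake_service(known_passwords):
    """Build a stand-in for the range endpoint from {password: count} (constructed data)."""
    ranges = {}
    for pw, count in known_passwords.items():
        prefix, suffix = split_hash(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    filler = "0" * 34 + "A:1"  # an unrelated suffix so every response has at least one line
    return lambda prefix: "\n".join(ranges.get(prefix, []) + [filler])


FAKE_SERVICE = _make_fake_service({"password": 3000000, "letmein": 120000})


def reuse_report(accounts, fetch_range):
    """For {account: password}, list each account's problems: reuse elsewhere
    and/or appearance in breach data.  An empty list means neither was found."""
    by_pw = {}
    for acct, pw in accounts.items():
        by_pw.setdefault(pw, []).append(acct)
    report = {}
    for pw, accts in by_pw.items():
        seen = breach_count(pw, fetch_range)
        for a in accts:
            problems = []
            if len(accts) > 1:
                problems.append("reused on " + ", ".join(sorted(x for x in accts if x != a)))
            if seen:
                problems.append(f"seen {seen} times in breaches")
            report[a] = problems
    return report


if __name__ == "__main__":
    sample = {"bank": "password", "forum": "password", "email": "long-unique-passphrase-xyz"}
    for acct, problems in reuse_report(sample, FAKE_SERVICE).items():
        print(acct, problems or "ok")
```

The design point is in split_hash: a five-character prefix matches on the order of hundreds of stored hashes, so the service learns very little about which password was checked, while the client can still match the suffix exactly.  Holding the account-to-password map in a password manager, rather than a script, is the practical way to run the reuse check.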