Scam of the day – September 7, 2014 – HealthCare.gov hacked

September 6, 2014 Posted by Steven Weisman, Esq.

The health care industry in general is responsible for more data breaches than any other sector. The lack of security throughout the health care industry, including hospitals and other providers of health care, is a huge problem that is only going to get worse as the computers of health care providers continue to be targeted and the personal data they contain is harvested by hacking identity thieves. From its inception, security issues at HealthCare.gov, the website of the federal government’s health insurance marketplace created pursuant to the Affordable Care Act, commonly referred to as Obamacare, have been a source of concern to me and many other experts in cybersecurity. Recently, it was disclosed that HealthCare.gov was indeed hacked, although, according to government spokesmen, no personal information of consumers in the 36 states that use HealthCare.gov was compromised. However, this is of little consolation to the many people who use HealthCare.gov.

When HealthCare.gov was first launched last October, there were major security concerns about the website, and the website was activated even before it met federal standards for security. Everyone remembers the difficulties that were encountered in the initial use of HealthCare.gov; however, until now, the federal government had not reported any data breaches. Aaron Albright, a spokesman at the Centers for Medicare and Medicaid Services, which operates HealthCare.gov, admits that there are numerous security weaknesses within the system that could lead to hacking and data breaches. These include weaknesses with the servers, such as the continued use of manufacturer’s default passwords, which could be easily exploited. In addition, servers have not been subject to regular security scans.

TIPS

Unfortunately, it is probably only a matter of time before HealthCare.gov is hacked by identity thieves who will steal personal information stored there.  If you have done business with HealthCare.gov, you should regularly monitor all of your financial accounts and you may wish to put a credit freeze on your credit report to prevent someone with access to your personal information from using your credit to make large purchases in your name.  You can find instructions as to how to put a credit freeze on your credit reports on the right hand side of this page.

Scam of the day – September 6, 2014 – Dairy Queen hacked

September 6, 2014 Posted by Steven Weisman, Esq.

Largely lost among the news of recent data breaches at companies such as Home Depot, Supervalu and UPS was the announcement by Dairy Queen that a number of its stores suffered data breaches, leaving customers’ credit card and debit card information in the hands of identity thieves. Unlike Home Depot and Target, for example, Dairy Queen franchises are independently owned; however, the extent of the hacking appears to include stores in Florida, Alabama, Indiana, Illinois, Kentucky, Ohio, Tennessee and Texas. The discovery of the data breach followed the same pattern as found in recent data breaches against Home Depot and others, in that it was banks monitoring fraudulent credit card and debit card usage that found the common link to be usage at Dairy Queen franchises. This is not unusual because it appears that the same difficult-to-discover Backdraft malware about which I have warned you repeatedly in the past, and about which the Department of Homeland Security warned retailers in a July 31st alert, was used.

TIPS

We can expect this scenario to continue to be repeated; however, this is no reason to stop using your credit card. It is reason enough to stop using your debit card for retail purchases because the consumer protection laws for fraudulent use of debit cards are not nearly as strong as those that apply to the fraudulent use of credit cards. In addition, even if you discover the misuse of your debit card immediately, you will temporarily lose access to the bank account to which the debit card is attached while the bank investigates the crime. This can delay your access to your own money and can jeopardize automatic payments that you may make from the account, such as mortgage payments. As for your credit card, you should regularly monitor it for any unauthorized use and report any misuse to your card company immediately upon discovering it in order to minimize the inconvenience.

Scam of the day – September 5, 2014 – Latest security updates from the Department of Homeland Security

September 5, 2014 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  That is why we provide links to the necessary patches and updates as provided by the Department of Homeland Security and the companies directly.  Today’s updates include an important security patch for Google Chrome and Mozilla Firefox and Thunderbird.

TIPS

Here are the links to the latest security updates as issued by the Department of Homeland Security: https://www.us-cert.gov/ncas/bulletins/SB14-244 and https://www.us-cert.gov/ncas/current-activity/2014/09/03/Mozilla-Releases-Security-Updates-Firefox-and-Thunderbird

Scam of the day – September 4, 2014 – Romance scam arrest

September 4, 2014 Posted by Steven Weisman, Esq.

Thirty-two-year-old Krist Koranteng of Maryland was recently arrested and charged with running a romance scam by which he is alleged to have stolen more than a million dollars from his elderly victims, whom he contacted online and then, through emails, telephone calls and text messages, convinced that he was deeply in love with them. Romance scams are big business. According to the Internet Crime Complaint Center, more than 56 million dollars is lost each year to romance scams, with women over 50 being the most highly targeted victims. Typically, in romance scams, the scammer professes his or her love for the victim early on, but it is not too much later that the scammer starts requesting money for reasons ranging from sick relatives to phony investments to tickets for air travel to come meet their new love.

TIPS

There are many red flags to help you identify romance scams. The most important thing to remember is to always be skeptical of anyone who falls in love with you quickly online without ever meeting you and early into the relationship needs you to wire money. Here are a few other things to look for to help identify a romance scam. Often their profile picture is stolen from a modeling website on the Internet. If the picture looks too professional and the person looks too much like a model, you should be wary. Particular phrases, such as “Remember the distance or color does not matter, but love matters a lot in life,” turn up in many romance scam emails. Also be on the lookout for bad spelling and grammar, as many of the romance scammers claim to be Americans but are actually foreigners lying about where they are and who they are. Often they will ask you to use a webcam, but will not use one themselves. This is another red flag. One thing you may do is ask them to take a picture of themselves holding up a sign with their name on it. In addition, ask for a number of pictures because generally when the scammers are stealing pictures of models from websites, they do not have many photographs. Ask for the picture to be taken at a particular place that you designate to further test them. Wiring money or sending money through a cash card is always a cause for concern, so if your new love suggests that you send money in that manner, you should be particularly skeptical.

Scam of the day – September 3, 2014 – Major data breach at Home Depot

September 3, 2014 Posted by Steven Weisman, Esq.

According to the old saying, “fool me once, shame on you, fool me twice, shame on me.” Reports have surfaced of yet another major data breach similar to the kind we first saw with Target and repeated regularly since then. As usual, it is not the company that is discovering the loss of data on credit cards and debit cards used at the store, but rather banks that monitor the sale of stolen credit and debit cards on black market websites, noting the common thread of the cards having been used at Home Depot. First indications are that the data breach may have affected every one of Home Depot’s 2,200 stores throughout the United States. The potential loss of data may well be far greater than that suffered by Target. It also appears that the breach may have been done by the same Eastern European hackers that stole data from Target, P.F. Chang’s and others using the same “backdraft” malware that I have warned you about for a long time and about which the Department of Homeland Security warned retailers on July 31st. This will not be the last major data breach, as retailers are still not doing enough to protect the security of their data or the privacy of their customers. In addition, the loss of credit card data could have been avoided had retailers seen the writing on the wall when the Target data breach occurred and advanced the switchover to smart credit cards with computer chips that generate a unique code each time the card is swiped, thereby thwarting hackers and identity thieves, who would be stealing a number that was worthless for further use. Present regulations put no incentive on retailers to switch to these cards, which are used throughout the world but not in the United States, until October of 2015.

So what do you do?

TIPS

For starters, do not use your debit card for retail purchases.  Limit its use to ATMs.  There are strong laws to protect you from fraudulent use of your credit card, but the laws protecting you from liability in the event of fraudulent use of your debit card are not strong and you potentially risk losing your entire bank account to which the card is attached.  In addition, even if you report the fraudulent use of your debit card immediately, your bank will freeze your account while it investigates the breach which can be very inconvenient if you need immediate cash or have bills automatically paid from your account.  Another thing you should always do is monitor all of your financial accounts regularly for fraudulent use.

Scam of the day – September 2, 2014 – Beware of nude photos of Jennifer Lawrence, Kate Upton and others

September 2, 2014 Posted by Steven Weisman, Esq.

News of stolen nude photos and videos of more than a hundred celebrities including Jennifer Lawrence, Kate Upton, Jenny McCarthy, Rihanna, Avril Lavigne, Hayden Panettiere, Hope Solo, Cat Deeley, Kaley Cuoco, Kim Kardashian, Scarlett Johansson and others is sweeping across the Internet. Although a few of the named celebrities, such as Victoria Justice, have denied the accuracy of the photographs, many of the celebrities, including Jennifer Lawrence and Kate Upton, have confirmed that, much to their chagrin, the photos and videos are real. Although the exact manner by which these photographs and videos were hacked and stolen is not known at the moment, it appears that they were taken from Apple’s iCloud. The possibility exists that a vulnerability in Apple’s iCloud security is at the root of the problem, but another scenario is that the fault is with the individuals who took these photographs and videos of themselves. Anyone who is able to get someone’s email address and password would find it easy to gain access to that person’s iCloud account and download the photographs and videos. Obtaining an email address is a relatively easy task for any hacker, and passwords can be obtained either from other hacked devices or, as is often the case, by using the “forgot password” link on Apple’s iCloud, as with other accounts. The answers to the security questions used to obtain the password through the “forgot password” function are generally easy to find for celebrities, whose personal information, such as where they went to high school or other information used in security questions, is easily found online.

The security flaw, however, may also have been with Apple. A vulnerability in Find My iPhone may have permitted hackers to use a brute force attack whereby they would flood the page with computer-generated passwords until the correct password was guessed. This vulnerability has now been patched, and brute force attacks will not be effective because repeated failures to enter the correct password will result in the user being locked out.
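How a lockout of the kind described above stops password guessing, as an added example that is not part of the original post and is not Apple's code. The class name, the threshold of five failures and the 15-minute lock are assumptions chosen for illustration, and the guess list is constructed.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5        # assumed threshold, not Apple's actual value
LOCK_SECONDS = 15 * 60  # assumed lock duration


def hash_password(password, salt):
    # Salted, slow hash so a stolen store is also costly to guess against.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class LoginGuard:
    """Counts consecutive failures per account and locks after too many."""

    def __init__(self, clock):
        self._clock = clock       # injected so the demo controls time
        self._accounts = {}       # user -> (salt, password hash)
        self._failures = {}       # user -> consecutive failed attempts
        self._locked_until = {}   # user -> time the lock expires

    def register(self, user, password):
        salt = os.urandom(16)
        self._accounts[user] = (salt, hash_password(password, salt))

    def login(self, user, password):
        now = self._clock()
        # While locked, the password is not even checked, so a correct
        # guess made during the lock tells the guesser nothing.
        if self._locked_until.get(user, 0) > now:
            return "locked"
        ok = False
        record = self._accounts.get(user)
        if record is not None:
            salt, stored = record
            ok = hmac.compare_digest(hash_password(password, salt), stored)
        if ok:
            self._failures.pop(user, None)   # success resets the counter
            return "ok"
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= MAX_FAILURES:
            self._locked_until[user] = now + LOCK_SECONDS
            self._failures[user] = 0
        return "denied"


class FakeClock:
    """Manually advanced clock standing in for time.time()."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now


def demo():
    clock = FakeClock()
    guard = LoginGuard(clock)
    guard.register("alice", "correct horse battery")
    # Constructed guess list; the real password is the seventh entry.
    guesses = ["123456", "password", "qwerty", "letmein", "iloveyou",
               "dragon", "correct horse battery", "monkey"]
    results = [guard.login("alice", g) for g in guesses]
    clock.now += LOCK_SECONDS + 1            # the lock expires
    after = guard.login("alice", "correct horse battery")
    return results, after


if __name__ == "__main__":
    print(demo())
```

A per-account lock also lets anyone who knows the username keep the real owner locked out, which is why production systems usually pair it with per-source rate limits or increasing delays.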

So what does all of this mean to you?

This hacking presents two separate problems.  The first is that identity thieves will be taking advantage of the public’s interest in these photos and videos.  You will be receiving emails, text messages or social media postings with links that promise to bring you to these stolen photographs that will download keystroke logging malware when you click on the links.  Once this malware is installed on your computer, smartphone or other portable device, your personal information will be stolen and the information will be used to make you a victim of identity theft.

The second problem is the same problem faced by the celebrities whose accounts were hacked.  How do you keep your accounts secure?

TIPS

Don’t give in to the temptation to view these photos and videos online. Ethically, it is the wrong thing to do. However, it also is too risky an activity. You cannot trust any email, text message or social media posting that promises access to these photos and videos. Many of these will be laced with malware and you cannot know which ones to trust. Trust me, you can’t trust anyone. In addition, identity thieves will be setting up phony websites that promise to provide these photos and videos, but again will only end up installing malware on your computer when you click on links in these websites. Identity thieves are often adept at search engine optimization, so a phony website might appear high in a search from your web browser.

As for securing your own account, you should use a unique password for each of your accounts so that if any one of your accounts is hacked, all of your other accounts are not in jeopardy. Make sure the password is a complex password that cannot be guessed through a brute force attack. Check out my book “Identity Theft Alert” for advice as to how to pick a secure and easy to remember password. Also, even if you are not a celebrity, you would be surprised how much information is online about you that can be used to come up with the answer to your security questions. It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” for the question of what is your mother’s maiden name. Also, take advantage of the two-factor identification protocols offered by Apple and many others. With two-factor identification, your password is only the starting point for accessing your account. After you have inputted your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account. Had Jennifer Lawrence and the other hacked celebrities used the two-factor identification protocol, they would still have their privacy. It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be the truth. Smartphones save deleted photographs and videos on their cloud servers, such as the Google+ service for Android phones and the iCloud for iPhones. However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

Scam of the day – September 1, 2014 – Phone scams

September 1, 2014 Posted by Steven Weisman, Esq.

Although so much of our attention is focused on scams perpetrated on the Internet and through means of high technology, a recent survey confirmed that low technology, namely the telephone, still is fertile ground for many scams. According to the Truecaller/Harris survey, more than 17 million Americans became victims of telephone scams during the past year at a cost of 8.6 billion dollars. One specifically telephone-connected scam is “cramming,” where fraudulent charges are added to your phone bill and often go unnoticed by people who pay little attention to the detailed information provided in lengthy monthly phone bills, particularly for wireless service. There are many ways that these unauthorized charges make their way to a victim’s phone. Sometimes, consumers actually unknowingly sign up for premium texting services that may be for things such as flirting tips, horoscopes or celebrity gossip. Whatever the source of the charges, they are fraudulent and typically cost about $9.99 per month and continue to appear for months without end. You can find more detailed information about cramming by putting the word “cramming” into the archives section of Scamicide. Other telephone-related fraud occurs when people provide personal information over the phone when called by scamming telemarketers or to scammers who entice or scare the person receiving the call to either provide personal information or make a payment, such as in the present scam in which you receive a call purportedly from the IRS demanding payment for outstanding taxes.

TIPS

In regard to protecting yourself from cramming, you should never click on links or sign up for anything unless you have carefully read the fine print to see what else you may be signing up for.  In fact, you should never click on links in an email or text message unless you have independently verified that it is legitimate.  As for calls from telemarketers, not all telemarketers are criminals, but unfortunately, you have no way of knowing when you receive a call whether or not the person on the other end of the conversation is indeed legitimate or not so you should never provide personal information or payment in response to a telephone call until you have independently verified the call.  You may even wish to put yourself on the federal Do Not Call list to avoid telemarketers.  If you do get a call from a telemarketer after you have put yourself on the list, you know that the person is not legitimate and you should ignore the call.  Here is a link to the Do Not Call list if you wish to enroll.  https://www.donotcall.gov/  You can still receive calls from charities even if you are on the Do Not Call List, but again, you cannot be sure that the person calling is really from the charity so never give money over the phone to a telemarketer who calls you on behalf of a charity.  It is also worth noting that when you do make a charitable donation to a legitimate charity telemarketer, the telemarketer takes a percentage of your contribution as a commission.  If you want your donation to do the most good, you should contact the charity directly to make your donation.

Scam of the day – August 31, 2014 – Ponzi Investment scammer convicted

August 31, 2014 Posted by Steven Weisman, Esq.

It is interesting to note that when it comes to investment scams, sophisticated investors are often the victims. This was true in the Ponzi investment scam of Bernie Madoff and it was true of the investment scam of recently convicted David Rose. Rose specialized in scamming doctors and dentists, whom he lured into investing in what they thought were companies doing research and development in the medical field. Rose was, as many scam artists are, a slick operator. He met with clients and provided them with private placement memorandums that described in detail how the money was to be invested. Unfortunately, of the two million dollars he took from investors, none of it was actually invested in anything. Instead, Rose used the money to buy luxury boats and cars and jewelry, as well as for other personal uses.

TIPS

The rules for protecting yourself from investment scams are always the same.  Before investing in anything, you should make sure you understand the investment and carefully investigate both the investment and the person advising you to make the investment.  In addition, a red flag in both the Madoff scam and the Rose scam is when the person advising you to make the investment is also the custodian of the account.  They should never be the same person.  Always have a separate broker-dealer from your individual adviser.  This way the actual funds and investments are monitored by a third party.

Scam of the day – August 30, 2014 – New scam threats springing from J.P. Morgan data breach

August 30, 2014 Posted by Steven Weisman, Esq.

As I have told you so many times, whenever something catches the attention of the public, it catches the attention of scammers and identity thieves who use it as a hook to turn that public’s interest in something into making the public victims of scams. The recent death of Robin Williams and the Ice Bucket Challenge are two examples of things that have fascinated the public that were used to turn people into scam victims. You can find the details about both of these scams in previous Scams of the day. Now, the J.P. Morgan bank hacking is a big news story and it should be. The data breach at J.P. Morgan and a number of other banks poses a serious threat to the financial well-being of many people. Scammers and identity thieves are now capitalizing on this concern and fear in the public to send emails and text messages to people in which the identity thieves pose as J.P. Morgan or other banks. In the emails and text messages, you are told about problems with your account that require your immediate attention and you are directed to click on a link for further information. If you click on this link, however, you will end up downloading keystroke logging malware that will steal the personal information from your computer and use it to make you a victim of identity theft. In another variation of this scam, you are directed to provide your personal banking account information in response to the email for verification purposes. Of course, if you do this, all you will succeed in doing is providing an identity thief with the information he or she needs to steal money from your accounts.

TIPS

Whenever you receive an email or a text message, you cannot be sure of who sent it to you. Even if the address of the sender appears to be legitimate, it is easy for a scam artist (remember, they are called artists) to “spoof” or counterfeit a legitimate address to make the message appear to be legitimate. Never provide personal information in response to an email or text message. Never click on links in emails or text messages unless you are absolutely sure that the message is legitimate. If you think that the email or text message may be legitimate, you should call the bank or other purported sender at a phone number that you have independently confirmed is legitimate to inquire. Don’t call the number provided to you by the scammer.

Scam of the day – August 29, 2014 – J.P. Morgan and other banks hacked

August 29, 2014 Posted by Steven Weisman, Esq.

The FBI is investigating an apparent hacking of banking giant J.P. Morgan and as many as four other banks by what initially appears to be sophisticated hackers from Eastern Europe. Some are theorizing that the hacking was sponsored by the Russian government in retaliation for sanctions brought against Russia in the wake of its actions in relation to Ukraine. Much sensitive data was compromised and stolen as a result of the hacking. The initial investigation appears to be focusing on the exploitation of computer programs used by a J.P. Morgan employee to work from a remote location. Remote desktop software such as Microsoft’s Remote Desktop, Apple’s Remote Desktop, Chrome’s Remote Desktop, Splashtop, Pulseway and LogMeIn enables the convenience of logging into a company’s computers from an off-site location. This type of exploitation of such software has proven to be a major security flaw that has been continually exploited in company after company for quite a while, going back to Target’s hacking last year and up to the recent UPS hacking. I have warned people about this flaw for some time and the FBI has warned American businesses to watch for this.

TIPS

Banks are a frequent target of cyberattacks and American banks have generally done a good job in recent years in protecting data; however, as this latest hacking shows, more needs to be done, particularly in regard to the particular type of malware used in this attack, which may be or be similar to the “Backoff” malware I have been warning about. As for us as consumers, there is little we can do other than to carefully monitor all of our accounts, only use credit cards rather than debit cards for retail purchases and limit the amount of personal information we provide to any company or governmental agency with which we do business. This will not be the last major hacking exploiting this flaw to occur.