Scam of the day – August 20, 2016 – Guilty plea in insider trading hacking case

August 19, 2016 Posted by Steven Weisman, Esq.

I have been reporting to you about developments in this ingenious and massive stock fraud for a year since when the story first broke.   Forty-three people were charged both civilly and criminally in the largest hacking and securities fraud enterprise in American history.  The defendants were made up of rogue stock traders including hedge fund manager and former Morgan Stanley employee Vitaly Korchevsky along with computer hackers based in the Ukraine.  The hackers used simple phishing tactics to gain access to more than 150,000 press releases issued by Marketwired, PR Newswire in New York and Business Wire of San Francisco on behalf of numerous American companies including Panera, Caterpillar, Inc and Align Technology that contained earnings and other corporate information prior to their public release.  This enabled the rogue stock traders to make trades based on this inside information before it became known to the public.  Trades using this stolen information were made by traders in Russia, Ukraine, Malta, Cyprus, France and here in the United States in Georgia, New York and Pennsylvania  It is estimated that between 2010 and 2015, the defendants made profits of as much as 100 million dollars on 800 trades during this time.  A number of the civil defendants have already pleaded guilty to charges related to this scam and now Leonid Momotok, a Russian naturalized American citizen pleaded guilty to conspiracy to commit wire fraud in regard to this scam.  According to prosecutors, Momotok made more than 1.2 million dollars in illegal profits by trading Panera Bread Co. and DealerTrackTechnologies based upon the stolen inside information.

The cornerstone of this scam as so many cyberscams was the ability to hack into the company computers of Marketwired, PR Newswire and Business Wire by hacking into social media sites where they stole the passwords of employees of these companies who used the same passwords at work.  The scammers also used spear phishing emails to gain the further access they needed to infiltrate the computers of the targeted companies.

TIPS

One of the biggest takeaways from this case is how easy it is to still use spear phishing emails to lure people into clicking on links tainted with malware that permits hackers to steal a person’s or company’s data. Apparently corporations still have not learned to sufficiently train their employees to recognize phishing emails nor have they learned to encrypt and segregate sensitive data from hackers.   This is important to all of us as individuals because identity thieves and hackers use the same phishing techniques to hack into the computers of us as individuals and steal our personal information.  Never click on links in emails regardless of from whom they appear to come unless you are absolutely sure that the link is legitimate.  It well could contain keystroke logging malware that will steal all of the information from your computer.  Also, it is important to remember that you cannot rely on your anti-malware software to protect you because the best anti-malware software is always at least a month behind the latest malware.  However, it is still important to have security software on all of your electronic devices and keep that software up to date with the latest security patches because many scammers use older versions of malware for which there are defenses.

Finally, this case also reminds us to use unique passwords for all of our accounts so that if our password is compromised at a company with lax security, our own security at other places where we use passwords is not threatened.   Although it may seem difficult to have to remember so many different password, an easy way to deal with this is to have a strong base password that contains capital letters, small letters and symbols and adapt that base password for each of your accounts.  Using an easily remembered phrase as the base password such as IDon’tLikePasswords is effective.  Make it even better by adding a couple of symbols at the end such as IDon’tLikePasswords!!! and then adapt it for each of your accounts so, for instance, your Amazon account password would be IDon’tLikePasswords!!!AMA.

Scam of the day – August 19, 2016 – AT&T penalized 7.75 million dollars over cramming charges

August 18, 2016 Posted by Steven Weisman, Esq.

It was just two years ago that AT &T paid a 105 million dollar settlement related to cramming on cell phone bills.  Cramming is the name for adding unauthorized third party charges to a consumer’s telephone bill without the knowledge or approval of the consumer.  This has long been a problem with landline phones and recently has become a major problem with cellular service.  There are many ways that these unauthorized charges make their way to a victim’s phone.   Sometimes, consumers unknowingly sign up for premium texting services that may be for things such as flirting tips, horoscopes or celebrity gossip when entering a contest or lottery.  Whatever the source of the charges, they are fraudulent and typically cost about $9.99 per month and continue to appear for months without end.  Recently, while conducting a drug and money laundering investigation, the Drug Enforcement Agency (DEA) discovered two companies, Discount Directory, Inc. and Enhanced Telecommunications Services that were sham companies established for the sole purpose of cramming nine dollar monthly directory service charges on to AT&T landline bills.  While AT&T was not aware these charges were fraudulent when they agreed to add these charges to consumers’ bills, neither did they ask for any proof that their customers had actually signed up for these services.  Meanwhile, AT&T got a share of every monthly crammed payment.  According to the FTC, AT&T “ignored a number of red flags that the charges were unauthorized, including thousands of charges submitted by the Companies for nonexistent, disconnected, or otherwise ‘unbillable’ accounts.”

Pursuant to the new settlement, AT&T will refund all the fees it collected on behalf of the two companies as well as pay a $950,000 fine.  They have also agreed not to bill for most third-party services on landlines. AT&T has indicated that they will be sending refund checks to their defrauded customers within the next 90 days.

TIPS

Even if you are not an AT&T customer  this case is another reminder that you should carefully review your phone bill each month to make sure that there are no unauthorized charges.  Telephone bills can be long and complicated to read, but is important to make sure that you understand every charge that appears on your bill because sometimes crammers make the charges appear to be legitimate.  If you find a charge for a service you did not order, contact your phone service provider to have the charges removed.

Scam of the day – August 18, 2016 – Major data breach at health care provider

August 18, 2016 Posted by Steven Weisman, Esq.

Recently a Ukranian hacking group called “Pravyy Sector” managed to hack into the server of the Central Ohio Urology Group, which includes twenty-four clinics and posted online literally hundreds of thousands of files that included massive amounts of personal information that could be exploited for identity theft and other illegal purposes.  While you may not be a patient of Central Ohio Urology Group and therefore may not consider this to be a serious matter, but it is very serious because it is just another example of the pervasive lack of security in the health care industry.

As I warned everyone in my USA Today column in which I made my cyberpredictions for 2015, the health care industry is tremendously vulnerable to data breaches and we can expect these data breaches to continue.  Here is a link to that column.  http://www.usatoday.com/story/money/personalfinance/2014/12/20/cyber-hack-data-breach/20601043/

An audit of health care companies and insurers showed that more than 81% of these companies have suffered a data breach in the last two years alone and that number only relates to the data breaches that have been discovered.  There may have been more that remain undiscovered.   The health care industry is the perfect storm for data breaches.  It is a highly digitized industry that has massive amounts of personal information that it shares with numerous offices and institutions and yet has not, in many instances instituted the necessary security precautions to protect the information stored.

The potential consequences of medical company data breaches can be tremendous to affected individuals.  The medical records of an identity thief accessing your medical insurance can become intermingled with your medical records such that you can mistakenly receive improper treatment, such as a potentially deadly blood transfusion of the wrong blood type.  Other information such as your Social Security number which may be stored by a health care provider can be stolen and used for purposes of more traditional identity theft. Finally, the vulnerability of the computer systems of health care providers has made them prime targets for successful ransomware attacks.

TIPS

The health care industry has got to recognize that it is a prime target of hackers and identity thieves.  Encryption of all data should be the rule and not the exception for health care providers.  Authorization authentication to access records from both on-site and particularly off-site should be enhanced.  As for us as the patients, we should limit the amount of personal information given to health care providers if they do not have a need for it.  Health care providers do not need our Social Security numbers.  Don’t give it to them.  We also should demand that they institute better data security measures.

Scam of the day – August 17, 2016 – Latest security update from the Department of Homeland Security

August 16, 2016 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  These new updates in today’s Scam of the day from the Department of Homeland Security include critical new updates to  the Android operating system to correct vulnerabilities threatening the security of millions of cell phone users about which I wrote in a recent Scam of the day.  Also included are important security updates for Microsoft 10, Microsoft Edge, Internet Explorer, and Google Chrome.

TIPS

Here are the links to  the recent security updates as posted by the Department of Homeland Security: https://www.us-cert.gov/ncas/bulletins/SB16-228

Scam of the day – August 16, 2016 – More hotel data breaches

August 16, 2016 Posted by Steven Weisman, Esq.

Yesterday, HEI Hotels and Resorts, a company that manages hotels operating under  brand names such as Marriott, Hyatt and InterContinental, announced that 20 of its hotels suffered a data breach that resulted in hackers stealing customer names, credit and debit card account numbers, expiration dates and three digit verification codes for tens of thousands of transactions going back as far as March of 2015.

It is not known yet whether the data breach is related to the hacking by the Russian organized crime group Carbanak, that, as reported recently by Brian Krebs managed to install malware into the credit and debit card processing equipment manufactured by MICROS used in hotels around the world.

The primary reasons for the continuing problem of data breaches at hotel chains are the weak cybersecurity of many hotel chains coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards.  Regulations effective October 1, 2015  mandated credit card issuers and retailers switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have been slow to switch to the new card processing equipment.  If smart EMV chip cards had been used at HEI’s hotels, the card information that was stolen would have been worthless, but since they still used the old fashioned magnetic strip cards, Kimpton and its customers face financial problems from this data breach.

TIPS

Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted  more than a year ago, continue to occur again and again.  As for us, as consumers, the best we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  You also should regularly monitor your credit card statements for indications of fraudulent use.

Here is a link to which you can go to find out which hotels were affected by the data breach and when the data was compromised.  http://www.heihotels.com/list-of-properties

Scam of the day – August 15, 2016 – Coca Cola Olympic lottery scam

August 15, 2016 Posted by Steven Weisman, Esq.

With the closing ceremonies of the 2016 Rio Olympic Games just six days away, Olympic related scams continue to proliferate.  One of the latest begins with an email you receive that announces “Congratulations! You’ve just won a cash prize from the Coca-Cola Foundation in partnership with the International Olympic Committee (IOC).”  The email goes on to inform you that you have been chosen by a random drawing of email addresses.  All you need to do to claim your prize is provide personal information.  Of course there is no such lottery and the information you provide may be used to make you a victim of identity theft.  In addition, like most lottery scams, although, you are initially told that there is no cost to claim your prize, later you are told that you must pay administrative fees or taxes before your prize can be delivered to you.

TIPS

As I have often told you, it is difficult to win any lottery you enter.  It is impossible to win one that you have not even entered.  You should always be skeptical about being told that you have won a lottery you never entered.    Additionally, while it is true that income taxes are owed on lottery winnings, legal lotteries never collect tax money from winners.  They either deduct the taxes from the winnings or leave it up to the winners to pay their taxes directly to the IRS.  You also should never pay a fee to collect a legal lottery prize.

As for this particular lottery scam, in one version of the scam presently being circulated you are told that you can either provide your account number and bank routing information to the lottery sponsor in order for the funds to be sent electronically to you although this also would enable the scammer to get access to your bank account and empty it, or you can come and pick up your check personally in Nigeria.  If that doesn’t tell you everything you need to know about this being a scam, nothing will.

Scam of the day – August 14, 2016 – Kimpton Hotels investigating possible data breach

August 13, 2016 Posted by Steven Weisman, Esq.

Kimpton Hotels,  a chain of 62 boutique hotels is looking into a possible data breach, which essentially means that they were indeed hacked and they are just trying to confirm this fact.  Almost in every instance when companies are hacked, it is the credit and debit card processors that notice a pattern of fraudulent card use and then trace it back to the hacked companies, which in this instance appears to have occurred in almost half of the Kimpton hotels in the  United States. When this is confirmed, Kimpton will just be the latest of a long line of hotels including  Omni Hotels and Resorts, Hyatt, Hotels, Starwood Hotels, Hilton Hotels and Trump Hotels (twice) that all suffered similar data breaches in the last year in which credit card and debit card information of their customers was stolen by unknown hackers.

The primary reasons for the continuing problem of data breaches at hotel chains are the weak cybersecurity of many hotel chains coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards.  Regulations effective October 1, 2015  mandated credit card issuers and retailers switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have been slow to switch to the new card processing equipment.  If smart EMV chip cards had been used at Kimpton Hotels, the card information that was stolen would have been worthless, but since they still used the old fashioned magnetic strip cards, Kimpton and its customers face financial problems from this data breach.

TIPS

Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted  more than a year ago, continue to occur again and again.  As for us, as consumers, the best we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  You also should regularly monitor your credit card statements for indications of fraudulent use.

August 13, 2016 – Steve Weisman’s latest column from USA Today

August 13, 2016 Posted by Steven Weisman, Esq.

It has been ten months since the switch to the computer chip EMV credit cards was mandated for credit card issuers and merchants in order to avoid liability for fraudulent charges yet many stores still haven’t made the change.  Here is a link to my latest column for USA Today in which I explain what is going on and what it means to all of us as consumers.

http://www.usatoday.com/story/money/columnist/2016/08/13/where-emv-card-10-months-later/87446678/

Scam of the day – August 13, 2016 – Healthcare worker convicted of identity theft

August 13, 2016 Posted by Steven Weisman, Esq.

Data breaches at hospitals and other health care providers are a major problem.  The Ponemon Institute’s study of the health care industry this year found 90% of health care organizations suffered data breaches during the last two years including the massive data breach at Anthem.  However, often overlooked is the fact that not all data breaches are caused by outside attacks.  Many of them are caused by rogue employees with access to data that they steal and then sell to others or use themselves for purposes of identity theft.  Recently Alana Wells a health care worker in Alabama pleaded guilty to stealing patients’ names, dates of birth and Social Security numbers and then using them with her co-conspirators for purposes of income tax identity theft by which they filed phony tax returns using the names and Social Security numbers of their victims’ seeking fraudulent tax refunds.  Sentencing will occur later this year and she faces a sentence of up to seven years in prison.

TIPS

Apart from the lesson that employers must do a better job of protecting the data they hold from rogue employees, which admittedly is a difficult job, one thing we as consumers should do is recognize that this problem occurs everywhere and consequently, whenever possible, we should limit the amount of personal information we give any company or institution with which we do business to the minimum amount necessary.  When it comes to hospitals and health care institutions, despite the fact that they routinely ask for your Social Security number, they have no true reason to use it as an identifier. When asked, suggest another number such as your driver’s license.

Scam of the day – August 12, 2016 – Important Microsoft security patches and updates

August 12, 2016 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.    Microsoft recently issued a large number of security patches necessary to fix critical vulnerabilities in software such as Internet Explorer, Edge and Office. The particular vulnerabilities being patched with these updates will protect users from being hacked when they merely visit a tainted website.  Other of the patches will fix  problems with how Windows, Office and Skype handle specific types of fonts such that hackers could exploit this vulnerability to take control of the victim’s computer if the victim views files with certain fonts or by visiting a malicious website.

TIPS

Here is the link to the recent Microsoft security updates: https://www.us-cert.gov/ncas/current-activity/2016/08/09/Microsoft-Releases-August-2016-Security-Bulletin