Scam of the day – April 10, 2014 – Serious security danger on the Internet of Heartbleed

April 10, 2014 Posted by Steven Weisman, Esq.

The term “Heartbleed” sounds serious and it is.  Heartbleed is the name of the recently discovered security flaw in the OpenSSL encryption security technology that is used by up to 2/3 of websites on the Internet.  An indication that the website you are communicating with uses OpenSSL is the presence of the tiny padlock icon next to the website address.  Another indication that OpenSSL is being used is the letter “s” appearing after the initial “http” at the beginning of a website address.  The padlock and the “s” indicated to people communicating with websites that their communications were encrypted and safe from hackers.  Now we have discovered that this encryption technology had been cracked by attackers as long as two years ago.  This means that your communications online with your bank and retailers may have been compromised.  Many websites that have used the OpenSSL encryption technology, including Amazon and Facebook, have fixed the problem or are working on it.  There are patches available.

TIPS

The first thing that you should do is to change your passwords at websites you have used that utilized the OpenSSL encryption because your password may be in the possession of hackers.  However, do not change your password until you have confirmed with the website that it has patched the security flaw.  Heartbleed is a good reminder to us all that we should change our passwords on a regular basis as well as have different passwords for every website where we use a password so that if one gets hacked, identity thieves would not have the passwords for all of our other accounts.  It doesn’t have to be a difficult task as just adding or changing a letter or two can do the trick if you have a good, complex password with letters both capital and small as well as figures and signs.  Also, again as we all should be doing, monitor all of your accounts regularly for evidence of fraudulent use.

Here is a helpful link you can go to in order to check and see if the websites you go to were among those affected by Heartbleed.  One word of caution, this is not guaranteed by its creator to be 100% accurate: http://filippo.io/Heartbleed/

For people who have websites that use OpenSSL, here is a link to the notice from the Department of Homeland Security with the links to rectify the situation: https://www.us-cert.gov/ncas/alerts/TA14-098A

Scam of the day – April 9, 2014 – Follow up on ATM danger

April 8, 2014 Posted by Steven Weisman, Esq.

Yesterday Microsoft officially ended technical support for its Windows XP program, which is still used by 95% of the world’s ATMs.  Many people are justifiably concerned about the security of the ATMs that they use and whether it is still safe to use them or whether they are in serious jeopardy of having their accounts hacked.  Although April 8th was the day that Microsoft indicated that it would no longer issue technical updates to the Windows XP operating system, some ATMs work on a variation of the Windows XP operating system called Windows Embedded.  Security updates for Windows Embedded will continue to be issued until January 12, 2016.  In addition, some major banks have made private arrangements for security updates from Microsoft for Windows XP.  JPMorgan, for instance, has made private arrangements with Microsoft for updates for another year.  However, the basic fact is that Microsoft is stopping further updates of Microsoft XP because it is an outdated system and the cost of constantly patching it does not make sense.  Anyone using Windows XP, whether commercially or privately, should update to another operating system as soon as possible.

TIPS

Ask your bank what it is doing about the Windows XP operating system, and if they tell you that they are still able to use it in the short run, ask them what their intentions are in the long run because security patches are not a solution to the vulnerabilities that have already been identified in the Windows XP operating system.  If your account is hacked due to a flaw in the Microsoft XP operating system running an ATM that you use, you will not be responsible for any funds lost if you notify the bank right away.  It is a good idea to monitor your account online every few days to make sure that it is secure.  If you use Windows XP on your home devices, you too are at risk and should update your operating system to another system as soon as possible.

Scam of the day – April 8, 2014 – Latest security update from the Department of Homeland Security

April 8, 2014 Posted by Steven Weisman, Esq.

As regular followers of Scamicide know, whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  That is why we provide links to the necessary patches and updates as provided by the Department of Homeland Security.  Today’s software update applies to Apple’s Safari browser.

TIPS

Here is a link to the latest release from the Department of Homeland Security with links to this important security update:

https://www.us-cert.gov/ncas/current-activity/2014/04/02/Apple-Releases-Security-Updates-Safari

 

Scam of the day – April 7, 2014 – Multi-million dollar bank hacking conspiracy broken

April 7, 2014 Posted by Steven Weisman, Esq.

A few days ago, Robert Dubuc and Oleg Pidtergerya pleaded guilty to a number of criminal counts in charges brought against them in federal court.  The conspiracy of which they were a part is very telling of the danger that threatens the international banking system.  The scheme began before the two defendants ever got involved.  Ukrainian hackers gained illegal access to the bank accounts of more than a dozen large financial institutions and companies, including Automatic Data Processing, Inc. (ADP), Citibank, E-Trade, JP Morgan Chase Bank, PayPal, TD Ameritrade and TIAA-CREF.  Once the hackers gained access to the accounts, they transferred funds stolen electronically from these accounts to bank accounts and pre-paid debit cards that they controlled.  At this point they progressed to the cashing out phase of the scam, in which people known as “cashers” would withdraw the funds from the new accounts through ATM withdrawals and bank withdrawals, after which the funds were sent to the two Ukrainian hackers behind the scam.  Dubuc and Pidtergerya were cashers.

TIPS

Banks and other financial institutions have not been particularly forthright when it comes to disclosing the successful hacking of their accounts.  Nor has their security been as good as it has to be.  Where this leaves us as customers is that we need to be particularly vigilant in monitoring our accounts at all times for signs of fraudulent purchases.  Sometimes we are our own worst enemy, such as when we unwittingly download keystroke logging malware through clicking on tainted links or downloading dangerous malware that steals the information from our computers, smartphones, tablets and other portable electronic devices and then uses this information to make us victims of identity theft and access our accounts.  It is important to monitor all of your financial accounts more often than monthly.  It is also important to maintain the most up-to-date security software on all of our electronic devices and finally, it is up to us to use caution whenever we are online and not to click on links unless we are absolutely sure they are legitimate.

Scam of the day – April 6, 2014 – FTC shuts down telemarketing scam

April 6, 2014 Posted by Steven Weisman, Esq.

The FTC has obtained injunctions closing down a major telemarketing scam that stole more than twenty million dollars from senior citizens.  The telemarketers used promises of various services including, ironically, fraud protection.  Other services being sold were legal services and prescription drugs.  In addition, in other instances, the scammers impersonated government officials and bank employees.  In those calls, the scammers tricked their victims into providing their bank account information, which was then used by the scammers to access the victims’ bank accounts and steal their money.  The primary defendant is Ari Tietolman and various companies he operated, including First Consumers, LLC, Standard American Marketing, Inc., PowerPlay Industries, LLC, Patient Assistance Plus, Legal Eye and Fraud Watch.

TIPS

You can never be sure of who is calling you on the phone so you should never give personal information over the phone to anyone whom you have not called.  Even if your Caller ID appears to show that the caller is who he says he is, you cannot trust your Caller ID because it can be manipulated through a technique called spoofing to make it appear as if the call is legitimate when it is not.  If you are interested in a service or product about which you are informed in a telemarketing call, you should ask them to send you written material and then investigate the company and the product or service before considering committing.   If a call asking for personal information appears to you to possibly be legitimate, you should still not provide the information over the phone to the caller, but rather hang up and call the real company with which you do business to see if the original call was a scam.

Scam of the day – April 5, 2014 – Shredding company employee implicated in identity theft

April 5, 2014 Posted by Steven Weisman, Esq.

For years I have advised everyone to shred any documents they have containing personal information before discarding them.  Identity thieves have been known to go through the trash of individuals, companies and government agencies looking for documents that contain personal information such as credit card numbers or Social Security numbers that can be used for identity theft purposes.  Mere horizontal shredding may not be sufficient to protect you.  There have been many instances where identity thieves were able to piece together horizontally shredded documents to get the information they seek.  It is far better to use a cross shredder that will render the documents unusable by anyone seeking to obtain information from the documents.  Although many individuals will have their own shredders at home, many companies use the services of shredding companies that will come to the company’s location and either pick up the materials to bring back to the shredding company’s headquarters to be shredded or shred the material right at their customer’s location using a truck with shredding machinery incorporated into the truck.  Recently some identity theft was traced back to a Texas shredding company, Cintas Document Management, that picked up documents to be brought back to Cintas’ headquarters to be shredded.  Police are investigating one particular rogue employee who, it is thought, took the documents he was supposed to bring back to Cintas for shredding and instead used the documents to get information which he used to make some customers victims of identity theft.

TIPS

If you are doing shredding of your documents at home, you should use a cross-shredder.  If you are having your documents shredded by a shredding company, you are better off hiring a company that sends a truck to your company to shred the documents at your company’s site while you watch.

Scam of the day – April 4, 2014 – Debit card texting scam

April 4, 2014 Posted by Steven Weisman, Esq.

The Attorney General of Vermont is warning people in Vermont about a scam that is also turning up around the country in which people receive a call or a text message informing them that the bank account accessible through their debit card is frozen.  The potential victim is then given a telephone number to call to straighten the matter out.  The number is of course phony and not tied to any bank.  If the number is called, the potential victim can be turned into a real victim by providing the personal information requested by the identity thief, who then uses the information to access the victim’s bank account.

TIPS

If you receive such a call or a text message, you should ignore it.  Many people have received calls purporting to be from banks where the people receiving the calls don’t even have bank accounts.  This happened to me.  Never provide information to anyone who calls or texts you because you can never be sure who they are.  Even if you have Caller ID that indicates that the call is from a legitimate source, you cannot trust the call because Caller ID can be fooled into showing what appears to be a legitimate call through a technique called spoofing.  If you are concerned that the call may be legitimate, merely call your bank at a number that you know is legitimate and you will soon learn that the original call or text was phony.

Scam of the day – April 3, 2014 – AT&T phishing scam

April 3, 2014 Posted by Steven Weisman, Esq.

Many people use AT&T for their phone service so when identity thieves indiscriminately call people and tell them that for merely completing a survey on AT&T’s website, sums of money ranging from $100 to $350, depending upon the particular scammer calling, would be credited to the person’s AT&T account, the identity thieves stand a good chance of finding AT&T customers among their calls.  The websites to which the potential victim is directed are, of course, phony.  This type of scam where you are directed to a phony website is called phishing.  When you go to the phony website, many of which have names that appear to resemble that of the real AT&T website, such as att620.com or goatt320.com, you will be directed to provide personal information, which will then be used to make you a victim of identity theft.  Alternatively you may be prompted to click on links that will download keystroke logging malware on your phone, which will gather information from your smartphone and use it to make you a victim of identity theft.

TIPS

Never provide information over the phone or in response to a text message or email to anyone whom you have not contacted because you can never be certain that they are who they purport to be.  Never click on links that purport to take you to a website because when you click on the link, you may be downloading keystroke logging malware or other malware.  Instead, if you believe that the initial communication has a chance of being legitimate, merely contact the company by phone or online at an email address, phone number or website that you know is legitimate.  In the case of this particular scam, a quick call to AT&T would let you know that this is a scam call to avoid.

Scam of the day – April 2, 2014 – Mystery Shopper scam conviction

April 2, 2014 Posted by Steven Weisman, Esq.

Recently Dave Brister was convicted of multiple counts of conspiracy, wire fraud, mail fraud and check fraud in a number of scams including the infamous Mystery Shopper scam about which I have often written here on Scamicide.  Brister or one of his co-conspirators initiated the scam with an advertisement placed on Craigslist in which Brister posed as a company seeking to hire mystery shoppers.  Real mystery shoppers are people who are hired by companies to shop at their retail stores and then report about the experience to the company for quality control purposes.  It sounds like easy work and it is, which is the primary attraction of both legitimate secret shopping jobs and phony ones.  So many people want to do secret shopping that the companies that do this legitimately have no need to advertise to hire people to become secret shoppers.  Once the victim has taken the bait and has agreed to be a mystery shopper for the scammer, the victim is sent a check that may appear to be a certified check, which the victim is instructed to deposit into his or her bank account and use the money to make the assigned purchases.  The check is for more than the amount that the mystery shopper spends, and the mystery shopper is told that he or she keeps some of the check as payment for his or her services.  The victim is then told that the remaining funds are to be wired back to the mystery shopper company.  It is only after the money is wired from the victim’s account that he or she learns that the check from the scammer bounces.  It was counterfeit; however, the funds wired from the victim’s account are gone forever without recourse.

TIPS

One reason why this scam works so well is that there really are mystery shopping jobs, although the actual number is quite few and they do not go looking for you.  If you want to find out if a mystery shopping company is legitimate, you can contact the Mystery Shopping Providers Association, which is a trade organization of legitimate mystery shopping companies.  Their website is www.mysteryshop.org.  Another indication that you are involved with a scam is when you receive a check for more than what is owed you and you are asked to wire the difference back to the sender.  This is the basis of many scams.  Whenever you receive a check, wait for your bank to tell you that the check has fully cleared before you consider the funds as actually being in your account.  Don’t rely on provisional credit and never accept a check for more than what is owed with the intention to send back the rest.  That is always a scam.  Also be wary whenever you are asked to wire funds because this is a common theme in many scams because it is difficult to trace and impossible to stop.

Scam of the day – April 1, 2014 – Military identity theft worsens

April 1, 2014 Posted by Steven Weisman, Esq.

According to a study done by the Federal Trade Commission, members of the military are twice as likely to become victims of identity theft.  One of the primary reasons for this is the military personnel’s Social Security number.  A Social Security number is the key to identity theft.  Once an identity thief has this, he or she is off to the races.  Until recently all military ID cards used the Social Security number and although the Department of Defense has changed its policy and is now issuing military IDs with a unique Department of Defense number, the transition to these numbers only started in 2011 and will take four years to complete, so many members of the military still have the old ID cards.  In addition, while Veterans Identification Cards no longer show the veteran’s Social Security number on the card, the person’s Social Security number is still embedded in the magnetic stripe on the back of the card, so identity thieves who, through various pretenses, manage to scan the card can obtain the Social Security number.  These cards are also being phased out, but many veterans still have these cards.

TIPS

Members of the military with the old-style cards should be particularly careful about providing the card as identification and should limit its use as an identifier whenever possible.  Although members of the military are eligible for an Active Duty Alert to be placed on their files with the three major credit reporting agencies that requires creditors to verify the identity of anyone before issuing credit in the name of the member of the military, a credit freeze, which locks your credit report and requires a PIN to make it available is probably a better choice.  You can find instructions as to how to put a credit freeze on your credit reports on the right hand side of this page.