Scam of the day – October 2, 2014 – Important update on Bash bug

October 2, 2014 Posted by Steven Weisman, Esq.

On September 27th I warned you about the revelation that there was a bug called Shellshock in the Bash command-line interpreter on many operating systems including Linux, Unix and Apple’s OSX that had just been discovered after more than twenty years.  This bug is simple to exploit and tremendously dangerous since when exploited by hackers, permits the hacker to take over the computers using the infected operating systems.   The Federal Financial Institution Examinations Council (FFIEC) has warned the banking industry that it should take immediate steps to protect itself from this major threat.  Hackers have been busy trying to take advantage of this security flaw by attacking servers using affected operating systems while security experts have been equally as busy trying to create new patches.   A series of security patches have been released just in the last couple of days. It is also important to know that, as individual computer users, your firewall should protect you unless a hacker tricks you through phishing into clicking on a link and download malware to exploit the flaw.

TIPS

For all of us, this is a reminder to never click on a link in an email, text message or social media posting unless you are absolutely sure that it is legitimate.  Too often, what appear to be legitimate communications with emails are phishing scams with malware attached.

Here are links provided by the Department of Homeland Security which in turn have links to the latest security patches issued by Apple and others to deal with this problem.

https://www.us-cert.gov/ncas/current-activity/2014/09/24/Bourne-Again-Shell-Bash-Remote-Code-Execution-Vulnerability

https://www.us-cert.gov/ncas/current-activity/2014/09/30/Apple-Releases-OS-X-bash-Update-10

Scam of the day – October 1, 2014 – Supervalu stores hacked for second time in two months

October 1, 2014 Posted by Steven Weisman, Esq.

Regular readers of Scamicide.com may remember that it was just last August 17th that I told you about the hacking at grocery chain Supervalu.  Well, it has happened again.  Now the company is saying that a second, entirely different hacking and data breach occurred just a few weeks after the previous hacking was discovered that affected customers at some of its Shop ‘n Save, Shoppers Food & Pharmacy and Cub Foods stores as well as some of its liquor stores.  Although the company is saying that due to what it calls its “enhanced” security technology installed after the last data breach, it believes that no cardholder data was actually taken by the hackers, it is still too early in the investigation to definitively make that statement.  In last Saturday’s USA Today, I wrote a column about the commonality of the data breaches over the last year that you may find interesting.  Here is a link to that column:

http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

You can well expect there to be continuing problems at retailers in the weeks and months ahead with data breaches.

TIPS

Specifically for people who think they may have been affected by the most recent Supervalu data breach, you can go to Supervalu’s website for more detailed information.  Supervalu’s website is www.supervalu.com.  They have also established a call center for information about free credit monitoring being offered through the company AllClear ID.  You can reach the call center at 855-731-6018.  If you receive an email or text message purporting to be from AllClearID or Supervalu asking you to click on a link to access the free credit monitoring services, don’t do so.  You can’t be sure that the email or text message is legitimate and all you may end up doing is downloading malware on to your own computer or other electronic device that will enable the identity thief to steal all of the personal information stored on your computer or other personal electronic device  and use it to make you a victim of identity theft.  Instead go directly to Suprevalu’s true website at www.supervalu.com.

For the rest of us who may not be personally affected by this latest data breach, this serves as a reminder that we should not use debit cards when shopping in retail stores because of the greater harm that can come if your debit card is hacked.  It also is important to remember to regularly monitor your credit card statement, preferably online to look for fraudulent charges.  Remember, when it comes to data breaches, the retail merchants who get hacked are always months behind when the hacking occurred so you need to be monitoring your accounts for improper activity.

Scam of the day – September 30, 2014 – U.S. Bancorp fined and ordered to pay customers millions

September 30, 2014 Posted by Steven Weisman, Esq.

Headlines last week trumpeted the fining by the Consumer Financial Protection Bureau of U.S. Bancorp 9 million dollars.  U.S. Bancorp was also ordered to return 48 million dollars to customers for illegal billing practices regarding its identity theft products.  The Consumer Financial Protection Bureau (CFPB) alleged that U.S. Bancorp charged its customers for credit monitoring services, but that the customers often did not receive the services promised and paid for.  Before you start judging U.S. Bancorp too harshly, however, it is important to note that the credit monitoring program of the bank was provided by a third party contractor, Affinion Group, which had previously run into similar problems with Capital One and Bank of America.  According to Affinion, this problem was not one of intentionally trying to cheat consumers, but more a matter of customers not being sufficiently told that they would need to submit more detailed information in order to fully activate the credit monitoring services, leaving the customers assuming that they were covered, when in fact, they were not.  Affinion says it has corrected this communications failure by now requiring authorizations for immediate access to credit reports for credit monitoring when customers initially enroll in their programs.  However, this change does not alter the fact that many customers were cahrged for services they either did not agree to or just did not receive.  In some cases the interest payments and fees from these programs resulted in customers going over their credit limit and being subject to bank penalties.  For its part, U.S. Bancorp has agree along with paying the fine to better monitor the third party vendors it uses.

TIPS

If you were directly affected by this, you should contact your local U.S. Bancorp branch.  For the rest of us, the first lesson is to make sure that you fully understand the details of any contract you sign up for.  Specifically as to credit monitoring services, you should make sure you understand what you need to do to activate the services and precisely what services are provided and at what cost.  Remember, credit monitoring services do nothing to actually prevent identity theft; they only help you become aware of the crime earlier.  It is also important to note that no credit monitoring service does anything for you that you cannot do for yourself at much less cost and often free.  For more details as to what you can do to protect yourself from identity theft, I suggest you get a copy of my new book “Identity Theft Alert.”  You can order it from Amazon merely by clicking on the link on the right hand side of this page.

Scam of the day – September 29, 2014 – Child identity theft

September 28, 2014 Posted by Steven Weisman, Esq.

Last week, Florida became the latest state to enact a law to help combat identity theft of children’s identities.  The new law has the clever acronym of KIDS, which stands for the Keeping ID Safe act.  Under this law, parents of minors are able to open a file with each of the major credit reporting agencies, Equifax, TransUnion, and Experian and then immediately freeze the accounts so that even if an identity thief managed to obtain the child’s Social Security number and other personal information, the identity thief would not be able to access the credit report for purposes of running up large debts using the credit of the child, who generally does not become aware that his or her identity has been stolen until he or she reaches older teen years when he or she might first apply for a car loan or financial aid for college.  Identity theft of children’s identities is a huge national problem.  According to a study by the Carnegie Mellon CyLab, children are more than 51 times more likely to become a victim of identity theft than adults.

TIPS

If you live in one of the states that has a law such as Florida’s, take advantage of the law, set up a credit report for your children and immediately freeze the account. And while you are at it, you should also freeze your own credit reports as your best precaution against identity theft.  If your state does not have such a law, let your state legislators know that you want them to pass such a law.  I am proposing such a law in my own home state.  As much as possible try to limit the places that have your child’s Social Security number and become familiar with the Family Educational Rights Privacy Act which helps you protect the privacy of your child’s school records and lets you opt out of information sharing by the school with third parties.  Finally, the security company AllClear ID (www.allclearid.com) provides a free service called ChildScan which not only searches credit records tied to your child’s Social Security number, but also checks employment records, criminal records and medical records to recognize at an early stage if your child has become a victim of identity theft.

Scam of the day – September 27, 2014 – “Shellshock” software bug threatens the Internet

September 26, 2014 Posted by Steven Weisman, Esq.

In somewhat of a repeat of the story of the “Heartbleed” bug where a vulnerability that had existed for two years before researchers discovered it and patched it, a new online security problem has just been discovered.  It is a bug that is called Shellshock that affects software called Bash which is an acronym for Bourne-Again Shell which is part of the operating systems of millions of computers and other devices now part of what we call the Internet of Things, such as refrigerators or even your car.  While the Heartbleed bug was bad enough in that it jeopardized your passwords and credit cards, Shellshock has the potential to be much worse in that a hacker could actually use it to take over millions of computers, home security systems, routers, Macintosh computers and smartphones using the Android operating system, such as the Samsung Galaxy and other devices that use the affected operating systems.  To make things worse, while Heartbleed went undiscovered for two years, the Shellshock flaw went undetected for twenty years.

When the flaw was discovered by researcher Stephane Chazelas, security experts immediately went to work to remedy the problem and although it is not completely fixed, the Department of Homeland Security issued an alert earlier this week with links to the security patches that have now been developed.  This threat is a very serious one.  The Department of Homeland Security has ranked the problem as a 10, which is its most serious classification for a security vulnerability.  Complicating it further, the Department of Homeland Security ranks the complexity of the bug as a 1, which means even unsophisticated hackers can easily exploit this problem.

TIPS

This is a problem that I will be monitoring a great deal and you should check with Scamicide on a daily basis to get the latest information you need to safely use all of your Internet connected devices.  For now, I urge you to check out the Department of Homeland Security’s latest alert with links to the now available security patches.  If any of your devices use the Linux/UNIX operating system or the Apple Mac OS X, you should be particularly vigilant in making sure your devices are secure.  Here is a link to the Department of Homeland Security’s latest alert: https://www.us-cert.gov/ncas/alerts/TA14-268A

Scam of the Day – September 26, 2014 – Bank tellers charged with identity theft

September 26, 2014 Posted by Steven Weisman, Esq.

For a long time I have told you that you are only as safe from identity theft as the places with the weakest security that have your information.  It is for this reason that I urge you to limit the places that do have your personal information, such as your Social Security number as much as you can.  For example,  your doctor asks for your Social Security number, ask in return if they would be willing to accept your driver’s license.  A doctor does not need your Social Security number; they generally ask for it merely to make collection of overdue bills easier.  Sometimes, however, you have no control over the security breaches that can make you a victim of identity theft.  New York Attorney General Eric T. Schneiderman announced recently that three bank tellers and two other people stole more than $850,000 from the accounts of customers of the banks where the tellers worked and had access to personal and financial information of hundreds of customers.  The banks have reimbursed the customers who lost money in this scam.

TIPS

It is very important to be vigilant in regard to monitoring all of your financial accounts for fraudulent activities.  This means regularly reviewing all of the transactions in your bank accounts, brokerage accounts, credit cards and all other financial accounts that you may have.  The earlier you spot a problem, the easier it is to correct.  This also means monitoring your bills such as your telephone bills for fraudulent charges that may appear through a scam called cramming where regular small charges, sometimes easy to overlook, are put on your phone bill by scammers in various ways.

Scam of the day – September 25, 2014 – GAO report on income tax identity theft and the IRS

September 25, 2014 Posted by Steven Weisman, Esq.

Earlier this week, the General Accountability Office issued a new report dealing with income tax identity theft and what the IRS should be doing to reduce this problem which, last year alone cost taxpayers more than 5 billion dollars in fraudulent refunds paid to identity thieves who stole the Social Security numbers of innocent taxpayers and filed phony income tax returns along with counterfeited W-2s.  A report last year done by the Treasury Department predicted that the IRS will pay out more than 21 billion dollars in fraudulent tax refund checks over the next five years.  As for the innocent taxpayers whose Social Security numbers were used in these fraudulent returns, it sometimes takes as long as a year for the IRS to correct the problem and pay to the real taxpayer his or her legitimate refund.   In its report this week the GAO singled out a significant failing in the way that the IRS processes income tax returns, namely under the present system, W-2s are sent by employers not to the IRS, but to the Social Security Administration who often does not get around to forwarding these to the IRS for matching with already filed income tax returns until July, well after most tax refunds have been paid.  A simple solution would be to require e-filing or simultaneous filing with the IRS of the W-2s before refunds are sent out.  Regular readers of Scamicide.com may remember that I exposed this problem and made the same recommendation more than a year ago in my Scam of the Day of August 3, 2013.

TIPS

In order to avoid income tax identity theft personally, you should file as soon as possible to beat a potential identity thief to the punch.   You should also try to protect the privacy of your Social Security number as much as possible to minimize the opportunity for an identity thief to file an income tax return using your name and number.

Scam of the day – September 24, 2014 – Money flipping scam

September 23, 2014 Posted by Steven Weisman, Esq.

An old scam with a new twist is appearing lately on social media such as Twitter, Facebook, Craigslist and Instagram where an advertisement promises you that through a simple money flipping scheme that takes advantage of quirks in the monetary system, your investment of, for example $100 can quickly be turned into $1,000 by “flipping” and leveraging the money.  In case you need further convincing, the ads often have photographs of happy investors and testimonials about how easy it is.  This is the same type of ploy used by Charles Ponzi, the Godfather of today’s scammers including the infamous Bernie Madoff.  How the scheme works is that all you have to do is to purchase a prepaid debit card and put, for example $100 on the card.  You then provide your card number and PIN from the card to the scammer who promptly steals your money and is never heard from again.  Money lost through prepaid debit cards is impossible to recover which is why they are a payment method of choice of scam artists.

TIPS

Of course, if it sounds too good to be true, it usually is and this money flipping scam is no exception to this rule.  Another important rule in investing is to never invest in anything that you do not totally understand.  Anyone researching this scam would soon learn that it is nothing more than an impossible investment scam.  Finally, always be skeptical if anyone wants you to pay with a prepaid debit card.  Sometimes the arrangement may indeed be legitimate, but it should always put you on guard.

Scam of the day – September 23, 2014 – How LinkedIn can be used to hack companies

September 22, 2014 Posted by Steven Weisman, Esq.

LinkedIn is a very popular social networking service site for business people where 300 million people share knowledge and opportunities.  Unfortunately, however the information provided on LinkedIn can be manipulated in the hands of a hacker to provide information that can be used to hack a business’ computers and data.  If you look up a company on LinkedIn you will find a number of profiles for individual employees of the company.  Many of these will include the employee’s email address.  After viewing a few employee profiles a hacker can determine the protocol used for emails within the company, such as initial of first name, last name@companyname.com.   Using this information, the hacker can send a legitimate appearing email to a company employee that looks like it comes from within the company luring the real employee to either click on a tainted link or enter a username and password.  This can be used to either directly install malware on to the company’s computers through the tainted link or get access through the user name and password of the employee victimized by the scam.  From there it is an easy thing to install malware to steal information from the company.

TIPS

Never click on links in emails, text messages or social media or download attachments until you have absolutely confirmed that they are legitimate.  Also, when it comes to network security, most companies will never ask for an employee’s user name or password.  Again, never provide this information on any website or anywhere else until you have first confirmed that the website is legitimate.  It might be a phony, tainted website merely phishing for your information.  Trust me, you can’t trust anyone.