Scam of the day – February 4, 2014 – What does the Yahoo email breach mean to you?

February 4, 2014 Posted by Steven Weisman, Esq.

A few days ago, Yahoo announced that its email security had been breached.  Yahoo is the second largest email provider with approximately 273 million users.  The actual breach, which involved the theft of both usernames and passwords, was accomplished not by hacking Yahoo directly, but rather by hacking a third party website’s database that allowed the use of Yahoo email addresses to establish customer accounts.  Similarly, the recent breach of Target also appears to have been accomplished by hacking into a Target vendor’s systems to obtain the credentials necessary to, in turn, breach the security of Target.  Many people may not be particularly alarmed that all that was taken in the Yahoo hacking were usernames and passwords; however, because people often use the same username and password for multiple accounts, including online banking, the threat posed by this hacking could be quite serious.  In addition, these usernames and passwords could be used by identity thieves for “spear phishing,” a technique by which identity thieves send specifically targeted messages to potential victims that appear to come from trusted sources, thereby making the potential victim more likely to click on a link or download an attachment in the email.  That link or attachment would be riddled with malware that will steal all of the information from a person’s computer or other electronic device and use that information to make the person a victim of identity theft.

TIPS

If you are a user of Yahoo email and haven’t already done so, change your username and password for Yahoo email.  Even if you are not a Yahoo email user, you should make sure that all of your online accounts have different user names and passwords because the risk of your being a future victim of a similar type of data breach is very high.  It is a good idea to change your passwords every few months and make sure that the password is at least eight characters long and is a mixture of letters and symbols.  For tips on how to pick a good password, check out my book “50 Ways to Protect Your Identity in a Digital Age.”

Scam of the day – February 3, 2014 – Small charge on credit card scam

February 3, 2014 Posted by Steven Weisman, Esq.

This particular scam has been around for ten years, but with the increased hacking of credit card information from major retailers such as Target, the scam has been increasing in frequency.  The scam starts when your credit card number is compromised and falls into the hands of an identity thief.  Although this can happen in a myriad of ways, one of the more common ways is that the people who hack large numbers of credit card numbers from companies such as Target sell the numbers to identity thieves on black market websites.  Some identity thieves will buy thousands of credit card numbers and then set up phony online businesses from which they make monthly charges on the cards in small amounts, such as $9.84.  Why, you might ask, do they use this number?  Many people do not scrutinize their monthly credit card statement sufficiently, particularly when the charge is an innocuous, small amount that is less than ten dollars and appears to be made to a legitimate sounding company, thus enabling the scam to continue for great periods of time before it is discovered.  This scam has been a particular favorite of identity thieves in Cyprus, the UK and India who have gone to great effort to create websites for phony, but legitimate looking companies from which these charges are made.

TIPS

In a famous quote attributed to a number of early American Revolutionary leaders including Thomas Jefferson, “the price of liberty is eternal vigilance.”  That quote is certainly applicable to life today in regard to avoiding scams and identity theft.  It is important to review your credit card statements, bank statements and other account records carefully each month and even more often, online.  Identifying any irregularities or improper activities and reporting them immediately is a good way to protect yourself from serious identity theft.

Scam of the day – February 2, 2014 – Multi-national effort results in arrest of hackers

February 2, 2014 Posted by Steven Weisman, Esq.

Many of you may be familiar with my motto that “things aren’t as bad as you think – they are far worse,” at least in regard to scams and identity theft, but I am happy to report to you today that through a joint effort of law enforcement agencies in Romania, India, China and the United States, criminal charges were recently brought against two Arkansas men, Mark Anthony Townsend and Joshua Alan Tabor, for allegedly operating a black market website, www.needapassword.com, on which they would illegally obtain email passwords and sell them to hackers.  According to the FBI, Townsend’s and Tabor’s efforts resulted in the hacking of approximately 6,000 email accounts.  In addition to the arrests in the United States of Townsend and Tabor as well as three of their customers in California, Michigan and New York, arrests were also made in Romania, India and China of other people allegedly operating similar criminal enterprises, including the arrest in China of Ying Liu for running the black market website www.hacktohire.net.  Perhaps the most positive takeaway from these arrests is the extensive cooperation between these countries, particularly China, which has not been particularly helpful in the past in taking actions against hackers attacking people outside of China.

TIPS

Hacking into a person’s email is far from innocuous.  Often people will have great amounts of personal information that can be mined for identity theft purposes.  In addition, access to a person’s email account also provides their list of email contacts, which can be further exploited to make the people on the contact lists victims of identity theft through a technique called spear phishing.  In spear phishing, an email appears to come from a trusted friend’s email address when, in fact, the email is coming from an identity thief who may have a link or a download containing malware in the email.  The person receiving the email trusts it and clicks on the link or downloads the attachment to their detriment, because it often may contain keystroke logging malware that enables the identity thief to steal all of your personal information from your computer.  The two things that you can do to protect yourself are, first, to use a strong password that is difficult to break and also a security question, the answer to which is not readily determined by a search of information on the Internet.  Sarah Palin’s email was hacked when the hacker was able to change her password by answering her security question as to where she met her husband.  The hacker obtained the answer by merely going to Wikipedia.  Even if you are not famous, you still may have a security question with an answer that a hacker could find, such as the name of your pet or your mother’s maiden name.  Instead, I suggest you use a nonsensical answer to your security question, such as the name of your favorite vegetable and make the answer “seven.”  For information as to how to set up a good password, check out my book “50 Ways to Protect Your Identity in a Digital Age.”  On the right hand side of this page is a link to Amazon.  A good password is long and mixes letters and symbols.  The second thing you should do is never download attachments in emails or click on links until you have confirmed that they are legitimate.  Merely because the email containing the link or attachment appears to come from a trusted source does not mean that the link or attachment can be trusted.

Scam of the day – February 1, 2014 – ACH deposit scam

February 1, 2014 Posted by Steven Weisman, Esq.

Today’s scam comes to me from a reader of Scamicide who sent me the story about how her bank account had a couple of thirty-two cent deposits into her account followed by withdrawals of $500.  The reader was vigilant and reported the fraudulent withdrawals immediately and the bank, as it is required to do, reimbursed the stolen money out of the bank’s funds.  Although many people are not familiar with this particular scam, it has been around for at least 7 years.  It is called the ACH deposit scam.  ACH is an acronym for Automated Clearing House, which is used to make electronic deposits and withdrawals from bank accounts, such as when some people receive their paycheck through a direct deposit into their account or an automated payment from the account for a regular bill that you have authorized.  In this instance a scammer uses software to generate entirely random bank account numbers and then makes deposits as small as a penny into these accounts.  When a deposit goes through, the scammer knows that the program has identified a valid account number and he then sends out an ACH withdrawal to the account.  The ACH withdrawal from the scammer looks legitimate and may even have the name of a legitimate company, but the unauthorized ACH withdrawal is a scam.  In an effort to prevent this scam from occurring, some banks will not permit ACH withdrawals that have not been initiated internally from the bank, but many banks do not take this precaution.

TIPS

It is easy to overlook or ignore deposits of just a few cents into your bank accounts, but you do so at your own peril.  Make sure that you regularly review all of your bank account transactions at least once a month and report any irregularities to avoid becoming a victim of the ACH deposit scam.  It is preferable to view your account records online more often than once a month.
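The pattern described in this post, written as a check you could run over a transaction export.  This is an added example, not code from Scamicide or from any bank; the record fields, the originator IDs, the one-dollar threshold and the 14-day window are assumptions, and the sample entries are constructed to mirror the reader's story.

```python
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class AchEntry:
    posted: date
    kind: str        # "credit" (deposit) or "debit" (withdrawal)
    cents: int       # integer cents, so no float rounding
    originator: str  # originator ID shown on the statement (hypothetical field)


def review(entries, authorized, micro_cents=100, window_days=14):
    """Flag tiny deposits from originators the account holder never
    authorized, and any unauthorized withdrawal that follows one.

    The withdrawal is matched by timing, not by name, because the post
    notes it may carry the name of a legitimate company.
    """
    entries = sorted(entries, key=lambda e: e.posted)
    window = timedelta(days=window_days)
    probes = [e for e in entries
              if e.kind == "credit"
              and e.cents <= micro_cents
              and e.originator not in authorized]
    # Report every probe on its own: it is worth a call to the bank
    # before any money has left the account.
    alerts = [("unsolicited-micro-deposit", p) for p in probes]
    for e in entries:
        if e.kind != "debit" or e.originator in authorized:
            continue
        if any(timedelta(0) <= e.posted - p.posted <= window for p in probes):
            alerts.append(("debit-after-probe", e))
    return alerts


# Originators the account holder has actually set up (constructed).
AUTHORIZED = {"PAYROLL-ACME", "CITY-UTILITY", "BROKERAGE-LINK"}

# Constructed sample: two 32-cent deposits followed by $500 withdrawals,
# mixed in with ordinary activity.
SAMPLE = [
    AchEntry(date(2014, 1, 2), "credit", 185000, "PAYROLL-ACME"),
    AchEntry(date(2014, 1, 6), "credit", 32, "XQ-7731"),
    AchEntry(date(2014, 1, 6), "credit", 32, "XQ-7731"),
    AchEntry(date(2014, 1, 7), "debit", 6150, "CITY-UTILITY"),
    AchEntry(date(2014, 1, 9), "debit", 50000, "BILLPAY-SVC"),
    AchEntry(date(2014, 1, 10), "debit", 50000, "BILLPAY-SVC"),
    # A small verification deposit from a service the holder did link
    # is expected and must not raise an alert.
    AchEntry(date(2014, 1, 15), "credit", 17, "BROKERAGE-LINK"),
]

if __name__ == "__main__":
    for label, e in review(SAMPLE, AUTHORIZED):
        print(f"{e.posted}  {label:26}  ${e.cents / 100:>8.2f}  {e.originator}")
```

The two 32-cent deposits are flagged as soon as they post, which is the point at which reporting them can stop the later withdrawals.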

Scam of the day – January 31, 2014 – Identity theft ring busted in New York City

January 31, 2014 Posted by Steven Weisman, Esq.

Recently Manhattan District Attorney Cyrus R. Vance, Jr. announced the arrest of thirteen people for identity theft perpetrated through skimmers installed in gas pumps at gas stations in Texas, Georgia and South Carolina.  Skimmers, as I have told you many times previously, are small electronic devices that are often installed by identity thieves on ATMs and other devices, such as gas pumps, that have credit card swiping capabilities.  The skimmer captures the information from the inserted credit card or debit card and transmits the information to the identity thief who is then able to use that information to make phony credit cards and debit cards to steal money from the victim of identity theft.  In this case, the skimmers were installed on gas pumps at Raceway and RaceTrac gas stations in Texas, Georgia and South Carolina.  The stolen information was transmitted from the skimmer using Bluetooth technology to the identity thieves who then made phony credit cards using that data which they then used to withdraw cash from ATMs in New York City.

TIPS

Certainly if you used a credit or debit card at a Raceway or RaceTrac gas station in Texas, Georgia, or South Carolina in 2012 or 2013, you should check your credit card statements and bank account statements for evidence of any fraudulent use although frankly we should all check our credit account statements and bank account statements at least once a month and preferably more often.  If you find irregularities, report them to your bank or credit card company immediately.  Also, whenever you use a credit or debit card swiping device, you should always carefully inspect the device for any evidence of tampering.  Skimmers can be quite thin, but are most often visible if you carefully inspect the device you are using.  If the device seems at all peculiar, don’t use it.

Scam of the day – January 30, 2014 – Beware of the Internet of things

January 30, 2014 Posted by Steven Weisman, Esq.

As if we all didn’t have enough to worry about, now we have the Internet of things about which to be concerned.  As more and more of the things we use become connected to the Internet, including but certainly not limited to cars, refrigerators, coffee makers and thermostats, it becomes tremendously convenient, for example, for us to use our smart phones to program our thermostats from afar so that our homes will have the proper temperature when we return from a day at work.  But every technological advance, regardless of how constructive it may seem, has the potential to be exploited by scammers, hackers and identity thieves.  I have already told you about the very real concerns about cars being able to be hacked and controlled from afar.  Check out the archives of Scamicide for more information about that particular issue.  Now, however, a new problem has surfaced.  The Internet security company Proofpoint has recently found that a botnet of more than 100,000 was made up not only of computers that had been hacked; 25% of the botnet was made up of Internet connected devices including televisions and refrigerators.  A botnet, as I have informed you previously, is a network of hacked electronic devices used by scammers and identity thieves to spread malware while avoiding detection.  You can find more about botnets in the archives of Scamicide and in my book, “50 Ways to Protect your Identity in a Digital Age.”

TIPS

The danger posed by botnets of devices that are part of the new Internet of things is quite real and very chilling.  Although many of us would not think of neglecting to provide proper security software for our computers, laptops, tablets and smartphones, many people do not consider what they need to do to maintain the privacy and security of their refrigerator, car and other devices that are a part of the new Internet of things.  Unfortunately, among the people not giving enough attention to security in the Internet of things are the very companies developing these products.  The most effective place to find a helping hand is at the end of your own arm, so whenever you are considering purchasing a convenient device with Internet capabilities, make sure you inquire as to the necessary security steps to take to make your use of the device safe.

Scam of the day – January 29, 2014 – The scam artist only rings once

January 29, 2014 Posted by Steven Weisman, Esq.

“The Postman Always Rings Twice” was a classic movie from 1946 that was remade in 1981 starring Jack Nicholson.  Perhaps the postman always rings twice, but scam artists only need to ring once to hook you into a scam that can add hundreds of dollars to your phone bill.  The scam starts innocently enough with a call to your cell phone from a number that you don’t recognize.  However, before you have a chance to decide whether or not to take the call, the caller disconnects the call after only a single ring.  Curiosity, it is said, killed the cat and curiosity can end up turning you into a victim of a scam because if you call back the number, usually from an area code you will not recognize, in this particular scam you will end up calling a premium rate telephone number for a service such as music, psychics or even pornography that will result in your incurring a charge on your phone and the longer you stay on the line, the higher the charges will be.  Many of these calls are originating from various Caribbean islands, such as Antigua, Barbados, the Dominican Republic and Grenada.  The scam started many years ago in Jamaica where the area code is 876.

TIPS

Don’t fall prey to your curiosity.  It could end up costing you money.  If you are tempted to return a call that hung up after just one ring, Google the area code and if the call originated in a foreign country, particularly one from a Caribbean country such as Jamaica and the infamous 876 area code, you should not return the call.  Consider yourself lucky that you have dodged a scam attempt.  The safest and best thing to do if you do get a call that disconnects after just one ring is to just ignore it.

Scam of the day – January 28, 2014 – The untold story of the hacking of Michaels

January 28, 2014 Posted by Steven Weisman, Esq.

This past weekend, Chuck Rubin, the CEO of Michaels, the country’s biggest arts and crafts store, issued the following statement: “We are concerned there may have been a data security attack on Michaels that may have affected our customers’ payment card information and we are taking aggressive action to determine the nature and scope of the issue.”  Thus Michaels becomes the third large national retail store chain to become involved with a major hacking of its credit and debit card data following Target and Neiman Marcus.  What Michaels’ short statement did not indicate is that the company is still not even sure that it has been hacked, although every indication is that it has been.  As in the case of the hackings of both Target and Neiman Marcus, it was not the company that discovered that its security had been breached, but rather the banking industry which discovered a pattern of fraudulent purchases using credit and debit cards recently used at Michaels.  So although the evidence is pretty strong that Michaels has been hacked, security experts and Michaels have still not been able to identify how the hacking occurred, which is indeed troubling because it means that newer and even more advanced malware was likely used to perpetrate the hacking.  As I told you just a couple of days ago, you can expect to hear this story again and again in the new year.

TIPS

Once again, I want to advise you that you should limit your debit card’s use to ATM machines.  Do not use it for retail purchases because the consumer protections provided to you by law just are not as great as they are for fraudulent use of your credit card.  Also, as I advised you previously, you may wish to consider putting a credit freeze on your credit report at each of the three major credit reporting agencies to protect you from an identity thief getting access to your credit report in order to use your credit to make large purchases in your name.  You can find detailed instructions as to how to put a credit freeze on your credit report by clicking on the link designated as “credit freezes” on the right hand side of this page.  Finally, for your own protection of your computer, smart phone and other electronic devices, you should make sure that you have installed anti-virus software and anti-malware software.  You should also make sure that you keep this software current with the latest updates as soon as they are available; however, as the situation with Michaels illustrates, new strains of malware are always at least thirty days ahead of the anti-malware software that protects you from those malware programs, so you should always be wary of phishing and other techniques used to lure you into unwittingly downloading malware.  You can learn in detail how to protect yourself from phishing and other threats by reading my book “50 Ways to Protect Your Identity in a Digital Age” which can be ordered by clicking on the icon of the book on the right hand side of this page.

Scam of the day – January 27, 2014 – Coca Cola data breach

January 27, 2014 Posted by Steven Weisman, Esq.

A few days ago, Coca Cola disclosed that a number of laptops had been stolen from its corporate headquarters in Atlanta.  These laptops had personal data of up to 74,000 people and, most disturbingly, the data had been stored on the laptops totally unencrypted.  The laptops have been recovered, but it is not yet known whether the affected individuals are in increased danger of identity theft due to the original theft of the laptops.  Among the information on the laptops were the names and Social Security numbers of 18,000 Coca Cola employees as well as personal information including driver’s license numbers on another 54,000 people.  This is the latest instance of a disturbing trend of companies and government agencies not taking the basic security step of encrypting personal data on portable laptops.  NASA has been victimized twice by theft of laptops with sensitive personal information.  It shouldn’t take a rocket scientist to figure out that this information should be encrypted.

TIPS

What can you do to protect yourself from this type of corporate negligence?  The first thing you can do is to ask any company that holds personal information about you whether they encrypt the data and, if not, why not.  You should also ask about what other security steps they take to preserve the privacy of your information.  Finally, you may wish to consider putting a credit freeze on your credit report, which will prevent anyone who does get access to your personal data, such as your name and Social Security number, from being able to access your credit report for purposes of utilizing your credit to make a large purchase.  You can find information as to how to put a credit freeze on your credit report by clicking on the link on the right hand side of this page where it reads “credit freezes.”

Scam of the day – January 26, 2014 – FBI warns retailers of future hacks

January 26, 2014 Posted by Steven Weisman, Esq.

Recently the FBI issued a warning to retailers throughout the country warning them that the type of recent hacking of their credit and debit card payment systems that was used against Target and Neiman Marcus can be expected to be used against many more retailers in 2014.  The malware used in these attacks infects point of sale systems (POS) such as credit card swiping devices and, in some instances, cash registers at check-out counters.  This malware, referred to as a “RAM scraper” intercepts the information on the card’s magnetic stripe in the brief moment before the data is encrypted and then transmits the information to the hacker.  This type of malware is presently being sold to identity thieves on the black market for as little as $1,000 or as much as $6,000 for more advanced editions of the malware, which must then be downloaded on to the company’s computer system, most often through sophisticated phishing tactics or an insider co-conspirator.  Presently the retailers do not have security software capable of preventing such attacks.  At the present time they can only attempt to identify the attack as soon as possible in order to then take the steps to remove the malware.  Although Target has gotten most of the publicity for its attack, smaller retailers with less sophisticated systems are probably more at risk and, in fact, may already have had their security breached, but not yet recognized the attack.

So what does this mean to you?

TIPS

You may wish to discontinue using the self-swiping device present at many stores and instead ask the clerk to swipe your card directly through the cash register, which is somewhat more secure.  I say somewhat because the cash registers are also able to be hacked, but they are somewhat less vulnerable and more secure than the credit card self-swiping devices we use in stores.  Perhaps the most important thing you can do is, as I have advised you previously, refrain from using your debit card for shopping because the consumer protection laws regarding debit cards are much weaker than the laws regarding fraudulent use of your credit card.  Potentially the entire bank account to which you have tied your debit card is at risk if you are a victim of a Target-like hacking, not to mention the inconvenience even if you identify the breach immediately.