Scam of the day – February 25, 2014 – Aleksi Kolarov convicted of identity theft

February 25, 2014 Posted by Steven Weisman, Esq.

Although the name of Bulgarian Aleksi Kolarov is probably not familiar to you, it probably should be.  Last Friday, he was convicted of identity theft in federal court in New Jersey.  For years, Kolarov was one of the leaders and operators of the website Shadowcrew.com, a black market website where stolen credit cards, debit cards and bank account information were sold to the approximately 4,000 members of the criminal website.  It has been estimated that Shadowcrew was responsible for the theft of 1.5 million credit cards, debit cards and bank account numbers resulting in fraud losses totaling millions of dollars to the banks issuing the cards and where the accounts were located.  Sentencing is scheduled for May 28th.

TIPS

One of the best things to come out of this case was the international cooperation of law enforcement agencies that it took to bring Kolarov to justice.  Too often today, particular in Russia and China, law enforcement agencies do not cooperate with efforts to arrest international criminals such as Kolarov.  Black market websites still are used to sell stolen credit cards and debit cards.  The credit cards and debit cards stolen in the Target data breach have been available for criminals to purchase on line since December and now as most of those credit and debit cards have been cancelled by the victims, the price of the remaining credit cards and debit cards involved in the data breach that remain unsold has dropped by more than 70% according to Brian Krebs of Krebs Security.  If your credit card or debit card was compromised in the breach and you have still not cancelled the card, you should do so immediately.

Scam of the day – February 24, 2014 – University of Maryland data breach

February 24, 2014 Posted by Steven Weisman, Esq.

A few days ago the University of Maryland disclosed that personal information of more than 300,000 students, faculty and other university employees connected with the university since 1998 was stolen by computer hackers.  In a statement disclosing the data theft, the university said that computer and data security was “a very high priority” the university which is hard to understand because of the lax security that led to the data theft.  Included in the compromised data were names, Social Security numbers, birth dates and other information for all faculty, staff, students and university personnel issued a university identification since 1998.  This information is a veritable treasure trove for hackers who, armed with this information, use it to for purposes of identity theft.  The University of Maryland is by no means alone when it comes to being hacked.  Harvard, Stanford, Cornell, Princeton, Johns Hopkins, the University of Rhode Island,  the University of Arizona, Marquette and more than 50 other colleges and universities have been the victims of data breaches in the last couple of years.  The reason for targeting universities and colleges is simple.  Generally they maintain tremendous amounts of personal information and their record for data security is not good.  Colleges and universities have much personal information that is often easily accessible within the school’s computer systems.  Too often schools have permitted the information to be on unencrypted laptops and flash drives.   In addition many schools do not have sufficient security programs in place to limit access to personal information, which the universities keep in their computers long after it is necessary to be kept, such as Social Security numbers for students who have long since graduated.

TIPS

The schools have got to start giving more than lip service to their commitment to data security. Data breach prevention systems should be implemented that include, but not be limited to updated firewalls, limited access to personal information, purging of unnecessary information  and encryption.  Personal information should not be as open and available as they presently are at this time at many universities.  if you are someone who is a victim of the University of Maryland’s data breach, you should contact the University and accept its offer of a year’s free credit monitoring.  You also should consider putting a credit freeze on your credit report because monitoring only tells you that you have become a victim of identity theft after the fact, a credit freeze can protect you from becoming a victim in many instances.  For information about credit freezes, click on the link on the right hand side of the page where it indicates, “credit freezes.”

Scam of the day – February 23, 2014 – Serious threat to Apple iPhones, iPads and iPods

February 23, 2014 Posted by Steven Weisman, Esq.

A major security defect has been discovered by Apple that if exploited would permit an identity thief to hack into the emails and other communications sent from iPhones, iPads and iPods even if they were encrypted.  This is a potentially devastating flaw as users would believe that their communications were safe because they were using Secure Sockets Layer encryption security to protect their communications.  However, hackers who might gain access through sharing the same wireless network in a public place, such as a coffee shop could exploit this flaw to the extreme detriment of iPhone, iPad, or iPod users who falsely believed that they had taken proper precautions to protect the privacy of their communications and data.  The good news, however is that Apple has come up with a security patch which I provide you with below.  The bad news is that some security experts are now saying that the flaw is also present in Mac OSX, running Apple laptop and desktop computers and as I write this Scam of the day, Apple has not yet come up with a patch for the Mac OSX operating system.

TIPS

If you are an iPhone, iPad or iPod user you should immediately install the critical patch just released to remedy the situation.  Here is the link:  https://www.us-cert.gov/ncas/current-activity/2014/02/21/Apple-Releases-Security-Updates-iOS-devices-and-Apple-TV

Identity thieves and hackers count on people not promptly taking identity theft protection steps necessary to keep themselves safe.   Don’t be a victim.  If you use any of these devices, install the patches as soon as possible.  It is also important to remember that the battle with hackers and identity thieves is ongoing.  At the same time that you are installing a security patch, hackers and identity thieves are busy studying the new patches trying to find flaws.  I will always report to you as soon as new developments occur, so make it a point to check out www.scamicide.com each day.

Scam of the day – February 22, 2014 – The lesson of the massive South Korean data breach

February 22, 2014 Posted by Steven Weisman, Esq.

You may not have heard about the massive credit card data breach that recently was uncovered in South Korea, but it is definitely worth discussing regardless of what country you live in.  Fully 40% of the entire South Korean population had their credit card numbers stolen.  Ironically, the breach has been traced to a rogue employee at the Korea Credit Bureau, a company that provides risk management and fraud detection services.  Itr is alleged that over a year and a half, the employee copied his company’s databases.  Included in the information stolen was identification numbers, addresses and credit card numbers of some of Korea’s largest banks including KB Kookmin Bank, and Nonghyup Bank as well as Lotte Group, a large supermarket chain.  What makes this story particularly intriguing, however is that Korean financial services regulators are punishing these companies for failing to protect their customers’ data.  The banks are now prohibited from issuing credit cards to new customers or making new loans until May as punishment for their lax security.

TIPS

This particular data breach illustrates that data breaches do not always have to be from outside hackers, but can be inside jobs where employees exploit their access to data to steal information that can be used for purposes of identity theft.   It is incumbent upon businesses and governments to provide protection against both inside threats and outside threats.  The technology and protocols to do this are available, yet too many companies and government agencies still neglect to take proper precautions.  Until they do, we the people will always be at risk of identity theft when others hold our personal information.  It is for this reason that you should vigilantly monitor all of your accounts regularly and consider having a credit freeze.  For more information about credit freezes, go to the section on credit freezes on the right hand side of this page or check out “50 Ways to Protect Your Identity in a Digital Age.”

Scam of the day – February 21, 2014 – Telemarketing fraud is still with us

February 21, 2014 Posted by Steven Weisman, Esq.

Although it may seem like telemarketing fraud has been replaced as a source of scams and identity theft by computer-based fraud, according to the National Consumers League, more than 36% of all consumer complaints last year involved telemarketing scams and this figure is an 11% increase from 2012.  The truth is that many times sophisticated computer programs are used in today’s telemarketing scams that enable the scammers to make their calls appear on Caller ID as if they are coming from a legitimate source, such as the IRS through a technique called “spoofing” where your Caller ID is manipulated so that it does not show the real source of the call.  Other times, computers are able to produce millions of illegal robocalls that trick victims into paying a scammer under many different pretenses.  Phony robocalls are actually quite easy to distinguish from legitimate telemarketing calls.  Robocalls are illegal in all instances, so if you get a robocall from Rachel from card Services or anyone else, immediately hang up.  It is a scam.

TIPS

It is important to remember that you can never be sure who is on the other end of a telephone call and if they are legitimate.  For this reason you should never provide personal information or send money in response to any telephone call.  If you do want to take the calls of a telemarketer, ask them to send you written material, which you can then investigate for legitimacy before making any payment.  You also may wish to be more proactive and sign up, if you have not already, for the National Do Not Call List.  Here is the link to go to sign up: https://www.donotcall.gov/

Scam of the day – February 20, 2014 – Health Data Breaches

February 20, 2014 Posted by Steven Weisman, Esq.

The Security company Redspin, Inc. recently released its annual report on data breaches in the healthcare industry and the results were not good.  In 2013 there were 199 major breaches of hospitals, health insurers and others in the healthcare field affecting more than 7 million patients.  In addition, although it was just reported in February, St. Joseph Health System, a five-hospital delivery system in Bryan, Texas was hacked in December of 2013 compromising personal data including the all important Social Security numbers of 405,000 patients and employees.  One of the most disturbing elements of the hacking of these health care providers is that in many cases the breach of security was the result of stolen laptops with unencrypted data.  Astonishingly, federal law only requires health care providers to consider encrypting data when it should be mandatory.

TIPS

This is just another example of the fact that you are only as secure as the place with the weakest security that holds your personal data.  Even if you are doing everything you possibly can to protect the security and the privacy of your personal data, you can still end up as a victim of identity theft due to the negligence and carelessness of people and institutions with which you do business.  I urge you to limit, as much as possible the personal information you provide to businesses and agencies and when you must provide personal information, don’t do so until you have inquired as to the security practices of the company or agency.

Scam of the day – February 19, 2014 – Syrian Electronic Army hacks Forbes.com

February 19, 2014 Posted by Steven Weisman, Esq.

The Syrian Electronic Army (SEA) , about whom I have reported to you many times (you can go to the archives of Scamicide to see these stories) has struck again.  This time its victim is Forbes.com, the website of Forbes Magazine.  For those of you unfamiliar with the Syrian Electronic Army, it is a group of hackers sympathetic to Syrian President Bashar al-Assad.  Forbes was targeted by the SEA because of what it called Forbes’ hatred for Syria.  Along with planting a false story on the Forbes website, the SEA also stole user names and email addresses of Forbes.com customers, raising the possibility of “spear phishing” attacks against Forbes.com’s customers.  The SEA has threatened to make the information available on the Internet to identity thieves.  Identity thieves who send phishing emails and texts often do so in large numbers without knowing the names of the people to whom the phony messages corrupted with keystroke logging malware are sent.  However, in spear phishing the identiy thief knows the name of the intended victim and can make the communication look more legitimate by containing the victim’s name.  In addition, the spear phishing text or email can be made to look as if it comes from Forbes.com or some other entity that is trusted and used by the victim which also can lead the victim to be less skeptical of the message and make the victim more likely to click on links in the message or download attachments to the message corrupted with malware.

TIPS

Again, the lesson is that you are only as secure as the places with the weakest security that hold your personal information.  If you are a subscriber to Forbes.com, you should change your password.  If you use the same password elsewhere, change it too.  For convenience many people make the mistake of using the same password for all of their accounts, which means that when your password is stolen from one place, all of your accounts using that password are in jeopardy.  This is a good lesson for all of us regardless of whether or not you were a victim in this particular data breach.  This hacking once again raises the question as to why major corporate websites, such as the many who have been hacked by the SEA are not doing more to keep their computers secure.  Finally, as I always remind you, never click on links in emails or text messages or download attachments unless you are absolutely sure that they a legitimate and have confirmed this to be so.

Scam of the day – February 18, 2014 – Internet Explorer security flaw

February 18, 2014 Posted by Steven Weisman, Esq.

Internet Explorer is an extremely popular web browser.  Recently, however, a flaw in Internet Explorer 10 was uncovered and exploited by hackers who used the flaw which was used by hackers to insert a link in the website of the website of the Veterans of Foreign Wars that contained infectious code in the website’s Adobe’s Flash software.  In the past similar type attacks originated in China seeking military information in the computers of visitors to similar websites.

TIPS

The newer Internet Explorer 11 is not vulnerable to this attack.  The present attack is limited to Internet Explorer 10 on systems that use Adobe Flash and do not have the Microsoft Enhanced Mitigation Toolkit (EMET).  If you use Internet Explorer you may wish to upgrade to Internet Explorer 11 or install the EMET.  It is always important whenever software vulnerabilities are discovered to install the latest security patches as soon as they are available.  Here is a link to Microsoft’s Vulnerability Note regarding this problem: http://www.kb.cert.org/vuls/id/732479

Scam of the day – February 17, 2014 – Kickstarter hacked – the lesson for all of us

February 17, 2014 Posted by Steven Weisman, Esq.

Over the last couple of years I have often reported to you about data breaches at major companies who have been hacked.  The recent Target hacking although particularly large, was not particularly unusual.  Two days ago, Kickstarter disclosed that it had been hacked.  Kickstarter is a crowdfunding platform that helps creative people raise fund for their projects by appealing to the public for funds.  In the almost four years since it was launched, Kickstarter has helped fund more than 50,000 artistic endeavors.  According to Kickstarter’s CEO, no credit card data of its customers was compromised, however user names, email addresses, mailing addresses, phone numbers and encrypted passwords were stolen.  This information can readily lead to identity theft through a technique called “spear phishing” by which emails and text messages can be sent to the potential victims by name which may make them appear more legitimate.  These texts and emails lure people into either providing personal information under various legitimate appearing pretexts or by getting the victims to click on links or download attachments riddled with keystroke logging malware that will steal all of the information from your computer or smartphone and use it to make you a victim of identity theft.  In addition, people with weak passwords, such as  the popular”123456″ or “password” may have their Kickstarter encrypted passwords easily unencrypted providing access not only to the victim’s Kickstarter account, but possibly other accounts where the victim uses the same password.

TIPS

If you are a customer of Kickstarter, change your password immediately and everyone who uses the same password for all of their accounts should change their passwords to unique passwords for each account.  You can get detailed information as to how to pick an easy to remember, complex password in my book “50 Ways to Protect Your Identity in a Digital Age,” but a simple rule is to use a phrase, capital letters, small letters and symbols, such as “ICan’tRememberit!!!.”  This is easy to remember and hard to break.  Also, make sure that you have the most current, updated anti-malware software and anti-virus software installed on all of your electronic devices including your computer, tablet and smartphone.

Scam of the day – February 16, 2014 – Latest Target information – what it means to you

February 16, 2014 Posted by Steven Weisman, Esq.

Although we have known for some time that the hacking of Target was accomplished through the initial hacking of Fazio Mechanical, a heating and air conditioning company that does business with Target and  had access to Target’s computers for billing and ordering purposes, it was not until recently that we learned that the way that Fazio was hacked was through a common technique called “spear phishing” where the victim receives an email directed to them by name that appears legitimate or promises something enticing, such as free pornography or videos of a newsworthy or otherwise intriguing event. Once the victim clicks on the link in the email or downloads the attachment in the email, malware is downloaded on to the victims’ computer that provides access to the all of the information in the victim’s computer, which in this case included the information necessary to access the Target computer system.  Even though Fazio’s computers were protected by anti-malware programs, either its program was not as good as necessary or it was merely not current with the latest malware threats.  Anti-malware software programs are generally at least thirty days behind the latest malware threats.

Also criticism is now being made of Target’s offer of one year’s worth of free credit monitoring service through Protect MyID.  The problem is twofold.  First, credit monitoring merely helps to inform you that you have already become a victim of identity theft.  It does nothing to prevent identity theft.  But even further Target’s program which is done through the credit reporting bureau Experian only provides you with credit monitoring of your Experian file.  It does not provide you with monitoring of your file with the other two credit reporting agencies, Equifax and Transunion, which makes the monitoring incomplete.  Experian does offer you the additional monitoring for a year, but for a fee that can be as much as $75.

TIPS

The first lesson is that you should never click on links or download attachments unless you are absolutely sure that the links or downloads are legitimate.  Always confirm before you download.  Second, you cannot rely on your anti-malware software to be 100% effective.  Ultimately it is up to you not to download questionable material.  All of that being said, you should make sure that you have anti-malware and anti-virus software on all of your electronic devices and make sure that you keep the software up to date with the latest security patches and updates.

Finally although credit monitoring does offer some benefits, preventing identity theft through pro-active steps such as putting a credit freeze on your credit reports at each of the three major credit reporting agencies is a better way to protect yourself from identity theft in the event your personal information is compromised.  You can find how to put a credit freeze on your credit report by going to the section on “credit freezes” on the right hand side of this page.