Scam of the day – January 13, 2015 – President Obama proposes legislation to combat identity theft

January 13, 2015 Posted by Steven Weisman, Esq.

Yesterday, in a speech at the Federal Trade Commission, President Obama urged the passage of the Personal Data Notification and Protection Act, which would set a national standard requiring companies that have been hacked and suffered data breaches to notify affected customers within thirty days of learning of the breach.  Presently, there is no federal standard although 48 states have varying laws that apply to notifications by companies suffering data breaches.  This was the first of a number of speeches involving cybersecurity that the President will be giving leading up to his State of the Union address in which he is expected to make this topic a major part of his speech.  Although this seems like a good first step toward greater cybersecurity, some consumer advocates are concerned that a new federal standard may not be as strong as that provided by some states and that the federal law could preempt these more protective state laws.

TIPS

Cybersecurity has got to be made a greater priority by both business and government, however, regardless of what is done in this regard by private industry and the government, it is important to remember that if you are looking for a helping hand, the best place to find it is at the end of your own arm.  We cannot solely rely on corporations and government to protect our privacy and security.  We all must do the best we can to protect ourselves from identity theft and maintain our privacy as best we can.  You can find many specific tips on how to do this in my book “Identity Theft Alert” which can be ordered from Amazon by clicking on the link on the right hand side of the page.

Scam of the day – January 12, 2015 – Hackers attack German steel mill

January 12, 2015 Posted by Steven Weisman, Esq.

With all of the attention directed at the hacking of Sony Pictures by hackers associated with North Korea, much less attention was given to perhaps an even more ominous cyberattack done around the same time to a German steel mill.  Unknown hackers gained access to the steel mills computers, as they often do in attacks against major companies, through spear phishing of employees by which they lured unwitting employees to click on links or provide information under the belief that the emails they received were sent by upper management within the company.  Armed with the information gathered through the spear phishing, the hackers gained control of the blast furnaces of the steel mill that contained intensely heated molten metal.  According to BSI the German government’s office of information security, massive damage was done through the hacking although BSI did not specify what physical damage occurred as a result of the hacking.  This is only the second confirmed hacking event where a cyberattack has been used to destroy physical materials and equipment.  You have to go back all the way to 2007, when the Stuxnet malware was used to destroy Iranian centrifuges at a uranium enrichment plant to find a precedent.

TIPS

Many of us have warned governments and private industry of the extreme danger posed by cyber sabotage of essential infrastructure of countries around the world.  It is hoped that in the light of the this threat and the attention brought to hacking by the Sony hacking, that a more concerted effort will be made by both governments and corporations to make their systems more secure.  President Obama has tried unsuccessfully for years to get Congress to act and will highlight cybersecurity in his upcoming State of the Union address.  It is hoped that his words and the words of security experts around the world will be heeded.

Scam of the day – January 11, 2015 – Swiss bank rejects ransom demand after hacking

January 11, 2015 Posted by Steven Weisman, Esq.

Following a pattern I have warned you about in Scams of the Day for more than three years, yesterday the Swiss bank Banque Cantonale de Geneve became a victim of a hacking in which the hackers, a group called Rex Mundi, made public personal information of the bank’s customers including their names, email addresses, phone numbers and account numbers along with copies of customers’ emails to the bank when the bank refused to pay a ransom of ten thousand euros, which is equivalent to about twelve thousand dollars.  It should be emphasized that customers’ accounts were not hacked.  Access to those accounts requires multiple passwords and codes in order to gain access to the accounts and that information was not obtained in the hack of 30,000 emails.

Rex Mundi is a group of hackers from France, Austria and Germany who have hacked other companies in search of ransom, most notably Domino’s Pizza franchises in France and Belgium, which also refused to pay the ransom.

TIPS

The good news is that the information obtained by the hackers did not represent a critical loss to either the bank or its customers and the fact that the hackers were not able to access customers’ accounts is a small testament to the value of the increased security that banks and other companies are employing in an effort to fight cybercrime.  The bad news is that those affected customers may well expect to receive spear phishing communications directed to them by name that appear to come from their bank and even will carry their account number that will be used by the hackers to lure the customers into revealing personal information or trick them into clicking on links to download malware to be used to make the customers victims of identity theft.  As always, you should never supply personal information or click on links unless you are absolutely sure and have confirmed that the communication is legitimate.

Scam of the day – January 10, 2015 – Scam videos of the Charlie Hebdo terrorist attacks

January 10, 2015 Posted by Steven Weisman, Esq.

The fear and concern following the attack by terrorists that attacked the offices of the satirical magazine Charlie Hebdo and a Jewish supermarket in Paris is finally over after 53 hours.  The aftermath of the attacks include the deaths of twelve people at Charlie Hebdo’s offices and four more innocent people at the supermarket.  All three terrorists whose attacks were coordinated are also dead.  Much of the public around the world have been glued to their televisions and computers watching the events unfold.  Among the people whose attention has been focused on these events were scammers who are always looking to capitalize on events that capture the public’s interest.  If patterns follow, you can expect that you will be receiving emails, text messages or social media communications promising “shocking video” of these attacks.  Again, the familiar pattern is that you are told that these are exclusive videos that you can see nowhere else.  We have seen this type of scam following major natural and unnatural disasters in including Tsunamis and plane crashes.  Once you click on the links in the various communications, you end up downloading keystroke logging malware that will steal the information from your computer and use it to make you a victim of identity theft.

TIPS

Regardless of the purported source of any email, text message or social media communication, you can never be sure that the source is indeed who it says it is or that it is legitimate.  Never ever click on links in any form of communication unless you have absolutely confirmed that it is legitimate.  The risk is too high.  Even if your electronic devices are protected by anti-virus and anti-malware software, the best security software is always at least a month  behind the latest viruses and malware.  If your curiosity gets the best of you, limit your search to legitimate news websites and, even then, make sure that you type in the website address correctly so you don’t get misdirected to a phony phishing website that appears to be the legitimate website that you seek, but actually is a scam website that will try to lure you into clicking on tainted links.  Google searches are also a dangerous way to look for “shocking video” due to the fact that merely because a website may turn up high on a Google or other search engine search, does not mean that the website is legitimate.  All it means is that the person creating that website was good at Search Engine Optimization (SEO) which is knowing how to adapt the makeup of a website to place high in the algorithms used by search engines to rank websites for searches.

Scam of the day – January 9, 2015 – Post holiday delivery scam

January 9, 2015 Posted by Steven Weisman, Esq.

Although the holiday shopping season is essentially over, there are still many people who may have ordered gifts at the last minute that are just starting to arrive and scammers are taking advantage of this situation.  Reports are surfacing of people receiving communications purporting to be from national retailers either by email or social media messages in which the people receiving the messages are told that their delivery is ready for pickup or delivery.  The messages and emails often look quite legitimate and carry the logo of the particular retailer from whom the message appears to be sent.  As is an essential part of this type of scam, the email or social media message contains a link which you are advised to click on for more delivery information and that is where the problem starts.  Clicking on the link either will take you to a website that asks for personal information used to make you a victim of identity theft or, even worse, merely by clicking on the link, you will have unwittingly downloaded keystroke logging malware that will steal all of the information from your computer and use it to make you a victim of identity theft.

TIPS

Just as the IRS does not initiate contact with taxpayers by telephone so that if you get a call purporting to be from the IRS you know it is a scam, so do retailers not communicate about deliveries with customers by way of Facebook and other social media.  It certainly is important to keep track of all of your legitimate orders from retailers so if you get such an email message, you can ignore it, knowing you do not have a delivery, but even if you have any question that it may be a legitimate message, you still shouldn’t click on any link without confirming that it is legitimate and the best way to do that is to call or go to the website of the company directly at a telephone number or website address that you know is correct.  Don’t use the phone number or website address provided in the email. Remember, “trust me, you can’t trust anyone.”

Scam of the day – January 8, 2015 – Hackers steal 5 million dollars worth of Bitcoins

January 8, 2015 Posted by Steven Weisman, Esq.

Earlier this week, the British Company Bitstamp was forced to suspend its operation following a hacking of the company in which five million dollars worth of Bitcoins, the electronic currency, was stolen.  Hacking is not unusual in the world of Bitcoin exchanges.  In February of 2014, Mt. Gox, then the largest Bitcoin exchange went out of business following a massive hack resulting in the theft of 437 million dollars worth of Bitcoins.  It should be noted, however, that the amount of Bitcoins stolen in this hacking represents only a small amount of the Bitcoins held by Bitstamp which wisely locks most of their Bitcoins in computers that are not connected to the Internet and therefore not susceptible to hacking.  This is the type of security that companies such as Sony should be doing when trying to protect some of their digital assets and data.

TIPS

Bitstamp has indicated that it is shutting down only temporarily as a security precaution, however, they warned Bitstamp customers not to make deposits to previously issued deposit addresses.  Although Bitcoins continue to grow in acceptance and use, it is important for people using this form of digital currency to be sure that the companies with which they do business in this regard are providing heightened security.

Scam of the day – January 7, 2015 – Latest security updates from the Department of Homeland Security

January 7, 2015 Posted by Steven Weisman, Esq.

Constant updating of the software we all use with the latest security patches and updates is a critical part of avoiding scams and identity theft threats.  Whenever new security updates and patches are issued, we provide access to these so that you can update your software to provide better security on your computers, smartphones, laptops and other electronic devices.  Updating your software with the latest security patches and updates as soon as possible is important because identity thieves and scammers are always finding and exploiting vulnerabilities in the software that we all use.  Delay in updating your software could lead to disastrous results.  However, it is also important to be sure that you are downloading legitimate patches and updates rather than being tricked by an identity thief or scammer into downloading malware under the guise of downloading a security patch or update.  That is why we provide links to the necessary patches and updates as provided by the Department of Homeland Security and the companies directly.  Today’s updates includes an important Facebook security update

TIPS

Here are the links to the latest Department of Homeland Security software updates and security patches: https://www.us-cert.gov/ncas/bulletins/SB15-005

Scam of the day – January 6, 2015 – iCloud security problem fixed

January 6, 2015 Posted by Steven Weisman, Esq.

The security vulnerability with Apple’s iCloud exposed by a hacker who calls himself Prox13 about which I reported to you just the day before yesterday has been promptly fixed by Apple.  According to Prox13, the vulnerability enabled a tool called iDict to be used to hack iCloud accounts effectively avoiding both security questions and two-factor authentication.  What was unusual about this particular vulnerability was that when “white hat” hackers find out about vulnerabilities in the various computer programs we use, they generally contact the company’s directly in order to assist in the orderly remedying of the problem without alerting “black hat” hackers to the vulnerability which they, in turn would be able to exploit.  Prox13 did not appear to be interested in using the tool for bad purposes, however, he went public with his discovery rather than contact Apple directly to warn them of the problem.

TIPS

You may remember that the recent nude celebrity photo hacking dealt with iCloud, however, the fault, in those hackings was not with Apple, but rather with the individual celebrity iCloud users who did not take their own proper security precautions, such as using the very effective dual factor authentication, which would have prevented the hackers from gaining access to the celebrities photos.  This is also a good lesson to all of us to use complex passwords, strong security questions and dual factor identification whenever offered to protect our own security.

Scam of the day – January 5, 2015 – New utility scam

January 5, 2015 Posted by Steven Weisman, Esq.

I have warned you numerous times over the years about scams that start with a phone call that purports to be from a utility company, such as your electricity provider or telephone company, demanding payment of your bill immediately or your service will be terminated.  These calls can be quite disconcerting and adept scammers can even fool your Caller ID through a technique called “spoofing” where the call appears to come from the real company with which you do business.  Now, in a bit of a throwback, reports are surfacing of scammers mailing out electricity bills that look quite legitimate demanding payment specifically be wired.  The ease by which counterfeit copies of bills can be made today, makes this type of scam easy to accomplish.

TIPS

No utility company or other company with which you do business will demand payment by wired funds.  Wired funds are a primary choice of scammers because they are easy and quick to accomplish as well as simple to hide.  If you ever receive a bill appearing from a company that changes the method of payment, you should contact the company by phone at a number that you know is correct to confirm the truth of the situation.

Scam of the day – January 4, 2015 – Every iCloud account in jeopardy of being hacked

January 4, 2015 Posted by Steven Weisman, Esq.

A hacker using the name Prox13 has made public a tool that he says enables anyone to hack into someone else’s iCloud account.  You may remember that it was not long ago that photos of nude celebrities such as Jennifer Lawrence and Kate Upton that had been stored on iCloud were hacked and released to the public.  In the wake of that scandal, Apple set up increased security options people could use to make their accounts more secure.  The tool, which is called iDict purports to exploit a vulnerability in Apple security and is able to bypass account lockout restrictions and secondary authentication security. Apple has not confirmed that its system is vulnerable or that this tool is able to exploit such a vulnerability that may exist, but numerous tweets on Twitter have indicated that indeed the tool does work.  If indeed this report is true, all users of iCloud have reason to be concerned.

TIPS

In response to previous hackings and attempts to hack iCloud, Apple has increased security to stop brute force attacks where the hacker uses a program that guesses large numbers of passwords until it gets the correct password.  Present iCloud security blocks these kind of attacks.  Apple also has a dual factor authentication security option by which a user’s account can only be accessed after he or she has received an authentication code on their smartphone each time a user accesses his or her account.  Had this security option been used by the hackers of the celebrities involved in the celebrity nude photo hacking, their security would not have been breached.  It is a good option for everyone.  However, if indeed iDict is as effective as it is claimed to be, even this security option would not protect you.

One way that people could make their iCloud account safer until Apple finds a cure for this problem is to change the email address attached to the account to one that they use exclusively for iCloud and do not make public because any hacker would need to know the intended victim’s email address in order to hack into his or her iCloud account.