Scam of the day – April 12, 2014 – Heartbleed password reset scams

By now everyone is aware of the Heartbleed security flaw in the Open SSL security technology that has been used by two-thirds of the world’s websites to encrypt communications between computer users and these websites.  Until recently we were under the impression that our passwords, as well as all information communicated using this technology, including credit card numbers when buying something on these websites, were secure and protected; we now learn that this flaw, which has existed for two years, permits a hacker to gain access to all of this information and use it to make us victims of identity theft.  Experts, including myself, are advising people to change their passwords, although it cannot be emphasized enough that you should not change your passwords until the websites have implemented the security measures necessary to patch this problem.  Fortunately, the software necessary to do just that is available.  However, you should confirm with every website where you have done business and use a password that the website has indeed updated its security before you change your password, because otherwise you may merely be turning your new password over to an identity thief.

A new scam, however, has arisen from the Heartbleed affair: identity thieves are sending emails to people posing as legitimate websites, such as Amazon, in which the identity thief, posing as the legitimate company, tells you that you need to change your password and provides a link in the email for you to do so.  The emails look legitimate, but they are phony.  If you click on the links, two things can happen, and they both are bad.  You will either be prompted to provide personal information that will be used to make you a victim of identity theft, or, merely by clicking on the link, you will download keystroke logging malware that will steal information from your computer and make you a victim of identity theft.

TIPS

As I constantly advise you, never click on links in emails unless you are absolutely sure that they are legitimate.  In this case, you may get a legitimate email from a company with which you do business prompting you to change your password and to initiate the process by clicking on a link.  However, you have absolutely no way of knowing whether the email is legitimate or a phishing scam.  The best thing to do in this situation is to ignore the email and instead go directly to the website of the particular company, at an address you know is correct, and change your password there.  In this way, you can be sure that you are not providing information to an identity thief.  When Target sent emails to customers with a link to access credit monitoring after its major data breach last year, you could not be sure whether the email was from Target or not.  Savvy computer users just went directly to the Target website, where they could access the free credit monitoring without the risk of providing information to an identity thief.
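The two entries above describe the same lure: a password-reset email that looks like it comes from a company such as Amazon but whose link goes somewhere else. The following is an added example (not code from the original post) of the check a mail filter or a careful recipient can apply: parse the message's HTML, collect every link, and flag any whose real destination is not a domain the claimed sender owns, or whose visible text shows one URL while the href points at another. The allow-list, sender address and sample email are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: a defender-maintained allow-list of domains each claimed
# sender legitimately links to (constructed for illustration).
LEGIT_DOMAINS = {"amazon.com": {"amazon.com"}}


def registrable(host):
    """Collapse a hostname to its last two labels (adequate for .com)."""
    parts = (host or "").lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in the HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def suspicious_links(sender, html):
    """Return (href, text) pairs whose destination domain is not one the
    claimed sender owns, or whose visible text shows a different URL."""
    claimed = registrable(sender.rsplit("@", 1)[-1])
    allowed = LEGIT_DOMAINS.get(claimed, {claimed})
    parser = LinkCollector()
    parser.feed(html)
    flagged = []
    for href, text in parser.links:
        dest = registrable(urlparse(href).hostname)
        shown = registrable(urlparse(text).hostname) if "://" in text else None
        if dest not in allowed or (shown is not None and shown != dest):
            flagged.append((href, text))
    return flagged


# Constructed sample: a Heartbleed-themed reset lure posing as Amazon.
SAMPLE_EMAIL = """<p>Due to the Heartbleed bug you must reset your password now.</p>
<a href="http://amazon-account-reset.example.net/login">https://www.amazon.com/reset</a>
<a href="https://www.amazon.com/help">Help</a>"""
```

Running `suspicious_links("security@amazon.com", SAMPLE_EMAIL)` flags only the first link, because its displayed text claims amazon.com while the href goes to an unrelated domain.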

Scam of the day – April 10, 2014 – Serious security danger on the Internet of Heartbleed

The term “Heartbleed” sounds serious, and it is.  Heartbleed is the name of the recently discovered security flaw in the Open SSL encryption security technology that is used by up to 2/3 of websites on the Internet.  An indication that the website you are communicating with uses Open SSL is the presence of the tiny padlock icon next to the website address.  Another indication that Open SSL is in use is the letter “s” appearing after the initial “http” at the beginning of a website address.  The padlock and the “s” indicated to people communicating with websites that their communications were encrypted and safe from hackers.  Now we have discovered that this encryption technology had been cracked by attackers as long as two years ago.  This means that your communications online with your bank and retailers may have been compromised.  Many websites that have used the Open SSL encryption technology, including Amazon and Facebook, have fixed the problem or are working on it.  There are patches available.

TIPS

The first thing that you should do is to change your passwords at websites you have used that utilized the Open SSL encryption, because your password may be in the possession of hackers.  However, do not change your password until you have confirmed with the website that it has patched the security flaw.  Heartbleed is a good reminder to us all that we should change our passwords on a regular basis, as well as have different passwords for every website where we use a password, so that if one gets hacked, identity thieves would not have the passwords for all of our other accounts.  It doesn’t have to be a difficult task, as just adding or changing a letter or two can do the trick if you have a good, complex password with both capital and small letters as well as numbers and symbols.  Also, again as we all should be doing, monitor all of your accounts regularly for evidence of fraudulent use.

Here is a helpful link you can go to in order to check whether the websites you use were among those affected by Heartbleed.  One word of caution: its creator does not guarantee that it is 100% accurate: http://filippo.io/Heartbleed/

For people who have websites that use Open SSL, here is a link to the notice from the Department of Homeland Security with the links to rectify the situation: https://www.us-cert.gov/ncas/alerts/TA14-098A