Scam of the day – November 30, 2015 – Data breach at VTech Learning Lodge

Hong Kong company VTech Holdings Limited has announced that its Learning Lodge app store has been hacked.  The data breach may involve as many as 4.8 million accounts and include personal information on more than 200,000 children which brings a new level of concern about this particular data breach.  Learning Lodge is an app store for  high tech learning games and other educational toys for children.

The adult customer information compromised in the data breach includes names, email addresses, encrypted passwords, security questions and answers, IP addresses and mailing addresses.  Although the passwords were stolen in their encrypted form, VTech used older, less secure encryption algorithms, which can be readily cracked by sophisticated cybercriminals.  This means that the customers whose data was stolen are in particular danger if they, like so many people do, use the same password for multiple accounts.
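To make the point about legacy password storage concrete, here is an added example (not VTech's code or the article's) contrasting an unsalted fast hash with a salted, slow key derivation: identical passwords give identical unsalted hashes, so a one-time table of common passwords such as 123456 exposes them with no guessing against the live system at all, whereas PBKDF2 with a per-user random salt does not. The common-password list is constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of the common passwords the article warns about.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "iloveyou"]


def weak_store(password: str) -> str:
    """Unsalted MD5: the kind of fast legacy hash that is 'readily cracked'."""
    return hashlib.md5(password.encode()).hexdigest()


def lookup_weak(stored_hash: str) -> Optional[str]:
    """Defender's audit check: an unsalted hash of a common password matches a
    precomputed table built once, offline. Returns the password or None."""
    table = {weak_store(p): p for p in COMMON_PASSWORDS}
    return table.get(stored_hash)


def strong_store(password: str, iterations: int = 600_000) -> str:
    """Per-user 16-byte random salt plus slow PBKDF2-HMAC-SHA256.
    Encoded as 'pbkdf2_sha256$iterations$salt_hex$digest_hex'."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in
    constant time so timing does not leak how many bytes matched."""
    algo, iters, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    h = weak_store("123456")
    print("unsalted MD5 of a common password is recoverable:", lookup_weak(h))
    s1, s2 = strong_store("123456", 50_000), strong_store("123456", 50_000)
    print("same password, two different salted records:", s1 != s2)
    print("verification still works:", verify_strong("123456", s1))
```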

In addition, the potential for exploitation of the stolen children’s data brings a new wrinkle to this data breach.  Children’s names and birth dates could be tied to their parents through the stolen information, thereby establishing a new avenue for identity theft and fraud.  Spear phishing using this information, whereby emails carrying malware could be made to appear legitimate, poses a real threat to the victims of this data breach.

TIPS

Once again, people are becoming vulnerable to identity theft due to the lack of proper security measures by a company with which they do business.  However, the failure of people to protect themselves by using unique, distinct passwords for each of their accounts substantially contributes to their risk of identity theft.  The lesson is to remember that you should always have a distinct and unique password for each of your online accounts.  It should be a complex password so that it cannot be broken by simple brute force attacks that use millions of guessable combinations such as any word in the dictionary or such common passwords as 123456.  One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords” and turn it into the basis for a password by making it IDon’tLikePasswords.  This password is already complex in that it has words and a symbol.  Now add a couple of symbols at the end of the password so it may read IDon’tLikePasswords!!! and you have an easy to remember, but strong password.  Now you can just adapt it for each of your online accounts with a few letters to identify the account.  Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong, but easy to remember password.

Scam of the day – January 4, 2015 – Every iCloud account in jeopardy of being hacked

A hacker using the name Prox13 has made public a tool that he says enables anyone to hack into someone else’s iCloud account.  You may remember that it was not long ago that photos of nude celebrities such as Jennifer Lawrence and Kate Upton that had been stored on iCloud were hacked and released to the public.  In the wake of that scandal, Apple set up increased security options people could use to make their accounts more secure.  The tool, which is called iDict, purports to exploit a vulnerability in Apple security and is able to bypass account lockout restrictions and secondary authentication security.  Apple has not confirmed that its system is vulnerable or that this tool is able to exploit such a vulnerability if it exists, but numerous tweets have indicated that the tool does indeed work.  If this report is true, all users of iCloud have reason to be concerned.

TIPS

In response to previous hackings and attempts to hack iCloud, Apple has increased security to stop brute force attacks, where the hacker uses a program that guesses large numbers of passwords until it gets the correct password.  Present iCloud security blocks these kinds of attacks.  Apple also has a dual factor authentication security option by which a user’s account can only be accessed after he or she has received an authentication code on his or her smartphone at each login.  Had this security option been used by the celebrities involved in the celebrity nude photo hacking, their security would not have been breached.  It is a good option for everyone.  However, if indeed iDict is as effective as it is claimed to be, even this security option would not protect you.

One way that people could make their iCloud account safer until Apple fixes this problem is to change the email address attached to the account to one that they use exclusively for iCloud and do not make public, because any hacker would need to know the intended victim’s email address in order to hack into his or her iCloud account.


Scam of the day – September 2, 2014 – Beware of nude photos of Jennifer Lawrence, Kate Upton and others

News of stolen nude photos and videos of more than a hundred celebrities including Jennifer Lawrence, Kate Upton, Jenny McCarthy, Rihanna, Avril Lavigne, Hayden Panettiere, Hope Solo, Cat Deeley, Kaley Cuoco, Kim Kardashian, Scarlett Johansson and others is sweeping across the Internet.  Although a few of the named celebrities, such as Victoria Justice, have denied the accuracy of the photographs, many of the celebrities including Jennifer Lawrence and Kate Upton have confirmed that, much to their chagrin, the photos and videos are real.  Although the exact manner by which these photographs and videos were hacked and stolen is not known at the moment, it appears that they were taken from Apple’s iCloud.  The possibility exists that a vulnerability in Apple’s iCloud security is at the root of the problem, but another scenario is that the fault is with the individuals who took these photographs and videos of themselves.  Anyone who is able to get someone’s email address and password would find it easy to gain access to that person’s iCloud account and download the photographs and videos.  Obtaining an email address is a relatively easy task for any hacker, and passwords can be obtained either from other hacked devices or, as is often the case, by using the “forgot password” link on Apple’s iCloud, as with other accounts.  The answers to the security questions used to obtain the password through the “forgot password” function are generally easy to find for celebrities, whose personal information, such as where they went to high school or other details used in security questions, is easily found online.

The security flaw, however, may also have been with Apple.  A vulnerability in the Find My iPhone service may have permitted hackers to use a brute force attack, whereby they would flood the page with computer generated passwords until the correct password was guessed.  This vulnerability has now been patched, and brute force attacks will not be effective because repeated failures to enter the correct password will result in the user being locked out.
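As an added illustration of the lockout behaviour just described (this is not Apple's code), here is a sliding-window login guard: it counts failed attempts per account, rejects every attempt while the account is locked, even one with the correct password, and records each lockout so the security team can see the pattern. The thresholds and the injectable clock are assumptions for the example.

```python
import time
from collections import defaultdict, deque


class LoginGuard:
    """Lock an account after max_failures failed logins within window_s
    seconds, for lockout_s seconds. The clock is injectable for testing."""

    def __init__(self, max_failures=5, window_s=300, lockout_s=900,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.window_s = window_s
        self.lockout_s = lockout_s
        self.clock = clock
        self.failures = defaultdict(deque)  # account -> recent failure times
        self.locked_until = {}              # account -> lock expiry time
        self.events = []                    # (time, account, "lockout") audit trail

    def _purge_old(self, account, now):
        """Forget failures older than the window so slow legitimate typos
        do not accumulate forever."""
        q = self.failures[account]
        while q and now - q[0] > self.window_s:
            q.popleft()

    def attempt(self, account, password_ok):
        """Returns 'ok', 'failed' or 'locked'. While locked the credential is
        not evaluated at all, so guessing cannot continue during the lock.
        Trade-off: an attacker can lock a victim out on purpose, which is
        why lockouts are usually paired with two-factor authentication."""
        now = self.clock()
        if self.locked_until.get(account, 0) > now:
            return "locked"
        if password_ok:
            self.failures[account].clear()
            return "ok"
        self._purge_old(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) >= self.max_failures:
            self.locked_until[account] = now + self.lockout_s
            self.failures[account].clear()
            self.events.append((now, account, "lockout"))
            return "locked"
        return "failed"


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, window_s=60, lockout_s=600)
    results = [guard.attempt("demo", False) for _ in range(3)]
    results.append(guard.attempt("demo", True))  # correct password, still locked
    print(results, guard.events)
```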

So what does all of this mean to you?

This hacking presents two separate problems.  The first is that identity thieves will be taking advantage of the public’s interest in these photos and videos.  You will be receiving emails, text messages or social media postings with links that promise to bring you to these stolen photographs but instead download keystroke logging malware when you click on them.  Once this malware is installed on your computer, smartphone or other portable device, your personal information will be stolen and used to make you a victim of identity theft.

The second problem is the same problem faced by the celebrities whose accounts were hacked.  How do you keep your accounts secure?

TIPS

Don’t give in to the temptation to view these photos and videos online.  Ethically, it is the wrong thing to do.  However, it also is too risky an activity.  You cannot trust any email, text message or social media posting that promises access to these photos and videos.  Many of these will be laced with malware and you cannot know which ones to trust.  Trust me, you can’t trust anyone.  In addition, identity thieves will be setting up phony websites that promise to provide these photos and videos, but again will only end up installing malware on your computer when you click on links in these websites.  Identity thieves are often adept at search engine optimization, so a phony website might appear high in a search from your web browser.

As for securing your own account, you should use a unique password for each of your accounts so that if one of your accounts is hacked, your other accounts are not in jeopardy.  Make sure the password is a complex password that cannot be guessed through a brute force attack.  Check out my book “Identity Theft Alert” for advice as to how to pick a secure and easy to remember password.  Also, even if you are not a celebrity, you would be surprised how much information is online about you that can be used to come up with the answer to your security questions.  It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” for the question of what is your mother’s maiden name.  Also, take advantage of the two-factor identification protocols offered by Apple and many others.  With two-factor identification, your password is only the starting point for accessing your account.  After you have entered your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  Had Jennifer Lawrence and the other hacked celebrities used the two-factor identification protocol, they would still have their privacy.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be the case.  Smartphones save deleted photographs and videos on their cloud servers, such as the Google+ service for Android phones and iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.