Scam of the day – September 30, 2017 – Sonic suffers potentially massive data breach

Fast food chain Sonic, which has more than 3,500 locations in 44 states has acknowledged that it had a data breach in its credit card processing systems at an undisclosed number of its restaurants potentially affecting what appears to be at least 5 million credit and debit cards.  As is often the case in massive data breaches, such as this, the hackers are now selling the stolen credit card and debit card numbers along with the zip codes of the card holders on the Dark Web, which is that part of the Internet where criminals buy and sell things.  The website Joker’s Stash is selling five million credit and debit cards for prices of between $25 and $50 per card, depending on various factors including the level of the credit card and whether it is a debit or credit card.  The fact that zip codes are including in the information being sold makes the card more valuable to a criminal who may use the card for fraudulent purposes in the geographical area where the victim lives in order to avoid having the purchase look suspicious, such as in the situation where the card holder lives in New York City and a credit card purchase occurs in Singapore.

Like many credit card and debit card data breaches, this one was made possible due to the fact that Sonic stores affected do not yet use the more secure EMV chip credit card and instead still use the old style magnetic strip credit card.

TIPS

If you have used a credit or debit card at a Sonic restaurant during the last six months, you should carefully review all of your credit and debit card purchases for indications of fraudulent use and if you find such use, report it to your credit card company or, in the case of a debit card, to your bank.

Until businesses that take credit cards switch to the newer EMV chip cards, this story will continue to occur again and again. There is no law requiring companies to switch to the EMV chip cards.  The mandate of retailers to do so is only a trade group regulation.   As for us, as consumers, the best thing we can do is to refrain from using our debit cards for anything other than as an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  Frankly, even if you were not a Sonic customer you should regularly monitor your credit card statements for indications of fraudulent use.

Scam of the day – July 25, 2017 – Online courses for credit card criminals

Online courses are extremely popular in traditional educational settings.  I know this from personal experience as a college professor who teaches courses online in addition to my more conventional classes taught to students in the classroom.  Online courses are now even becoming popular among criminals and scammers.  The security company Digital Shadows is reporting about Russian criminals who are teaching an online course in how to make money through credit card fraud.  The course is a six week course consisting of twenty lectures of between one and two hours for each lecture.  Tuition is approximately $750 payable in Bitcoins or other electronic currencies.  In addition to tuition, the students are also required to pay an additional $200 in electronic currency for course materials.

The course is taught only in Russian and promises that it can teach aspiring criminals how to make as much as twelve thousand dollars per month. The course provides information about where to get stolen credit card information, how to use it to buy goods as well as how to sell the goods and launder the money.

TIPS

The course material is very instructive to all of us as consumers as to how we can more safely use our credit cards.  One important lesson is to use your EMV chip credit card whenever possible as well as to use cards with stronger authentication protocols when buying online.  The course is also a reminder that we should refrain from using our debit cards for retail purchases because the consumer protection laws involved with debit cards are not nearly as strong as those regarding credit cards.  Finally, in the section of the course dealing with laundering money, the course teaches students to hire people desiring to work at home to reship goods purchased through stolen credit cards as part of the money laundering process.  This serves as a strong warning to people to avoid becoming an accomplice to these crimes by getting involved with this type of employment.

 

Scam of the day – March 12, 2017 – Massive credit card identity theft fraud ring busted

Earlier this week law enforcement officials in Queens, New York arrested thirty people accused of operating a credit card identity theft fraud ring in which they are accused of using the fraudulent credit cards to purchase more than 3.5 million dollars of costly electronics and fashion merchandise that would then be sold and turned into cash.  The indictments name Muhammad Rana and Inderjeet Singh as the kingpins of the scam.

The  primary manner by which they are accused of accomplishing the fraud was through identity theft of personal information of their victims that was then used to set up new credit card accounts.  Particularly in the last year since the implementation of EMV chip credit cards, new account fraud, as indicated by research company Javelin in its 2016 Identity Fraud study, has increased 113% over the previous year.

In this case, the Queens District Attorney is alleging that the criminals obtained the personal information of their victims necessary to establish new accounts  such as their names, dates of birth, current and past addresses, Social Security numbers, bank account information and credit information from one of their co-conspirators who worked at a car dealership where he had access to this information provided by potential car buyers.

TIPS

You are only as secure as the places that have your personal information with the weakest security.  Whenever you provide personal information to any entity, you should inquire as to who has access to this information, how it is stored, how it is protected and the policy for deleting such information when it is no longer needed.

In addition, you should regularly monitor your credit reports to identify incidents of identity theft as early as possible.

Scam of the day – August 28, 2016 – Russian hacker convicted of massive credit card theft

Two years ago, I first told you about the arrest of Russian hacker Roman Seleznev who this week was convicted of hacking into small businesses accross the United States including many pizza parlors, stealing credit card information and selling it on the Dark Web to other cybercriminals.  He even had a website in which he instructed would-be cyberciminals about how to use the stolen credit cards.   Seleznev has been incarcerated while awaiting trial for two years and faces a sentence of up to forty years in prison.

TIPS

What does this conviction mean to you and me?  It is more of a reminder of how large the problem is.  Hacking into retailers at point of sale terminals in stores has become a relatively easy task to accomplish and not only is it easy to accomplish, it does not even have to be done at the store.  It can be done totally over the Internet by hackers anywhere in the world.   Although the EMV smart card chip technology mandated for retailers and credit card companies in October of 2015 prevents attacks such as those of Seleznev from being effective, many retailers have still chosen not to comply with the regulations which are trade group regulations and not a government mandate.  Therefore, the most prudent thing for you to do when shopping at a company that does not use your EMV chip card is to first, refrain from using your debit card for retail purchases so that your bank account is not at risk in a hacking attack  It is important to remember that the rules protecting you from liability for fraudulent use of a debit card are not as strong as those that protect you from liability for fraudulent use of your credit card  You also should monitor your credit card’s use regularly to discover any fraudulent use as early as possible.

This story is also a good example that the risk of data breaches is a risk to small businesses as well as large businesses.  Often small businesses are targeted by hackers as the low hanging fruit because they have not taken proper security steps.

Scam of the day – April 30, 2016 – Class action against P.F. Chang’s restaurant chain continues

In June of 2014 I first reported to you about a data breach at P.F. Chang’s China Bistro a major restaurant chain.  A large number of credit cards and debit cards used at P.F.Chang’s restaurants  between March 2014 and May 19, 2014 were compromised.   A class action was filed by John Lewert and Lucas Kosner in 2014 on behalf of themselves and other similarly situated victims of the data breach.  P.F.Chang was initially successful in having the lawsuit dismissed on the ground that Lewert and Kosner had not personally suffered any harm at this time due to the data breach.  However, recently, the Seventh Circuit Court of Appeals revived the lawsuit, ruling in favor of the plaintiffs and allowing the case to proceed because, the court determined, the plaintiffs and others whose data was stolen faced the “concrete” possibility of becoming a future victim of identity theft.

If you were a customer of P.F. Chang’s affected by the data breach, here is a link to the website of the law firms handling the class action to which you can go for more information.  http://www.siprut.com/ and http://www.litedepalma.com/

TIPS

So what does this mean to you?  As I have cautioned you many times, you should not use your debit card for anything other than an ATM card.  Using it for retail purchases potentially puts your entire bank account tied to the card in jeopardy.  By using a credit card, your liability is limited to no more than $50 for fraudulent charges and many companies do not even charge you anything for fraudulent charges.  Everyone should monitor their credit card statements carefully each month to make sure that no fraudulent charges appear and if they do, you should contact your credit card company to have those charges removed immediately and to get a new credit card.

Scam of the day – April 12, 2016 – Progress of switch to smart chip credit cards

Many of you may remember that the apparent deadline for credit card companies to issue new EMV chip credit cards to replace the old style magnetic strip credit cards and for merchants to install new card processing equipment to handle those transactions was October 1, 2015, yet here we are in April of 2016 and according to a recent study by CardHub only 33% of retailers have upgraded at least 90% of their payment terminals.  In addition 30% of American consumers still have not been issued an EMV chip card.  There are many reasons for this failure of both credit card companies and merchants to adhere to the new regulations pertaining to EMV cards, but most prominent is that the deadline date of October 1, 2015 was not a date by which credit card companies and merchants were required to create and use the EMV cards respectively, but rather a date, after which, the credit card companies and merchants failing to create and use the new EMV cards would merely have greater risk of liability in the event of credit card fraud.

EMV stands for Europay, MasterCard and Visa, the companies that created the credit cards with a computer chip that generate a unique, randomly generated token for each transaction thus making the kind of massive data breaches and credit card fraud that we saw in the Target data breach in 2013 all but impossible to achieve.  The rest of the world has been using EMV cards for many years, but the United States, until recently continued to use the old technology of credit cards with magnetic strips on the back that contained account information that was extremely vulnerable to theft through skimmers on processing equipment or data breaches at merchants.

TIPS

The EMV card is not a panacea by any means to protect us from credit card fraud.  The EMV card offers no protection from online credit card fraud where the chip is not used.  In addition, the EMV cards in the United States generally are tied to a signature for verification rather than the more secure use of a PIN which is what the rest of the world does to authenticate use of the card. However, the EMV card still represents a major step forward in the battle against credit card fraud in the United States.  If you do not have an EMV card yet, you should demand one from your credit card company.  You should also encourage the merchants with which you do business to switch over their processing equipment to the new EMV equipment.

Scam of the day – January 31, 2016 – Amazon customer service exploited by identity thief

Amazon customer, Eric Springer was understandably concerned when he got an email from Amazon customer service thanking him for contacting them because Springer had not contacted Amazon customer service.  Unfortunately, an identity thief posing as Springer contacted Amazon for an online chat and merely by providing Springer’s name, email address and verification through a street address of Springer that he had used with Amazon was able to convince the Amazon employee to provide Springer’s real home address and phone number.   The identity thief did not even have to log in to Springer’s account in order to access the customer service representative thereby negating the protections provided by Springer’s password.  The identity thief took the information provided by the customer service representative and was able to parlay it into more information which he then used to trick Springer’s bank into issuing the identity thief a new credit card in Springer’s name.  This is not an isolated incident and it happens at more places than just Amazon.  We all are potential victims of identity thieves who troll for personal information from wherever they can get it and then use that information to make us victims of identity theft.

TIPS

The less information that you share anywhere, the safer you will be.  This even means limiting the places, particularly social media, where you provide your phone number or home address.  If you can use different addresses for different accounts, it is a good thing to do.  Having multiple email accounts can also be a good idea.    Making your shipping address and home address different can also make it a little more difficult for an identity thief.  Finally, make sure that all of the places with which you have financial dealings, such as your bank, credit card company and even retailers, such as Amazon will notify you if unusual transactions occur or changes are made to your account in order to alert you as soon as possible when problems do occur.

Scam of the day – January 16, 2016 – Turkish hacker sentenced to 334 years in prison

While American judges struggle with finding proper sentences for cybercriminals, Turkish judges don’t appear to be having the doubts that American judges in some instances do.  In the United States, the federal Computer Fraud and Abuse Act (CFAA) provides for a maximum sentence of ten years for a first offender and 20 years for repeat offenders, however there are a number of factors that judges are required to consider that could reduce the length of the sentence.  Recently Deniss Calovskis, who was involved in a major computer attack had his sentence set at the mere 21 months he had already served prior to his trial.  Meanwhile in Turkey, Onur Kopcak, who had already been serving 199 sentence for computer crimes which he had been convicted of in 2013, was sentenced to an additional 135 years in prison for hacking the credit card information of 11 people and selling the information to other criminals.

TIPS

One of the reasons for the proliferation of cybercrimes has been that the sentences for major cybercriminals have not been sufficiently harsh to serve as a disincentive to criminals from committing these crimes.  Obviously this is not the case in Turkey.  Other reasons for the dramatic increase in scams and cybercrimes in recent years include the ease with which they can be accomplished from anywhere in the world and the difficulty in apprehending the criminals.  Meanwhile, when it comes to protecting yourself from scams, cybercrimes and identity theft, the best place to look for a helping hand is at the end of your own arm and one of the best ways to do this is by following the basic steps regularly provided here on Scamicide.

Scam of the day – November 24, 2015 – Woman pleads guilty to data breach at Michaels

Some of you may remember the 2011 data breach at Michaels, a national chain of craft stores in which 94,000 debit and credit card numbers were stolen along with the PINs for the debit cards.  Recently, Crystal Banuelos, the apparent mastermind of the scam, pleaded guilty to charges of conspiracy to commit bank fraud and aggravated identity theft.  Sentencing is scheduled for February 23, 2016 in the Federal District Court for New Jersey.  Unlike the notorious data breaches at Target and Home Depot, in this case, Banuelos and her co-conspirators physically went into 80 Michaels’ stores around the country posing as service technicians and swapped out legitimate card processing equipment for machines controlled by them that would capture the credit card and debit card information along with the PINs used with the debit cards and transmit that information electronically to Banuelos, who then used that information to create counterfeit debit cards which they used with the stolen PINs to steal $420,000 from their victims’ accounts through ATMs.

TIPS

While PINs are encrypted in a fashion that makes it all but impossible for hackers of legitimate card processing equipment to capture PINs, the use of their own equipment enabled Banuelos and her cohorts to harvest PINs as well as credit and debit card information.  However, the new EMV chip card processing devices will not be as easily manipulated to steal this information in the future.  Again the lesson for consumers is that you are only as safe as the places with which you do business that have the weakest security so it is important to regularly check your bank account and credit card accounts for evidence of any fraudulent use and report that use as soon as possible.  It is also important to refrain from using your debit card for retail purchases because if your information is compromised, your rights under consumer protection laws are not as strong as if your credit card information is compromised

Scam of the day – April 12, 2015 – Bank telephone scam

The rumor that the first words spoken on the telephone by Alexander Graham Bell were “Watson, come here, I want to see you, and, oh, yes, what is your credit card number” turns out not to be true, although it probably didn’t take long for the telephone to become a tool of choice for scammers and identity thieves.  The latest telephone scam that is popping up around the country begins when you receive a recorded call that purports to be from your bank informing you that your credit card or debit card been frozen.  In order to unlock your account, you are instructed to press “1” on your phone to unlock your account.  Once you press “1” you are instructed to enter your credit or debit card number.  If you do this, you will have succeeded in turning over your credit card or debit card to an identity thief.  Making this scam even more insidious is that in some instances, if you have Caller ID, it will indicate that the call is from your bank.  However, this automated call is never from your bank, it only appears to be so due to a technique called “spoofing.”

TIPS

It is easy to know when you receive a recorded call from your bank regarding your credit card or debit card if it is legitimate.  If you receive such a call, it is a scam because no bank will contact you in this fashion.  In addition, you should never provide your personal information over the phone to anyone whom you have not independently contacted in order to be sure that you are not providing that information to a scam artist or identity thief.  If you receive such a call and have any concern that it might be legitimate, merely call your bank at a number that you know is accurate to confirm that the call was a scam.