Scam of the day – May 27, 2017 – Target pays $18.5 Million to 47 states to settle security breach claims

Many people trace the era of major data breaches by hackers to the massive data breach at Target during the holiday shopping season of 2013. Credit card and debit card data on approximately 40 million Target customers was stolen as well as other information including email addresses of approximately 70 million Target customers.

Recently 47 states and the District of Columbia settled civil charges against Target related to the data breach with Target agreeing to pay 18.5 million dollars to each of these states and the District of Columbia. California will receive 1.4 million dollars which is the largest amount that any state will receive.  None of this money is to returned to consumers.

This settlement is very significant because it is part of an escalating trend of companies whose negligence leads to data breaches being held responsible for the harm caused to consumers.

Pursuant to the settlement, Target will implement a comprehensive security program which will include the use of whitelisting analytic software that helps prevent unauthorized malware programs from being downloaded, segmenting of credit card information from other parts of Target’s computer networks and increased use of encryption.

TIPS

This is a very positive step and, having reviewed in detail the security requirements that Target will be required to implement, I believe these provide a good guide for other companies to use to enhance their data security.

As for all of us as consumers, the best thing we can do is to refrain from using our debit cards from any use other than as an ATM card because the laws protecting us from unauthorized use of debit cards are not as strong as those protecting us from unauthorized use of credit cards.  In addition, whenever possible use your credit card as a chip card rather than as a magnetic strip card for increased security.

Scam of the day – July 5, 2015 – Trump hotel chain hacked

Donald Trump seems to be constantly in the news these days.  Whether it is for declaring his candidacy for President of the United States or for making inflammatory comments, Trump is omnipresent in the media.  However, the latest Trump news event is not one with which he must be pleased.  It has just been disclosed that the Trump Hotel Collection, which includes hotels in Chicago, Honolulu, Las Vegas, Los Angeles, Miami and New York has been hit with a Target-like credit card and debit card data breach that appears to have started at least as far back as February.  As with so many data breaches, it was discovered not by the company hacked but by credit and debit card processing banks that noticed a pattern of fraudulent use and traced the cards back to the Trump hotels.  This type of hacking and data breach is expected to happen again and again as companies still cling to the use of old fashioned credit and debit cards using magnetic strips rather than the more modern smart credit cards with computer chips that create a new one-time authorizing number each time the card is used.

Here is a link to a column I wrote for USA Today in September of 2014 in which I both described how these data breaches occurred and correctly predicted their continuing pattern. http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

TIPS

There is little that we as credit and debit card users can do to protect ourselves from the security vulnerabilities of the companies with which you do business.  One important thing to do is to refrain from using your debit cards except in ATMs.  Using your debit card at retail establishments puts you at much greater risk of expensive identity theft in the event of a data breach at the company with which you are doing business because of weaker consumer protection laws regarding liability for fraudulent use of your debit card.  Although the deadline for companies being required to install smart credit card readers is months away, you should ask your credit card company for a replacement credit card with a computer chip now.  Some stores, most notably Wall Mart are already using the safer smart chip cards.  Whenever you can use the smart credit card, it is important to do so.

Scam of the day – August 29, 2014 – J.P. Morgan and other banks hacked

The FBI is investigating an apparent hacking of banking giant J.P. Morgan and as many as four other banks by what initially appears to be sophisticated hackers from Eastern Europe.  Some are theorizing that the hacking was sponsored by the Russian government in retaliation for sanctions brought against Russia in the wake of its actions in relation to Ukraine.  Much sensitive data was compromised and stolen as a result of the hacking.  The initial investigation appears to be focusing on the exploitation of computer programs used by a J.P. Morgan employee to work from a remote location.  This type of exploitation of remote desktop software such as Microsoft’s Remote Desktop, Apple’s Remote Desktop, Chrome’s Remote Desktop, Splashtop, Pulseway and LogMein that enable the convenience of logging into a company’s computers from an off site location has proven to be a major security flaw that has been continually exploited in company after company for quite a while going back to Target’s hacking last year to the recent UPS hacking.  I have warned people about this flaw for sometime and the FBI has warned American businesses to watch for this.

TIPS

Banks are a frequent target of cyberattacks and American banks have generally done a good job in recent years in protecting data, however, as this latest hacking shows, more needs to be done, particularly in regard to the particular type of malware used in this attack which may be or be similar to the “Backoff” malware I have been warning about.  As for we as consumers, there is little we can do other than to carefully monitor all of our accounts, only use credit cards rather than debit cards for retail purchases and limit the amount of personal information you provide to any company or governmental agency with which you do business.  This will not be the last major hacking exploiting this flaw to occur.

Scam of the day – March 25, 2014 – California DMV data breach

As I write today’s Scam of the day, the California Department of Motor Vehicles still is denying that they have been a victim of a data breach although they have indicated that due to “an abundance of caution” they are initiating an investigation.  The problem is that they have been hacked and their investigation should be focused on finding where the hacking occurred.  As was the case with the hacking of Target’s computers and those of many other companies, the companies themselves rarely are the first to discover that their security has been breached.  What happened with Target and others is what happened here; banks monitoring fraudulent use of credit cards were able to discover a connection between thousands of fraudulently cards and the California Registry of Motor Vehicles.  It appears that these were credit and debit cards used in online transactions as the information stolen was for transactions where the card was not present.  Included in the compromised information were the card numbers, expiration date and the three or four digit security code printed on each card.

TIPS

Once again, I urge you all not to use your debit card for anything other than ATM transactions because not only are the consumer protections available to you if your card is fraudulently used less protective than those that you have when your credit card is fraudulently used, but even if you report the fraudulent use of your debit card immediately, there can be a delay in your being able to access your checking account while the bank investigates the incident.  Also, this case points out the extreme importance of constantly monitoring your credit card statements for improper transactions.  The sooner you report the breach, the more you are protected and the less you are inconvenienced.  This particular breach at the California Department of Motor Vehicles appears to have gone on from August 2, 2013 until January 31, 2014 which is a very long time for such a data breach to have gone on undetected.  Waiting for companies to notify you that a breach has occurred is not a good defense against fraud.

Scam of the day – December 26, 2013 – Debit card PINs may have been compromised in Target hacking

Although at the present time, Target continues to maintain that although 40 million debit and credit card numbers were stolen in the recent second largest retail hacking in American history, the all important PINs for the debit cards that were part of the hacking were not stolen, reports continue to indicate that PINs were indeed among the information taken by the hackers, but that the PINs were encrypted.  Target may be playing semantics with the public by saying that “no unencrypted PIN data was accessed” and that there presently there is no evidence that PINs have been compromised for the hacked debit cards.  It may well be that encrypted PINs among the data stolen.  If so, there should be real concern on the part of debit card holders whose information was compromised because sophisticated hackers have shown the ability to crack encryption of PINs in the past.

TIPS

As I have often advised in the past, retail purchases are much safer when done with a credit card than with a debit card.  If fraudulent charges are made to a person’s credit card, federal law limits the amount of liability to the card holder to no more than $50 and most banks don’t even hold the card holder responsible for any fraudulent charges, however with debit cards, the amount of liability that attaches to the debit card user if he or she does not notice the fraud within two days rises to $500 and if the fraud goes undiscovered for 60 days, there is absolutely no limit on the amount of liability of the debit card holder.  A hacked debit card holder risks losing his or her entire bank account.  And even if he or she does notice the fraudulent activity immediately, the bank account to which the debit card is tied is frozen while the bank investigates the fraud.  Don’t use a debit card for any other use other than as an ATM card.  If you have used your debit card at Target during the affected period of November 27th and December 15th, you should check the activity on your bank account to which the card is tied daily online to look for unauthorized activity and if you find any, report it immediately to your bank.

Scam of the day – December 11, 2012 – Skimmer update

There has been a resurgence of identity theft through the use of skimmers at gas stations in recent days.  Skimmers are small electronic devices that are easily installed by an identity thief on a self service gas pump where the customer inserts his or her credit card.  The skimmer steals all of the information from the credit card which then permits the identity thief to access that information to utilize the victim’s credit card account.  Each skimmer can hold information on as many as 2,400 credit cards.  Gasoline companies are becoming more aware of the problem and are installing replacement gas pumps with better security to prevent the installment of skimmers so it is thought that many identity thieves are installing the skimmers on the older gas pumps while they can.

TIPS

Always look for signs of tampering on any machine through which you swipe your credit card.  If the credit card mechanism appears loose or in any other way tampered, don’t use it.  Also, make sure you keep track of all your credit card bills and report any fraudulent charges immediately.   Customers may not be charged for any unauthorized charges that are more than fifty dollars.  However, debit card customers risk having the bank account tied to their card entirely emptied if they do not report a theft promptly.  For this reason, it is best to restrict the use of debit cards to use at ATM machines.

ATM Scams

Using an ATM is a very convenient way to access your bank account.  Unfortunately, it is also a very convenient way for scam artists to access your bank account as well, often with your assistance.

The primary way ATM’s are compromised is through the use of a small device called a “skimmer” which fits over the slot where you put your bank card.  The skimmer reads the information embedded in your card, which is half the battle to accessing your account.  Often criminals will install cameras by the ATM to read your PIN as you input it into the ATM.    These cameras may even appear to be the security cameras used your bank.  Other times they may even install a keyboard over the regular keyboard to capture your PIN.

TIP

Always check an ATM before using it to see if it appears to have been tampered with and when you input your PIN, shield the keyboard from any cameras or prying eyes.

What is a Credit Score / Credit Report?

Your credit report is one of the most important documents in your financial life.  The information in your credit report as maintained by the three major credit reporting agencies, Equifax, TransUnion and Experian is used to calculate your credit score.  This is used by financial institutions to evaluate your credit worthiness and can affect your ability to get a credit card, mortgage loan or a car loan.  It also can affect the rate that you will be charged on such loans.  Your credit score is also used in many states by companies in making employment hiring decisions.  When you are the victim of identity theft, the effect on your credit score can be devastating.  It is a complicated, frustrating and time consuming task to correct your credit report after you have been the victim of identity theft.

TIP

Make sure that your credit report and your credit score are accurate.  Get a free copy from each of the three major credit reporting agencies once a year by going to www.annualcreditreport.com.