Posts Tagged: ‘credit freeze’

Scam of the day – December 8, 2014 – Continuing saga of the Sony data breach

December 8, 2014 Posted by Steven Weisman, Esq.

By now, everyone is aware of the massive data breach at Sony Pictures Entertainment.  The extent of the attack was unprecedented.  The hackers disabled its internal computer systems as well as stole and then leaked five major movies including the recent Brad Pitt movie, “Fury” and the yet to be released new version of “Annie.”  In addition, and most damaging to those people affected, the hackers also accessed files with personal information of 47,000 Sony employees that included their Social Security numbers thereby placing those employees, including Sylvester Stallone and Judd Apatow in serious danger of identity theft.  One of the troubling aspects to this hacking is that much of the stolen material was easily accessed by opening an unprotected file directory entitled “Password” that contained thousands of Sony passwords to its internal computers, social media accounts and web services accounts.  The North Korean government has been considered by many to be behind this attack, which contains many similarities to similar attacks done by the North Korean government against South Korean businesses and government agencies.  The motive behind the attack has been thought to be in retaliation for the upcoming Sony movie “The Interview” starring James Franco and Seth Rogen which is a comedy involving a CIA plot to assassinate North Korean leader Kim Jon-Un.  Investigators are still trying to determine the actual source of the attack.


Despite Sony’s statements that it did everything in its power to prevent such an attack, such statements seem disingenuous, when you consider the unprotected “Password” computer file, the failure of Sony to limit Internet access to sensitive files and the lack of basic security measures that would have provided much protection against such an attack.  Hopefully, this hacking will serve as a much needed wake up call to companies to increase their security immediately.  As for individual victims of the hacking whose Social Security numbers have been compromised, they should immediately contact the three major credit reporting agencies, Equifax, TransUnion and Experian and place a credit freeze on their credit reports to limit access to their credit reports by identity thieves who may have their Social Security numbers.  You can go to the archives to see how to put a credit freeze on your account.  They should also carefully monitor all of their financial accounts much more often for the first signs of identity theft.

Scam of the day – November 11, 2014 – New study on effectiveness of phishing

November 11, 2014 Posted by Steven Weisman, Esq.

Phishing, as you probably know, is the term for the tactic used by scammers and identity thieves who pose as a legitimate company, government agency or some other person or entity you trust and lure you into providing personal information that can either be used to make you or someone you know a victim of identity theft.  Recently, Google and the University of California, San Diego completed a study that showed just how effective phishing is.  A common phishing technique is to send an email to someone with a link directing them to a phony, but legitimate appearing website.  Other times, the phony email itself contains a request for personal information.  Startlingly, the study showed that at teh most effective of these phishing websites up to 45% of people targeted provided the information requested.  Sometimes, the scammers are merely looking to take over your email account so that they can send targeted emails to people on your email list that appear to come from you and may be directed to your friends by name.  This type of phishing is called spear phishing.   Phishing is a tremendously effective scam technique and was at the core of the hacking of Target, Home Depot and many other companies and people.


Never click on links or download attachments unless you are absolutely sure that they are legitimate.  Even if they appear to be in an email or text message from a friend, you cannot trust the communication because your friend’s account may have been hijacked by an identity thief or scammer.  Never provide personal information on websites unless you have confirmed that it is legitimate.

If your email account is compromised here are the steps to take:

1. Change your password on your email account. If you use the same password for other accounts, you should change those as well.
2. Change your security question. I often suggest that people use a nonsensical security question because the information could not be guessed or gathered online. For instance, you may want the question to be “What is your favorite color?” with the answer being “seven.”
3. Report the hacking to your email provider.
4. Contact people on your email list and let them know you have been hacked and not to click on links in emails that may appear to come from you. You have already done this.
5. Scan your computer thoroughly with an up to date anti-virus and anti-malware program. This is important because the hacker may have tried to install a keystroke logging malware program that can steal all of the information from your computer.
6. Review the settings on your email, particularly make sure that your email is not being forwarded somewhere.
7. Get a free copy of your credit report. You can get your free credit reports from Some other sites promise free credit reports, but sign you up for other services that you probably don’t want or need.
8. Consider putting a credit freeze on your credit report. You can find information about credit freezes here on Scamicide.

Scam of the day – October 5, 2014 – More banks hacked by suspected hackers of J.P. Morgan Chase

October 4, 2014 Posted by Steven Weisman, Esq.

With news of the massive data breach at J.P. Morgan Chase in which names, addresses, phone numbers and email addresses of 76 million households and 7 million small businesses were stolen by what appears to be Russian hackers who may or may not be affiliated with the Russian government dominating the news, it seems perfectly appropriate to wish you a happy National Cybersecurity Awareness month.  As frightening as the spectre of a major American bank being vulnerable to vulnerable to such a massive data breach, you may remember that when the story broke last August of the possible data breach at J.P. Morgan Chase, reports were that there were as many as four other banks that had similarly been hacked.  Now, according to a report in the New York Times, that number is actually risen to nine other major financial institutions that may have suffered data breaches at the hands of the same hackers.  Therefore even if you are not a customer of J.P. Morgan Chase, you should be extra vigilant in regard to all of your financial accounts.


Now is the time to implement a eight step approach to protecting yourself from identity theft and data breaches.  The first step is to change your password regularly, such as every six months.  A good password has a mixture of capital letters, small letters, symbols and digits.  Don’t use any word in the dictionary because hackers have computer programs that can guess your password. Instead use a phrase, such as IHate2UsePasswords!!.  This is a very secure password.  You should also have a separate and distinct password for each of your accounts, but you can merely adapt this basic password by adding a couple of distinguishing letters for each account.  For example, you could make this your Amazon password by adding the letters “Am” at the end of your basic password so it reads IHate2UsePasswords!!Am.  This is easy to remember.

You should also use dual factor authentication on your accounts when available.  Dual factor identification provides you with an extra level of security by which more than a password is necessary to gain access to your account.  Generally, when you log in through your password to an account a code is then sent to your smartphone which you then must input in order to access your account.

You also should change the answer to your security question to something completely nonsensical.  Answering a security question is required if you forget your password or if you want to change your password.  Unfortunately the answers to common security questions, such as your mother’s maiden name can be found with a little effort by an identity thief in the many places on the Internet that store personal information.  So instead of the answer to your mother’s maiden name being “Jones,” change it to “Grapefruit.”  No identity thief will find it or guess it and it is silly enough for you to remember.

Don’t click on links or download attachments in any email, text message or social media posting unless you have absolutely confirmed that it is legitimate.  Identity thieves and hackers lure people into clicking on links in such communications that results in the victims downloading keystroke logging malware that can steal all of the information from your computer.

Don’t provide personal information over the phone to anyone whom you have not called.  You can never be sure if the person calling you is legitimate regardless of how compelling the reason he or she gives for you to provide personal information.  Don’t rely on your Caller ID because through a technique called “spoofing” an identity thief can make it appear that his or her call is from the IRS, your bank or some other legitimate entity.  If you think the call may be legitimate, hang up and call the company or agency at a number that you know is real, not the number the caller gives you.

Review all of your accounts regularly and carefully to note the smallest charge that should not be there.  Sometimes identity thieves will put regular reoccurring charges on your credit card or phone bill in the hope that you will not bother to look further into it because the charge is so small.  The earlier you catch identity theft, the easier it is to deal with.

Check your credit report from each of the three major credit reporting agencies every year for evidence of fraud or even mistakes that need to be corrected.  Here is the link to the only official place to get your free credit report

Put a credit freeze on your credit report so that even if an identity thief obtains your Social Security number, he or she cannot gain access to your credit report.  Yesterday’s Scam of the day contains the links to the credit reporting agencies to use to freeze your credit.

Scam of the day – October 4, 2014 – J.P. Morgan update and credit freeze information

October 4, 2014 Posted by Steven Weisman, Esq.

Last Thursday, in a required SEC filing,  J.P. Morgan Chase & Co. reported that the data breach, which we reported to you about when it was first discovered during the summer, was much larger than initially thought.  At the time, J.P. Morgan believed that only a million accounts were compromised, but now, J.P. Morgan is indicated that information on 76 million households and 7 million small businesses was stolen by hackers thought to be from Russia or another Eastern European country.  According to the SEC filing, J.P. Morgan says that the information stolen included names, addresses, phone numbers and email addresses.  At this time J.P. Morgan is saying that they are not aware of fraudulent activities tied to the data breach and that no account numbers, passwords, user IDs or Social Security numbers were stolen.  The data breach apparently began in June and went on until discovered in mid August, which is especially troubling because it provided time for the hackers to cover their tracks for what may have been their true goal.  The hackers did manage to gain access to the entire list of applications and programs used by J.P. Morgan Chase on its computers which could then be evaluated by the hackers for inevitable vulnerabilities that could be exploited at a later time.  Obviously J.P. Morgan is busy trying to protect against this threat.


For customers of J.P. Morgan Chase, now is not the time to run and hide nor take your money out of the bank.  In fact, at the time that the FBI began its initial investigation of this data breach during the summer, it indicated that it was looking into possible data breaches of as many as four other banks as well.  It may well be that we are not yet aware of the breaches that occurred and may still be going on in other banks.  You can expect either the hackers, people who the hackers sell the information they gathered and even totally independent identity thieves to start contacting people through emails, text messages and phone calls purporting to be from J.P. Morgan Chase.  In these contacts, they will attempt to lure unsuspecting victims into providing personal information under various guises or clicking on links to obtain what may appear to be important information.  However, if you provide that personal information all you will do is end up a victim of identity thief.  If you click on the links in emails or text messages appearing to be from J.P. Morgan you may well end up downloading keystroke logging malware that will steal all of the information from your computer that will be used to make you a victim of identity theft.  Trust me, you can’t trust anyone.  Even if your Caller ID appears to show that the call you receive is form J. P. Morgan Chase, scammers are able to make their calls appear to be from J.P. Morgan Chase through a tactic called spoofing.  The best course of action if you receive any purported communication from the bank is to not respond directly, but instead contact the bank independently on your own to find out what the truth is.

This also may be a good time to consider putting a credit freeze on your credit report so that even if someone manages to obtain your Social Security number and other personal information, they will be unable to access your credit report and run up large debt in your name.  A separate credit freeze needs to be established at each of the three major credit reporting agencies to be effective.  Here are the links to the pages at Experian, TransUnion and Equifax where you can put a credit freeze on your report and get some peace of mind.




Scam of the day – September 29, 2014 – Child identity theft

September 28, 2014 Posted by Steven Weisman, Esq.

Last week, Florida became the latest state to enact a law to help combat identity theft of children’s identities.  The new law has the clever acronym of KIDS, which stands for the Keeping ID Safe act.  Under this law, parents of minors are able to open a file with each of the major credit reporting agencies, Equifax, TransUnion, and Experian and then immediately freeze the accounts so that even if an identity thief managed to obtain the child’s Social Security number and other personal information, the identity thief would not be able to access the credit report for purposes of running up large debts using the credit of the child, who generally does not become aware that his or her identity has been stolen until he or she reaches older teen years when he or she might first apply for a car loan or financial aid for college.  Identity theft of children’s identities is a huge national problem.  According to a study by the Carnegie Mellon CyLab, children are more than 51 times more likely to become a victim of identity theft than adults.


If you live in one of the states that has a law such as Florida’s, take advantage of the law, set up a credit report for your children and immediately freeze the account. And while you are at it, you should also freeze your own credit reports as your best precaution against identity theft.  If your state does not have such a law, let your state legislators know that you want them to pass such a law.  I am proposing such a law in my own home state.  As much as possible try to limit the places that have your child’s Social Security number and become familiar with the Family Educational Rights Privacy Act which helps you protect the privacy of your child’s school records and lets you opt out of information sharing by the school with third parties.  Finally, the security company AllClear ID ( provides a free service called ChildScan which not only searches credit records tied to your child’s Social Security number, but also checks employment records, criminal records and medical records to recognize at an early stage if your child has become a victim of identity theft.

Scam of the day – September 7, 2014 – hacked

September 6, 2014 Posted by Steven Weisman, Esq.

The health care industry in general is responsible for more data breaches than any other sector.  The lack of security throughout the health care industry including hospitals and other providers of health care is a huge problem that is only going to get worse as the computers of health care providers continue to be targeted and the personal data that they contain becomes harvested by hacking identity thieves.  From its inception security issues at, the website of the federal government’s health insurance marketplace created pursuant to the Affordable Care Act, commonly referred to as Obamacare have been a source of concern of mine and many other experts in cybersecurity.  Recently, it was disclosed that was indeed hacked although, according to government spokesmen no personal information of consumers in the 36 states that use was compromised.  However, this is of little consolation to the many people who use

When was first launched last October, there were major security concerns about the website and the website was activated even before it met federal standards for security.  Everyone remembers the difficulties that were encountered in the initial use of, however, until now, the federal government had not reported any data breaches although Aaron Albright, a spokesman at the Centers of Medicare and Medicaid Services which operates admits that there are numerous security weaknesses within the system which could lead to hacking that could result in data breaches including weaknesses with the servers including the continued use of manufacturer’s default passwords which could be easily exploited.  In addition, servers have not been subject to regular security scans.


Unfortunately, it is probably only a matter of time before is hacked by identity thieves who will steal personal information stored there.  If you have done business with, you should regularly monitor all of your financial accounts and you may wish to put a credit freeze on your credit report to prevent someone with access to your personal information from using your credit to make large purchases in your name.  You can find instructions as to how to put a credit freeze on your credit reports on the right hand side of this page.

Scam of the day – August 21, 2014 – Community Health Systems data breach update

August 20, 2014 Posted by Steven Weisman, Esq.

A couple of days ago I told you about the massive data breach at Community Health Systems a hospital chain with hospitals in 29 states.  This data breach, which was done by Chinese hackers resulted in personal data on 4.5 million patients of Community Health Systems being stolen.  The data included names, addresses, birth dates and Social Security numbers which puts the affected individuals in serious jeopardy of identity theft.  Community Health Systems is in the process of notifying the affected individuals and offering credit monitoring services.  Now however, Trusted Sec LLC, a security company is indicating that the hacking of Community Health Systems was accomplished by the first known exploitation of the Heartbleed security flaw.  Heartbleed is the name of the security flaw in the Open SSL encryption security technology discovered last April that is used by up to 2/3 of websites on the Internet.  Although the Heartbleed flaw was promptly patched, there was a period during which the users of this technology were left vulnerable and it appears that during this period was when the Chinese hackers managed to steal data from Community Health Systems.  It is not unusual for hackings and data breaches to remain undiscovered for significant periods of time.  This data breach may be the first major data breach connected to Community Health Systems, but it is most likely not going to be the last.


It has been said that the price of liberty is eternal vigilance and that is also important in maintaining your own personal security.  People who did not change their passwords following the Heartbleed security flaw first being uncovered should take this as a wake up call to do so now.  You should also consider putting a credit freeze on your credit report.  You can find instructions as to how to do this in the “credit freeze” link on the right hand side of this page.  This will protect your credit from being accessed by someone who may otherwise have enough personal information of yours to access your credit report in an effort to use your credit.  Finally, you should monitor all of your financial accounts regularly for indications of fraudulent use.  Remember, you are only as safe as the places that hold your personal information and some of them have poor security.

Scam of the day – August 17, 2014 – Data breach at Supervalu stores

August 16, 2014 Posted by Steven Weisman, Esq.

The Supermarket chain Supervalu Inc. has disclosed that it has joined the growing list of major companies suffering a major data breach.  Although the breach apparently occurred between June 22nd and July 17th, it was only disclosed a few days ago.  Supervalu operates stores under a number of different names including Cub Foods, Hornbacher’s, Shop ‘n Save, Shoppers Food & Pharmacy and Farm Fresh.  In addition, the data breach also apparently affected stores that it sold in 2013, but still supplied the information technology services that were the Achilles heel in this data breaches.  Those stores go under the names Albertsons Acme (not necessarily the same one used by Wylie Coyote) Jewel-Osco, Shaw’s and Star Market.  All in all the data breach may have reached as many as 1,000 stores.  It has been confirmed that the breach which, as in the case of the Target data breach occurred at the point of sale card registers included account numbers, expiration dates and cardholder names.


Supervalu has set up a call center for consumers to call for further information.  The number is 855-731-6018.  Additional information may also be obtained by going to Supervalu’s website, and go to the Consumer Security Advisory section where information can be obtained about complimentary consumer identify protection services.  Consumers who may have shopped at any of the affected stores should carefully monitor their credit card account for fraudulent use and if you used a debit card, you should strictly monitor your bank account for evidence of fraud.  Establishing a credit freeze at each of the three major credit reporting bureaus is also a good idea.  You can get information as to how to put a credit freeze on your credit report by going to the Credit Freeze section of Scamicide as listed on the right hand side of this page.  Finally, this should again be a lesson to consumers to not use debit cards for retail transactions.  The risk is too great.

Scam of the day – July 19, 2014 – Houston Astros hacked

July 19, 2014 Posted by Steven Weisman, Esq.

No company is safe from the danger of hacking including, as we recently learned Major League Baseball teams.  The Houston Astros were recently embarrassed to announce that their computers had been hacked by unknown hackers who released information about trade discussions involving the Astros and a number of other Major League Baseball teams including the Miami Marlins with which a trade for All-Star outfielder Giancarlo Stanton was discussed.  The hacking did not appear to be for any reason other than to expose and embarrass the management of the Astros, however that is of little consolation to employees of the Astros whose personal information can also be found in the Astros’ computers and which, if released could lead to identity theft.


This is just another example that no entity including governmental agencies as well as private companies is safe from the danger of hacking.   A recent report by the State of New York indicated that in New York alone there were more than 900 data breaches that exposes personal and financial records of 7.3 million New Yorkers thus making them victims and potential victims of identity theft.  It is important to remember that you are only as safe as the place with the weakest security that holds your personal information so whenever possible do not provide your personal information, such as your Social Security number to everyone who asks for it.  Health care providers do not need your Social Security number although most request it.  Often the only reason that they want it is to make it easier to collect an unpaid bill from you.  The health care industry in general has done a poor job of protecting personal data from hackers.  The place to find a helping hand in protecting your data is at the end of your own arm.  Limit the places that have your personal information as best you can.  When companies request your Social Security number, offer them another identifier for example.  I recently did this with my eye doctor and the doctor agreed.  You may also want to place a credit freeze on your credit report so that even if your Social Security number and other personal information is stolen, the identity thief will not be able to access your credit report.  You can find information as to how to put a credit freeze on your credit report in the credit freeze section on the right hand side of this page.

Scam of the day – July 14, 2014 – Chinese hackers steal information from Federal Office of Personnel Management

July 14, 2014 Posted by Steven Weisman, Esq.

Hacking of American companies by Chinese hackers is not particularly startling as it is going on all of the time, however the federal government is now admitting that back in March Chinese hackers were able to hack into the data bases of the Office of Personnel Management and gain access to personal information on thousands of government workers.  What is particularly troublesome is that the Office of Personnel Management manages a program called e-QIP where federal employees who are seeking security clearances must provide much personal information including personal financial data.  It is not known what the purpose of the hacking was and whether or not it was government sanctioned or not.  What is known is that, just as the hacking into the computers of the United States Department of Energy last week, showed, government databases are just as vulnerable as those of private companies.


So what does this mean to you?

First and foremost if you are someone whose information was maintained by the Office of Personnel Management you should be on heightened alert for identity theft.  You should check your credit report with each of the three major credit reporting agencies, Equifax, TransUnion and Experian.  You also would be wise to put a credit freeze on your credit reports at each of the three major credit bureaus to prevent someone with personal information about you from gaining access to your credit report and utilizing your credit.  You can find a detailed explanation of credit freezes along with instructions for getting one in the right hand column of the first page of Scamicide.  As for the rest of us, this is yet another lesson that you are only as safe from identity theft as the places with the weakest security that hold personal information about you.  Whenever possible limit the amount of personal information held by companies and governmental agencies with which you do business.  Also, do not leave your credit card number on file with any retailer with which you do business regularly.  It may be convenient to do so, but it increases your risk of identity theft if the company is hacked and your data is compromised.