Scam of the day – October 19, 2017 – Congress forces IRS to suspend multi-million dollar Equifax contract

In the Scam of the Day for October 8th, I reported to you about the recent announcement that Equifax, the company responsible through its own negligence for 145 million Americans becoming in serious danger of identity theft for the rest of their lives, was awarded a 7.25 million dollar contract to provide security and fraud detection services to the IRS.  Making the problem even worse was the fact that the contract was a no-bid contract.

Now under pressure from numerous members of Congress the IRS has temporarily suspended the contract while the IRS investigates Equifax’s systems and security.  The suspension of the contract means that taxpayers wishing to set up accounts with the IRS through its Secure Access program which enables taxpayers to access certain online services will be unable to do so.  Taxpayers who already had set up accounts with the IRS to use the Secure Access program, however,  will still be able to use their accounts.

 

TIPS

Relying on the IRS to protect the security of our data is somewhat problematic because the IRS itself has had a number of instances where its security practices have been lacking.  When it comes to protecting ourselves from identity theft there are numerous simple steps we should all take in order to protect ourselves.  I provide them in great detail in my book “Identity Theft Alert.”  However, here are a few of the things we all should do:  Freeze your credit, monitor your credit reports and all of your accounts, use complex passwords, use nonsensical security questions, use dual factor authentication, use security software on all of your devices and keep the software updated with the latest security patches,  never click on links or download attachments unless you have verified that they are legitimate and limit the places you provide your Social Security number as much as possible.  Your doctor, for instance,  may ask for it, but he or she doesn’t need it.

April 22, 2017 – Steve Weisman’s latest column for USA Today

We all know that identity theft is a huge problem, but do identity theft protection services really help protect you?  That was the subject of a recent GAO study as well as my column from today’s edition of USA Today.

https://www.usatoday.com/story/money/columnist/2017/04/22/identity-theft-protection-worth/100554362/

Scam of the day – April 10, 2016 – Sony hacking settlement approved by judge

Last November I reported to you about the tentative settlement of the lawsuit brought by former Sony Pictures Entertainment employees against the company that related to the massive 2014 data breach at Sony in which sensitive personal information including Social Security numbers and health data on thousands of present and former employees was stolen.  The plaintiffs alleged that Sony was negligent in failing to protect their personal information.  I first reported to you about this lawsuit, Corona et al v. Sony Pictures Entertainment in my Scam of the day for March 13, 2015. Now Judge Gary Kausner has given final approval to the settlement.  Under the terms of the settlement, Sony will provide payments of up to $10,000 to  individual employees who suffered identity theft related financial losses related to the data breach up to a total of 2.5 million dollars for all claimants.  An additional 2 million dollars will be set aside to provide up to $1,000 to reimburse affected employees for the cost of their identity theft protection services.  Sony will also provide credit monitoring services through AllClear through December 31, 2017.    To date 18,000 people have signed up for the free credit monitoring services.

The hacking of Sony should be a wake-up call to all companies.  Despite Sony’s assertions that this was an unprecedented attack and that Sony had taken proper data security precautions, the facts do not support those assertions.  The list of Sony’s failings are many.  Data banks were not properly segregated.  The company was particularly susceptible to phishing attacks.  It retained personal information long after it was necessary and it kept an unencrypted file entitled “Passwords” with a compendium of passwords providing ready access to the hackers to sensitive information.  These are just a few of Sony’s failings, however, many of these failings are shared by many companies that hold personal information of all of us.

TIPS

There is little that we as consumers and employees of companies that hold our personal information can do to protect ourselves from data breaches other than to inquire of these companies as to what steps they take to protect the personal information that they hold and to refrain from doing business with companies that do not provide a satisfactory answer.  Additionally, we should try to limit as much as possible the personal information that we provide to such companies.  For instance, your medical care providers do not need your Social Security number although most medical care providers routinely ask for it.  The Sony lawsuit was the first of a wave of lawsuits against companies such as Sony and Ashley Madison that have suffered data breaches that many believe could have been prevented with better security.  Perhaps being held financially responsible for their lax security will serve as an incentive for companies to do a better job of protecting our information.

Scam of the day – November 21, 2015 – Starwood hotels discloses major data breach

Starwood hotels announced today that it has joined a long line of hotels that have suffered a significant data breach involving credit cards and debit cards.  Just in the last year, major data breaches have occurred at The Trump Hotel Collection, Hilton Hotels and the Mandarin Oriental.  The hacking involves fifty-four of its hotels including its Sheraton, Westin and W brands.  According to Starwood, the data breach resulted in the theft of credit and debit card information including card numbers, the names of the card holders, security codes and expiration dates of the affected cards.  The malware used to gather the data, consistent with some of the more recent hotel data breaches, was found in the payment systems at the hotels’ restaurants, gift shops, bars and other retail shops within the various hotels, but not at the front desk card processors.   The hacking started in November of 2014.   This type of data breach is something about which I wrote a column for USA Today a year ago in which I explained the pattern of these data breaches and why they occur.  Here is a link to that column, entitled “Coming Soon:  Another Major Retailer Hacked.”  http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/

Here is a link to the explanation by Starwood of the data breach.  http://www.starwoodhotels.com/html/HTML_Blocks/Corporate/Confidential/Letter.htm?EM=VTY_CORP_PAYMENTCARDSECURITYNOTICE

Here is a link to a list of the affected hotels so that you can determine if you stayed at one of the affected hotels since November of 2014. http://www.starwoodhotels.com/Media/PDF/Corporate/Hotel_List.pdf

As is so often the case in these types of data breaches, Starwood is offering a year of free credit monitoring to those affected by the data breach although it is certainly late to be counting on this to provide significant assistance.  Here is a link to information as to how to apply for the free credit monitoring.  http://www.starwoodhotels.com/Media/PDF/Corporate/Reference_Guide.pdf

The problem continues to be one of weak cybersecurity of many companies coupled with these companies still using credit card and debit card processors for cards with magnetic strips rather than the safer smart EMV chip cards.  Regulations effective October 1st mandate credit card issuers and retailers to switch over to the new smart EMV chip cards or risk increased legal liability, but unfortunately, many companies have not switched over and are not expected to do so for some time.  If smart EMV chip cards had been used at the Starwood hotels, the information stolen in such a hacking would have been worthless, but since they still used the old fashioned magnetic strip cards, Starwood and its customers face financial problems from this data breach.  Target, which learned its lesson the hard way has already switched to the new EMV chip cards as has WalMart.

TIPS

Until credit card issuing companies and brick and mortar stores and businesses that take credit cards switch to the new smart EMV chip cards, this story will, as I predicted a year ago, continue to occur again and again.  As for we, as consumers, the best we can do is to refrain from using our debit cards for anything other than an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  In addition, if you do not already have a new smart EMV chip card, you should demand one from your credit card company.  They are easy to use and they will provide you with much greater security.  If you used a credit card or debit card at any of the above-mentioned Starwood properties since November of 2014 you should carefully monitor your credit card account and bank account for any indication of a problem.

Scam of the day – October 4, 2015 – Scottrade hacked in massive data breach

For the third day in a row our Scam of the day involves a major data breach, which is somewhat ironic since October is National Cyber Security Awareness Month.  Certainly the millions of people affected by the data breaches involving T-Mobile, Experian, Trump Hotels and now Scottrade have become more aware of cybersecurity than perhaps they wished to be.  Discount brokerage firm Scottrade just announced that it was the victim of a massive data breach that occurred between late 2013 and early 2014.  Like so many corporate data breaches, the company itself never discovered the hacking.  Rather, in this case it was the FBI that discovered the data breach in August of 2015.  Approximately 4.6 million customers of Scottrade were and are affected by the data breach. Although we are being told by Scottrade that the data lost was limited to names and addresses, it is still a bit too soon to be truly comfortable that the data breach was indeed limited to this information.  The company waited until now to announce the data breach at the request of the FBI so as not to jeopardize their investigation.  Affected customers are now being contacted by Scottrade.  As is so often the case, Scottrade is offering a year of free credit monitoring to affected customers although since the hacking took place so long ago, this may be a bit late for this type of response to be considered timely.  Here is a link to Scottrade’s webpage containing information about the data breach, which also contains information about how to apply for the free credit monitoring if you were affected by the data breach.  https://about.scottrade.com/updates/cybersecurity.html

TIPS

If you were affected by the data breach and wish to sign up for the free credit monitoring service, you should call AllClearID at 855-229-0083 between 8:00 a.m. and 8:00 p.m. Central Time Monday through Saturday.  However, as I have said many times before, credit monitoring does not protect you from identity theft, it only lets you know sooner that you are a victim.  It is similar to if you were crossing the street and got hit by a truck and someone came over to you lying in the street to tell you that you just got hit by a truck.  A better step to consider is to put a credit freeze on your credit report which is possibly the best thing you can do to help protect yourself from identity theft.  You can find information about credit freezes and how to put one on your credit reports at each of the three major credit reporting agencies by going to the Scamicide archives and typing in “credit freeze.”

If you became a customer of Scottrade after February of 2014, your information was not compromised.

Although Scottrade will be notifying affected customers, so will scammers with emails in which they pose as Scottrade and attempt to lure you into clicking on links or providing information that will put you in danger of identity theft.  Trust me, you can’t trust anyone.   Never click on a link unless you are absolutely sure that it is legitimate.  In the case of Scottrade customers, you are better off calling them directly rather than clicking on a link or providing information in response to an email or text message.

Scam of the day – October 3, 2015 – 15 million T-Mobile customers in danger of identity theft

T-Mobile has announced that personal information on 15 million of its customers has been stolen as a result of a data breach that occurred between September 1, 2013 and September 16, 2015.  The stolen information includes names, birth dates and Social Security numbers.  This type of information can readily be used by a criminal to steal the identities of the people whose personal information was compromised.  Because identity theft can be a devastating crime, this is a major problem if you were a customer of T-Mobile during that time.  It is important to note that it was not T-Mobile’s computers that were hacked.  Rather it was a server used by the credit reporting agency Experian that was hacked to steal this customer information.  T-Mobile used the services of Experian to run credit checks on people applying for T-Mobile services or devices.  A number of questions are brought up by this hacking including why Experian continued to store this personal information long after the determination of creditworthiness had been done.  Also, there are questions about the encryption program Experian used to protect its data because the encryption proved ineffective.

TIPS

T-Mobile is offering free credit monitoring services through ProtectMyID to affected customers for two years.  However, it should always be noted that credit monitoring does not help prevent identity theft, but merely helps you learn sooner when you do become a victim of identity theft.  Somewhat ironically, it should also be noted that ProtectMyID is owned and operated by Experian, the same company responsible for the data breach.  For more information about obtaining the free credit monitoring services if you have were affected by this data breach, click on this link which provides instructions from T-Mobile about signing up for the service. http://www.t-mobile.com/landing/experian-data-breach

Meanwhile, everyone should consider putting a credit freeze on their credit reports to actually help prevent identity theft.   With a credit freeze in place, an identity theft who has your personal information including your Social Security number will be prevented from accessing your credit report to obtain credit or make purchases in your name.   For more information about credit freezes, go to the archives of Scamicide.com and type in “credit freeze.”

Scam of the day – February 19, 2015 – Anthem data breach update

As I reported to you right after it happened earlier this month, Anthem, a major care health care company suffered a data breach that could affect as many as 80 million Americans.  The data stolen included birth dates, Social Security numbers and other information putting the affected victims in extreme danger of identity theft.  Anthem is now offering free identity theft repair and credit monitoring services to current or former members of affected Anthem plans going back to 2004.  This includes customers of Anthem, Inc. companies Amerigroup, Anthem and Empire Blue Cross Blue Shield companies, Caremore and Unicare.  It also includes customers of affiliated Blue Cross and Blue Shield companies who used their Blue Cross Blue Shield insurance in any of the states where Anthem, Inc. does business.  Those state are California, Colorado, Connecticut, Georgia, Indiana, Kentucky, Maine, Missouri, Nevada, New Hampshire, New York, Ohio, Virginia and Wisconsin.

TIPS

Anthem has contracted with AllClear ID to provide two years of identity theft repair and credit monitoring services to affected customers.  Identity repair assistance is available without enrollment by merely calling AllClear ID at 877-263-7995.  Additionally, affected customers may enroll at no charge in the AllClear PRO credit monitoring service during this two year period.  You can enroll either by phone at 877-263-7995 or online at https://anthem.allclearid.com/

Additionally although neither Anthem nor AllClear ID provides this service, if you were a victim of this data breach, it would be advisable to put a credit freeze on your credit reports at each of the three major credit reporting agencies, Equifax, Transunion and Experian.  You can find more information about credit freezes and how to put them on your credit reports at no charge by going to the Scamicide archives.

Scam of the day – September 30, 2014 – U.S. Bancorp fined and ordered to pay customers millions

Headlines last week trumpeted the fining by the Consumer Financial Protection Bureau of U.S. Bancorp 9 million dollars.  U.S. Bancorp was also ordered to return 48 million dollars to customers for illegal billing practices regarding its identity theft products.  The Consumer Financial Protection Bureau (CFPB) alleged that U.S. Bancorp charged its customers for credit monitoring services, but that the customers often did not receive the services promised and paid for.  Before you start judging U.S. Bancorp too harshly, however, it is important to note that the credit monitoring program of the bank was provided by a third party contractor, Affinion Group, which had previously run into similar problems with Capital One and Bank of America.  According to Affinion, this problem was not one of intentionally trying to cheat consumers, but more a matter of customers not being sufficiently told that they would need to submit more detailed information in order to fully activate the credit monitoring services, leaving the customers assuming that they were covered, when in fact, they were not.  Affinion says it has corrected this communications failure by now requiring authorizations for immediate access to credit reports for credit monitoring when customers initially enroll in their programs.  However, this change does not alter the fact that many customers were cahrged for services they either did not agree to or just did not receive.  In some cases the interest payments and fees from these programs resulted in customers going over their credit limit and being subject to bank penalties.  For its part, U.S. Bancorp has agree along with paying the fine to better monitor the third party vendors it uses.

TIPS

If you were directly affected by this, you should contact your local U.S. Bancorp branch.  For the rest of us, the first lesson is to make sure that you fully understand the details of any contract you sign up for.  Specifically as to credit monitoring services, you should make sure you understand what you need to do to activate the services and precisely what services are provided and at what cost.  Remember, credit monitoring services do nothing to actually prevent identity theft; they only help you become aware of the crime earlier.  It is also important to note that no credit monitoring service does anything for you that you cannot do for yourself at much less cost and often free.  For more details as to what you can do to protect yourself from identity theft, I suggest you get a copy of my new book “Identity Theft Alert.”  You can order it from Amazon merely by clicking on the link on the right hand side of this page.

Scam of the day – September 11, 2014 – Important Home Depot update

Home Depot has not confirmed what we knew all along, namely that they had been hit by a massive data breach that may involve as many as sixty million Home Depot customers going back to April 1, 2014.  The hacking of Home Depot followed the same pattern that we first saw in the hacking of Target last year, which was the first in what is already a long line of data breaches including, but not limited to Neiman Marcus, P.F. Chang’s, Goodwill and U.P.S.  As usual, due to the effectiveness of the malware used by what is probably the same Eastern European hackers, it was not Home Depot that first discovered the data breach, but rather banks monitoring credit card usage that were able to find a common denominator in fraudulent use of credit cards and trace it back to Home Depot.  The hackers who accomplished the Home Depot data breach are now selling the stolen credit and debit card information on black market websites in large batches.  Interestingly, along with the credit card numbers and debit card numbers, the hackers also are selling the state and zip code for the particular cards.  This enables the hackers to defeat some fraud detection programs that pick up charges made from areas far from the home of the card holder.   The identity thieves buying the card information can either buy card information for cards in their area and use them there or use them online.

Home Depot has announced that it is providing a year’s free credit monitoring through All Clear ID.  The offer is being made to Home Depot customers who used their credit or debit cards at Home Depot between April 1, 2014 and September 9, 2014.  If you wish to enroll, you can either go to Home Depot’s website www.HomeDepot.com or All Clear ID’s special website www.homedepot.allclearid.com.   It is very important to note that many people will be receiving emails, texts and phone messages purporting to be from Home Depot providing links to supposedly help you apply for the credit monitoring.  Many people will also be called on the phone and asked  by purported representatives of Home Depot for personal information including credit card information in order to enroll in the credit monitoring program.   These emails and text messages are scams designed to get you to download keystroke logging malware that will steal all of your information from your computer to make you a victim of identity theft while the calls are from scammers seeking to have you provide them the information they need to make you a victim of identity theft.

TIPS

Don’t click on links in emails or text messages promising to help you enroll in the free credit monitoring program.  You can’t be sure that the emails or text messages are legitimate.  Don’t provide personal information including credit card information over the phone to anyone you have not called unless you are absolutely sure that they are legitimate.  Instead go directly to the Home Depot website, www.homedepot.com or All Clear ID’s special website for Home Depot hacking victims, www.homedepot.allclearid.com where you can sign up for the credit monitoring service.  The malware used by the Home Depot hackers is still being used against many other companies and we can expect more and more data breaches in the future.  To protect yourself, do not use your debit card for purchases.  Use a credit card  for purchases and monitor your card usage regularly for indications of fraud.

Scam of the day – April 26, 2014 – Tufts Medicare Preferred data breach

Health insurance company Tufts Health Plans has just disclosed that it was a victim of a data breach through which names, birth dates and Social Security numbers of 8,830 of its customers who had purchased Tufts Medicare Preferred Policies, such as its supplemental Medicare coverage and its prescription drug plan.  The data breach is being investigated by federal law enforcement who initially discovered the data breach during the course of another investigation.  Tufts did not disclose how the data breach occurred, but is presently saying that it “was not due to an electronic breach, IT system vulnerability or hacking.”  However, without further details as to how the data breach was discovered, I must admit that I am skeptical of their firm pronouncement that there was no failure of computer security involved.

TIPS

Tufts is offering a year of free credit monitoring to those people affected.  If you have a Tufts Medicare Preferred Policy I urge you to contact your insurer to see if you were one of the people affected by this data breach.  Credit monitoring can be helpful, but it does absolutely nothing to prevent identity theft, it merely enables you to learn that you have become an identity theft victim sooner.  A better thing to do is to put a credit freeze on your credit report so that even if someone has your Social Security number and other personal information about you, they cannot access your credit report and get credit in your name.  On the right hand side of this page you will find a link to information on credit freezes and how to get one.