Scam of the day – December 16, 2016 – Yet another major data breach disclosed at Yahoo

It was just in September that I told you about a massive data breach at Yahoo affecting as many as five hundred million people, making it the largest data breach in history. However, as I often say, “things aren’t as bad as you think — they are far worse.” Earlier this week it was disclosed that Yahoo had also been a victim of an earlier data breach in 2013, only recently discovered, in which personal information on a billion Yahoo customers was stolen. Included in the stolen information were names, email addresses, telephone numbers, dates of birth, hashed passwords and security questions and answers, only some of which were encrypted.

Gaining access to someone’s email account can provide a tremendous amount of personal information that can be leveraged to make that person a victim of identity theft. This should be a wake-up call to everyone, even those who do not use Yahoo email, to implement stronger email security measures.

TIPS

As I have suggested many times in the past, you should have a unique password for each of your online accounts so that in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy. Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could be cracked. Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.

This is also a good time to check your credit reports with each of the three major credit reporting agencies for indications that your identity may have been compromised. You can get your free credit reports by going to www.annualcreditreport.com. Beware of going to other sites that appear to offer free credit reports, but actually sign you up for costly services. And while you are at it, you should consider putting a credit freeze on your credit reports at each of the three major credit reporting agencies so that even if an identity thief does manage to steal your personal information, he or she cannot access your credit report to open new accounts. For more information about credit freezes and links on how to set them up, go to the Scam of the day for June 27, 2016.

Whenever possible, use dual factor authentication for your accounts so that when you attempt to log in, a one-time code will be sent to your smartphone, which you must enter in order to get access to your account. For convenience’s sake, you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use.

Security questions are notoriously insecure. Information such as your mother’s maiden name, which is the topic of a common security question, can be readily obtained by identity thieves. The simple way to make your security question strong is to use a nonsensical answer for the question, so make something like “firetruck” the answer to the security question as to your mother’s maiden name.

As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate. In addition, scammers armed with personal information gained through a data breach such as this will be targeting people with spear phishing emails attempting to lure you to click on malware-infected links. Any email you may get purporting to be from Yahoo will not contain links or attachments and will not ask you to provide personal information. For help directly from Yahoo on this matter, go to https://help.yahoo.com/kb/helpcentral

Since you can never be sure if a company is going to be subjected to a data breach, try to limit the personal information you provide to all companies. Don’t leave your credit card number on file for convenience’s sake and don’t provide your Social Security number unless you absolutely must do so. Many companies ask for this information although they have no real need for it.

Don’t store sensitive information in your email account where it could be accessed in the event your account is hacked.  You also should encrypt your emails.  There are many simple, free software programs you can use to encrypt your emails.

As for the companies themselves, they should be utilizing encryption to protect stored data as well as utilizing modern analytics programs that can better detect unusual activity.

Scam of the day – November 24, 2016 – Disturbing data breach at HUD

Earlier this week, the Department of Housing and Urban Development (HUD) disclosed that it had suffered two data breaches occurring on August 29th and September 14 in which personal information including Social Security numbers of approximately 480,000 people was made publicly available on the HUD website. No hacking by individuals or nation states was involved. The data breach was caused by the negligence of HUD employees who inadvertently posted the information. The information has been taken down and, at the moment, there is no evidence that the information has been used for purposes of identity theft. HUD is investigating the data breach to determine the exact extent of the problem, how it occurred and what to do to prevent such data breaches in the future.

Letters are being sent by HUD to affected individuals and HUD is offering a year of free credit monitoring.

TIPS

Identity thieves will be sending letters appearing to come from HUD about this data breach asking for personal information.  You should not provide such information to anyone who calls you, emails you, text messages you or contacts you by mail.   Here is a link to the official HUD website with contact information if you have questions as to your rights in this matter.  http://portal.hud.gov/hudportal/HUD?src=/contact

This incident again highlights that you are only as secure as the places that have your personal information with the weakest security. Therefore, you should limit the amount of personal information you provide to any company, institution or government agency as much as possible. However, unfortunately, in many instances, such as with HUD, there will be times you need to provide your Social Security number and other personal information. Therefore it is important to protect yourself from identity theft as best you can. The best thing you can do to protect yourself is to put a credit freeze on your credit report so that even if someone obtains your Social Security number, they will be unable to establish credit in your name. You can learn how to put a credit freeze on your credit reports by going to the Search the Website section of Scamicide in the top right-hand corner of this page and typing in “credit freeze.”

Scam of the day – October 18, 2016 – Update on Home Depot data breach settlement

As I reported to you last year, in March of 2015 a settlement was reached between Home Depot and the plaintiffs in a class action on behalf of the 56 million victims of Home Depot’s massive data breach which occurred between April and September of 2014. The settlement provides for a 13 million dollar fund to reimburse victims for out-of-pocket losses incurred, with an additional 6.5 million dollars being set aside for legal fees and other related expenses. You are eligible to receive payments through the settlement if you used your credit or debit card at a self-checkout lane at Home Depot between April 10, 2014 and September 23, 2014 and your card information was stolen. You also are eligible for a payment if you received notification that your email address was compromised or if you specifically received a settlement notice informing you that you are a member of the class action. Payments of as much as $10,000 will be made to claimants who suffered out-of-pocket losses and unreimbursed charges as a result of the data breach. In addition, affected shoppers can receive payments of $15 per hour for time spent remedying the problems they encountered as a result of the data breach.

Similar to the major data breach at Target which occurred a year earlier, Home Depot’s computers and credit card processing equipment were hacked when a third party vendor’s computers were hacked, thereby enabling the hackers to steal the passwords necessary for the third party vendor to access Home Depot’s computers. As an additional part of the settlement, Home Depot committed to make greater efforts at data security.

TIPS

If you were affected by this data breach, you must file a claim and the deadline for filing a claim is October 29th which is rapidly approaching.  Here is the link to go to in order to file a claim.

https://gilardigateway.com/HomeDepotBreachSettlement/Claimant/UnKnownClaimForm

However, even if you were not a victim of this particular data breach, it is important to remember that we are only as safe as the places with which we do business that have the weakest security. Greater use of EMV smart chip credit cards will reduce the effects of data breaches aimed at gaining credit card and debit card information, but many stores still have not shifted over to the new equipment required to process EMV smart chip credit cards.  However, whenever you can, you should use your EMV chip card.

Also, do not use your debit card for retail purchases.  Limit its use to ATMs.  There are strong laws to protect you from fraudulent use of your credit card, but the laws protecting you from liability in the event of fraudulent use of your debit card are not as strong and you potentially risk losing your entire bank account to which the card is attached.  In addition, even if you report the fraudulent use of your debit card immediately, your bank will freeze your account while it investigates the breach which can be very inconvenient if you need immediate cash or have bills automatically paid from your account.

Scam of the day – June 2, 2016 – Why the massive Myspace data breach is relevant

Many younger readers of Scamicide may not even remember Myspace, but at one time Myspace was the biggest social networking website. By 2009, however, it was overtaken by Facebook and its users have continued to decline in the years since then. In 2013, it was bought by Time, Inc which is attempting to revitalize it. When it was announced earlier this week that more than 360 million usernames and passwords from Myspace were being sold on the Dark Web to cybercriminals interested in turning that information into ammunition for identity thieves, many people were not very disturbed by the news. But they should be. Even though the usernames and passwords go back to prior to 2013 and, in many instances, much earlier, the problem is that because a lot of people use the same username and password for all of their accounts, this information could be used to gain access to present and former Myspace users’ other accounts, such as online banking.

TIPS

A great resource to find out if you have been affected by a data breach is “Have I Been Pwned” which compiles information on data breaches and allows you to find out if your information was contained in particular data breaches. Here is a link to its website which you can use to find out if the Myspace data breach or other data breaches affect you. https://haveibeenpwned.com/

Myspace is notifying users and has cancelled the passwords of affected accounts. However, if you do get an email purporting to be from Myspace asking you to input personal information such as passwords or other information, you have probably been contacted by a scammer merely trying to steal your information through spear phishing. If you do receive an email from Myspace, there is no way to be absolutely sure that it is legitimate, so if you believe you may have been affected by the data breach, you should go directly to Myspace’s website to change your username or password. Here is a link to the applicable portion of the Myspace website. https://help.myspace.com/hc/en-us

Finally, for all of us, this data breach is just another reminder that you should use a distinct and unique password for all of your accounts so that in the event of a data breach at one online service you use, all of your online accounts will not be in jeopardy.

Scam of the day – September 23, 2015 – New survey on EMV chip credit cards

As the October 1st deadline approaches for retailers to switch over to using the new EMV credit cards containing a computer chip that creates and encrypts a new number every time the card is used, a recent poll taken by ACI Worldwide indicates that 59% of American consumers have not yet received a new chip-enabled credit card from their credit card companies. Only 32% of those people receiving the cards were even aware that the United States was changing to the EMV cards, and a large majority of the people receiving the cards did not know that the reason for the switchover is the massive data breaches suffered by companies such as Target, which resulted in tremendous amounts of credit card fraud through the use by identity thieves of the numbers of the stolen credit cards with the old-style magnetic strip.

Unlike credit cards in other parts of the world, American credit cards still mostly use magnetic strip technology that has been around since the 1960s, in which information is contained on a magnetic strip on the back of the card. When the information on this strip is stolen, the identity thief has access to the credit of the victim. However, in more than 80 other countries around the world, the magnetic strip card technology has been replaced with cards embedded with a microchip. This technology is often referred to as EMV, which stands for Europay, MasterCard and Visa, the originators of the card. With EMV cards, the chip creates and encrypts a new number every time the card is used. Thus hacking into the data terminals used by the cardholder is a worthless exercise in trying to access the credit card.

Credit card companies and retailers have resisted updating the credit card system in the United States for cost reasons, although changes in regulations in regard to liability for fraudulent credit card use will prompt credit card companies and retailers to switch to this technology by October 1, 2015. Under these new rules, after October 1st if a retailer does not switch its card processing machines over to EMV card processing of sales, in the event of a data breach, the retailer will be held financially responsible for any losses incurred. Previously, in the event of data breaches, it has generally been the credit card issuing banks that have been held responsible for such credit card fraud.

The October 1st deadline, however, is unlikely to be met by many credit card issuers and retailers.  More than a billion credit and debit cards will have to be switched to the new EMV cards and only 120 million people have already received a new EMV card.  That number is expected to reach 600 million by the end of 2015.  Meanwhile, many retailers have not yet converted their card processing devices to accept the new EMV cards.  Since under the new regulation regarding liability in the event of credit card fraud, the liability passes to the party that is the least EMV compliant, there is much incentive for the credit card companies to issue new EMV cards and for retailers to convert their credit card processing equipment as soon as possible.

TIPS

Some American companies including Target and WalMart have been among the leaders in switching over to EMV processing.  Among the credit card issuing banks, Bank of America and Chase have been active in switching to the new EMV cards.  If you do not have one yet, you should contact your credit card issuer and request that a new EMV card be sent to you.  They are easy to use and can save you a lot of headaches.  EMV cards are not a panacea.  They will do nothing to stop credit card fraud in online purchases, but they will improve the security of credit card use in brick and mortar stores dramatically.
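
The chip’s “new number every time the card is used,” sketched as an added example (not code from the original post, and not the actual EMV algorithm). HMAC-SHA256, the class names and the test card number are assumptions made for illustration; the point is that a record copied from a terminal is useless the second time.

```python
"""Simplified model: static magnetic-stripe data versus a chip card's
per-transaction code. HMAC-SHA256 stands in for the card's real algorithm."""
import hashlib
import hmac
import secrets

TEST_PAN = "4111111111111111"  # constructed test number, not a real account


def cryptogram(key: bytes, pan: str, counter: int, amount_cents: int) -> str:
    """Code bound to this card, this transaction counter and this amount."""
    msg = f"{pan}|{counter}|{amount_cents}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class ChipCard:
    def __init__(self, pan: str, key: bytes):
        self.pan = pan
        self._key = key      # secret shared with the issuer; never sent to the terminal
        self._counter = 0    # goes up by one on every use

    def pay(self, amount_cents: int) -> dict:
        """Return what the terminal (and any malware on it) gets to see."""
        self._counter += 1
        return {
            "pan": self.pan,
            "amount": amount_cents,
            "counter": self._counter,
            "cryptogram": cryptogram(self._key, self.pan, self._counter, amount_cents),
        }


class Issuer:
    def __init__(self):
        self._keys = {}          # pan -> card key
        self._last_counter = {}  # pan -> highest counter already accepted

    def issue_chip_card(self, pan: str) -> ChipCard:
        key = secrets.token_bytes(32)
        self._keys[pan] = key
        self._last_counter[pan] = 0
        return ChipCard(pan, key)

    def authorize_magstripe(self, record: dict) -> bool:
        # The stripe carries the same data on every swipe, so the issuer
        # cannot tell a copied stripe from the real card.
        return record["pan"] in self._keys

    def authorize_chip(self, record: dict) -> bool:
        key = self._keys.get(record["pan"])
        if key is None:
            return False
        if record["counter"] <= self._last_counter[record["pan"]]:
            return False  # this code was already used: a replay
        expected = cryptogram(key, record["pan"], record["counter"], record["amount"])
        if not hmac.compare_digest(expected, record["cryptogram"]):
            return False  # counter or amount altered, or code made without the key
        self._last_counter[record["pan"]] = record["counter"]
        return True


def replay_demo() -> dict:
    issuer = Issuer()
    card = issuer.issue_chip_card(TEST_PAN)
    stripe_record = {"pan": TEST_PAN, "amount": 2500}  # what a swipe exposes
    chip_record = card.pay(2500)                       # what a chip read exposes
    bumped = dict(chip_record, counter=chip_record["counter"] + 1)
    return {
        "stripe_first_use": issuer.authorize_magstripe(stripe_record),
        "stripe_copy_reused": issuer.authorize_magstripe(dict(stripe_record, amount=90000)),
        "chip_first_use": issuer.authorize_chip(chip_record),
        "chip_record_replayed": issuer.authorize_chip(chip_record),
        "chip_record_counter_bumped": issuer.authorize_chip(bumped),
        "chip_next_genuine_use": issuer.authorize_chip(card.pay(1200)),
    }


if __name__ == "__main__":
    for name, ok in replay_demo().items():
        print(f"{name:28} {'approved' if ok else 'declined'}")
```
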

Scam of the day – August 23, 2015 – Ashley Madison class actions

A lawsuit has been filed in Canada against Ashley Madison seeking class action status on behalf of Canadian members of Ashley Madison whose personal information was divulged by hackers recently. The action is being brought against Ashley Madison for failing to protect the privacy of the data that it compiled and retained regarding its members. Meanwhile in the United States, the Oklahoma law firm of Abington, Cole & Ellery is also considering filing a class action against Ashley Madison on similar grounds on behalf of American victims of the data breach.

TIPS

For more information about the Canadian class action, you can go to the website of Charney Lawyers, one of the law firms that filed the action by clicking on this link. http://www.charneylawyers.com/Charney/ashleymadisonclassaction.php

For more information about the possible American class action, you can go to the website of Abington, Cole & Ellery by clicking on this link. http://abingtonlaw.com/Ashley-Madison-Data-Breach-class-action-lawsuit.html

As for the rest of us who never had any involvement with Ashley Madison, this data breach should serve as a cautionary lesson that every company or governmental agency is susceptible to data breaches and that we all should try to limit as much as possible the amounts of personal information provided to any entity with which we do business. In addition, because of the likelihood of a data breach, never provide information to a company that you would be embarrassed to be associated with.

Scam of the day – June 18, 2015 – St. Louis Cardinals accused of hacking Houston Astros

Last July I reported to you about the hacking of major league baseball’s Houston Astros. At that time it was not known who accomplished the hack of the Astros’ databases that contained discussions of player trades, complicated player statistics and scouting reports. Now the FBI is indicating that the hacking was the work of employees of the St. Louis Cardinals. Preliminary reports indicate that the motive may have been to set back the work of Astros’ General Manager, Jeff Luhnow, who previously had been an executive in the Cardinals’ organization where he was in charge of scouting and player development. The hacking does not appear to be particularly sophisticated. Apparently the Cardinals’ employees behind the hacking merely used the list of passwords that Luhnow and people working under him had used while employed by the Cardinals to gain access to the Astros’ databases.

TIPS

The biggest takeaway for all of us from this story is the danger of using the same passwords for all of your accounts, which unfortunately is a habit that many people have gotten into.  Hackers will often steal passwords of customers from companies when they commit a data breach and then use those passwords for identity theft purposes at banks, brokerage houses and other companies where the victim can suffer substantial financial losses.  The best course to follow is to have a difficult to crack password that is unique for every account.  This is easier than it sounds.  Start off with a phrase, such as IDon’tLikePasswords, which combines capital letters, small letters and a symbol.  Then add a couple of additional symbols at the end of the password so it may read, for example, IDon’tLikePasswords!!! and then you can customize it for each of your accounts.  For example, you could make this your Amazon password by making it IDon’tLikePasswords!!!Ama.  This password strategy provides great security and is easy to remember.

Scam of the day – March 6, 2015 – Security problems with Apple Pay

In the wake of the massive data breaches in recent years from Target, Home Depot and others in which credit card numbers of millions of consumers were stolen, many people were very enthusiastic about the launch of Apple Pay in October of 2014. Apple Pay was represented to be a safer and simpler way to make credit card purchases and it is. The Apple Pay system permits you to tie your credit card to your iPhone and make payments using your phone and a fingerprint-activated payment mechanism. But nothing is foolproof and we should never underestimate the power of a fool or a hacker. Lately, there have been increased reports of credit card fraud involving credit cards that are used through the Apple Pay system. What is occurring is that identity thieves are stealing credit card information and then connecting those stolen credit cards to the identity thieves’ own phones. They then use the cards through the Apple Pay system to purchase expensive goods that they can then sell for cash. Ironically, much of the fraudulent credit card use is going on at Apple stores.

The flaw is in the process by which a credit card is tied to the Apple Pay system.  Credit cards are added to Apple Pay when the credit card issuing bank electronically sends to the customer’s smartphone an encrypted version of the credit card.  The bank does this only after confirming that the person requesting their card be added to their phone is the legitimate card owner and this is where the problem is found.  Some banks are merely approving the request to add a credit card to a particular phone without confirming the identity of the person making the request while other banks require that the customer confirm his or her identity merely by providing the final four digits of the customer’s Social Security number.  Identity thieves who are able to obtain both the Social Security number and credit card number of their victims, which is not particularly difficult in many instances, are then able to get the stolen cards tied to the identity thief’s phone and the fraud begins.

TIPS

There is not much that we as consumers can do to totally stop this kind of fraud, but there definitely are steps you can take to reduce your chances of becoming a victim of this type of fraud. First and foremost, we should all do our best to protect the physical security of our credit cards. You should also not leave your credit card on record when shopping online at a store which you regularly frequent because this makes you susceptible to identity theft in the event of a data breach at that vendor. In addition, you should limit, as much as possible, the places that have your Social Security number because you are only as secure as the places with the worst security that hold your personal information. Many companies still ask for your Social Security number as an identifier and you should refuse to provide this whenever possible. Finally, if you are going to use Apple Pay, you should confirm with your card issuing bank that they use strong verification procedures when authorizing your card’s use through Apple Pay.

Scam of the day – February 6, 2015 – Massive data breach at health insurer Anthem, Inc.

Anthem, Inc, the country’s second largest health insurance company, has announced that it has suffered a massive data breach in which personal information on up to 80 million of its customers and staff was stolen, including personal information of its President and CEO, Joseph R. Swedish. Included in the compromised personal information were names, birthdates, medical IDs, Social Security numbers, street addresses and email addresses. This is a veritable treasure trove of data for identity thieves. According to Anthem, no credit card data was stolen. However, this is of little consolation to those people who are the victims of this data breach, as the amount of information that was stolen on each victim is quite sufficient to be translated into making them victims of identity theft. Once again, this shows that you are only as safe as the places that hold your personal information.

Particularly troubling is the theft of the medical IDs which brings up the possibility of medical identity theft which occurs when someone uses your information to gain access to your medical insurance and which can cause the identity thief’s medical information to be included on the victim’s medical record.  This can result in someone receiving a transfusion of the wrong blood type or other potentially deadly results.  Correcting medical records tainted by medical identity theft is quite difficult.  You can go to the archives of Scamicide for more information about medical identity theft and what you can do about it.

TIPS

At the moment, we do not know how the breach was accomplished, but the FBI and Mandiant, a private cybersecurity firm, are investigating the breach. As soon as it is determined how the breach occurred, I will report it to you. Meanwhile, if you are an Anthem customer, you should assume that you may be affected. Anthem has set up a website to which you can go for the latest information about the breach. It is www.AnthemFacts.com. Anthem has also set up a toll free number for present and past Anthem customers to call for further information. That number is 1-877-263-7995. It is important to remember that you may be contacted by an email or text message that appears to come from Anthem asking you for information or to click on links. Do not do so. The communications may be from other identity thieves seeking information. If you have any questions after receiving such an email, you should go directly to the Anthem website www.AnthemFacts.com or call them at the toll free number indicated above. Also, this is a good time, if you have not done so, to consider putting a credit freeze on your credit report. You can find out how to do this in the Archives of Scamicide. Finally, if you are an Anthem customer, you should also start monitoring all of your financial accounts more regularly for any evidence of fraud.

Scam of the day – December 28, 2014 – Hackers release personal information of 13,000 people

Yesterday a group of hackers posted personal information including usernames, passwords and credit card information of 13,000 people on its Twitter account @AnonymousGlobo. The hackers indicated that they had stolen the information from a large number of popular websites that they listed. Among the websites listed by the hackers were Amazon, Walmart, PlayStation Network, Xbox Live and a large number of popular pornography sites including Brazzers. The hackers later wrote “We did it for the Lulz” which is slang for doing it just for their own personal enjoyment and satisfaction. While we do know that much personal information was made public, thus putting the victims in danger of identity theft, we do not know if, indeed, the hackers actually did, as they stated, steal the information by hacking into the particular websites they stated or, alternatively, if they sent phishing emails to their thousands of victims, luring them to click on links in the emails and download keystroke logging malware through which the victims’ own computers supplied the information to the hackers. Either alternative is a source for concern.

TIPS

There are a number of lessons to be learned from this hacking.  One is to never leave your credit card information on file with an online retailer with which you do business for the sake of convenience.  It may save you a few seconds the next time you make a purchase with the particular retailer, but it also makes your credit card information vulnerable in the event that the retailer is hacked.  A second lesson is to use different usernames and passwords for each of your online accounts because if you do, as many people do, use the same username and password for all of your online accounts, in the event of a data breach at one company with which you do business, the hackers would be able to get your user name and password for all of your accounts, thereby putting you in greater jeopardy of serious identity theft.  Finally, it is important never to click on links in emails or text messages unless you are absolutely sure that the communication is legitimate and you have confirmed that fact.  Identity thieves are adept at tricking people into clicking on links that contain malware by making the communications look legitimate or even by hijacking the email account of someone you trust.