Scam of the day – July11, 2016 – FBI warns about extortion tied to data breaches

Data breaches have become a modern fact of life as too many places that retain our personal data have been successfully targeted by hackers seeking information from which they can profit.  Often the information is credit card and debit card numbers that can quickly be used to make purchases for goods that are then sold on the black market to convert into cash.  Other times, it is personal information that allows the hacker to access our various online accounts including bank accounts or to use the information to set up new accounts that the cybercriminals can exploit.  None of these scenarios are good for the victims of these data breaches.  Sometimes the fault is with ourselves such as when we use easy to guess passwords or the same password for multiple accounts.  Other times the fault may be with the companies that hold your data that have not instituted proper security measures.

In any event, the FBI has recently noted that now cybercriminals are exploiting data breaches by threatening to  expose the victim’s personal information to others unless the targeted person agrees to pay a ransom in bitcoins which are an easy way to money launder criminal activity.  At the present time the ransoms range from approximately $250 to $1,200.  Here are some of the extortion emails presently being circulated.

“Unfortunately your data was leaked in a recent corporate hack and I now have your information. I have also used your user profile to find your social media accounts. Using this I can now message all of your friends and family members.”

“If you would like to prevent me from sharing this information with your friends and family members (and perhaps even your employers too) then you need to send the specified bitcoin payment to the following address.”

“If you think this amount is too high, consider how expensive a divorce lawyer is. If you are already divorced then I suggest you think about how this information may impact any ongoing court proceedings. If you are no longer in a committed relationship then think about how this information may affect your social standing amongst family and friends.”

“We have access to your Facebook page as well. If you would like to prevent me from sharing this dirt with all of your friends, family members, and spouse, then you need to send exactly 5 bitcoins to the following address.”

“We have some bad news and good news for you. First, the bad news, we have prepared a letter to be mailed to the following address that details all of your activities including your profile information, your login activity, and credit card transactions. Now for the good news, You can easily stop this letter from being mailed by sending 2 bitcoins to the following address.”

Part of the problem is that sometimes, the cybercriminals are bluffing and merely are contacting people after a noteworthy data breach without actually having the information they claim to have.

TIPS

The best way to avoid this problem is to limit the places that hold your personal information as much as you can.  For instance, hospitals do not need to have your Social Security number.  Use complex and unique passwords for each of your accounts and use dual factor authentication whenever possible.  Also, do not store personal information or sensitive photos or videos on your smartphone.  You also may wish to consider limiting the amount of personal information you provide on your social media accounts that can be used against you by being leveraged to gain access to your various accounts or trick you into clicking on links in emails or text messages that may download keystroke logging malware on to your computer, smartphone or other electronic device.  You also should limit the use of your debit card to use as an ATM card because the rules regarding protection from unauthorized use of your credit card provide much more protection than the rules regarding protection from unauthorized use of your debit card.

Scam of the day – January 13, 2016 – The Cybersecurity Act of 2015 explained

Deep in the trillion dollar federal spending bill that President Obama signed into law on December 18, 2015 was the Cybersecurity Information Sharing Act of 2015 (CISA) which establishes a voluntary cybersecurity information sharing program for the public and private sectors to share information about cyberthreats.  This law was, as many are, a compromise version of competing House and Senate versions of the cybersecurity bill.

The sharing of information about cyberattacks, data breaches and hacks by corporations and others with applicable federal agencies is seen by many as a critical step in protecting the public from these types of attacks, however, many companies were hesitant to share information after they had suffered a data breach or other cyberattack for many reasons including concerns about the privacy rights of people whose information would be included in the information provided to the government as well concern about possible liability on the part of the companies.

The new law provides for individuals, companies, groups, state governments and local governments to share with the federal government both cyber threat indicators and defensive measures.  The law specifically indicates that personal information of individuals is to be removed from the data before being shared.  The law provides for the information to be initially provided to the Department of Homeland Security, which will then, in turn, share the information with other appropriate federal agencies and other entities that have appropriate security clearances.  The federal government is specifically prohibited by provisions in CISA from using this information for any purpose other than cybersecurity purposes and the data will not be available to the public through the Freedom of Information Act.  As an incentive to private companies to share this type of information, the law specifically protects them from any liability related to the monitoring of their information systems or the sharing of the information.

TIPS

This law, which is Congress’ first major cybersecurity legislation is indeed a modest start to dealing with a major problem.  The program is purely voluntary and many privacy advocates are concerned that the law does not provide enough protection of personal data and its misuse by the federal government.  Whether the critics are correct is not immediately apparent from the specific wording of the legislation, but will only become known after the law is fully implemented.  However, the importance of Congress finally taking some, albeit small steps toward dealing with a major threat to us all should not be minimized.

Scam of the day – October 21, 2015 – Investment scam update

Late last week, the director of the Securities and Exchange Commission’s Division of Enforcement warned brokerage houses and other financial companies that they risk serious SEC enforcement action if they fail to implement proper cybersecurity plans.  This comes on the heels of the data breach at Discount brokerage firm Scottrade which I told you about in the Scam of the day for October 4th as well as the SEC’s fine of R.T. Jones Capital Equities Management in September for failing to take adequate steps, such as encryption, to protect their customers data.

Like so many cybersecurity problems, this one is not as bad as you think.  It is far worse.  According to an SEC survey, 88% of broker-dealers and 74% of investment advisers suffered cyberattacks in the last year.  Making the problem even worse, according to the SEC, only 15% of broker dealers and 9% of advisers guarantee that they will totally reimburse their customers for losses due to cyberattacks.  In particular, many of these companies have fine print in their contracts that passes the liability on to the customers if the customers are considered negligent in the loss of their data.

TIPS

So what can you do to keep your investments safe?

As always, the first place to look for that helping hand is at the end of your own arm.  Make sure that you use a unique and complex password for your investment accounts.  You can go to the Scamicide archives for instructions as to how to pick a strong and secure password.  Also important is to use dual factor authentication whenever possible so that even if someone manages to steal your password, they will not be able to access your account.  With dual factor authentication, a one-time code is sent to your smartphone whenever you need to access your account.  In addition, you should make sure that all of your electronic devices including your computer and smartphone are protected with the most up to date anti-virus and anti-malware software.  Too many people fail to protect their smartphones with a password or security software.  Finally, monitor your accounts regularly for indications of security breaches.

But what about your investment broker or adviser?  How do you know if they are trustworthy?

Make sure you understand your broker’s policy for reimbursement of customers if a data breach occurs and consider taking your business somewhere else if the answer is unsatisfactory.  Ask them what measures they take to ensure cybersecurity including the use of encryption and dual factor authentication.  Also, find out how they limit access to data to only those people who have a need to see your information.  Finally, find out if they are covered by cyberinsurance.

Scam of the day – August 5, 2015 – Free scan for Hacking Team vulnerabilities

Following the embarrassing hacking and data breach at the Italian spyware company Hacking Team which sells spyware to governments, it has been learned that the release of the 400 gigabytes of files, source code and emails stolen and made public has enabled hackers and identity thieves to use that information to construct malware to exploit the vulnerabilities uncovered by creating zero day exploits which are malware for which there are no known security patches yet developed.  These zero day exploit kits are presently being sold on the black market to hackers and identity thieves around the world.

Now Rook Security, a computer security company is offering a free scan that can identify if your computer has already been infected by one of these new malware programs.  Here is the link to their website and the free scan.  https://www.rooksecurity.com/hacking-team-malware-detection-utility/

TIPS

Everyone should make sure that they have all of their computers, smartphones and electronic devices protected by anti-malware and anti-virus software and that your security software is constantly and automatically updated with the latest security updates.  The failure to update security software when new vulnerabilities are discovered and patched is a major factor in many data breaches and identity thefts.  In addition, the primary way that most data breaches and identity thefts are accomplished with malware is through phishing where victims are lured into clicking on links in emails and text messages containing malware.  The lesson is clear.  Don’t click on links unless you are absolutely sure that they are legitimate.

Scam of the day – June 10, 2015 – Syrian Electronic Army hacks U.S. Army website

Earlier this week, the Syrian Electronic Army (SEA) hacked into the public website of the U.S. Army and defaced it with a political message, Your commanders admit they are training hte people they have sent you to die fighting.”  I have been reporting to you for two years about the hacking group known as the Syrian Electronic Army (SEA) who are vocal supporters of embattled Syrian President Bashar Assad.  In the past they have managed to take over control of the websites of the New York Times, the Washington Post and CNN as well as the Twitter account of the Associated Press where they announced that the White House had been attacked, prompting a substantial, but short lived drop in the stock market.  It does not appear that any critical data was compromised in this latest hack of the U.S. Army’s website, however, it does again show that government and business websites and social media accounts continue to be vulnerable to hacking.

TIPS

The same advice that I give you as individuals, I would give to the U.S. Army and that is to use complex passwords and protect their security.  In addition, most data breaches and breaches of security at websites are as a result of social engineering through phishing emails that lure employees to click on links or download attachments with keystroke logging malware that will enable the hackers to access the information in the target’s computers and thereby gain control of their data and their websites.  The key to avoiding becoming a victim of phishing, which is a lesson we should all learn, is to never click on links or download attachments until you have verified that they are legitimate.  Trust me, you can’t trust anyone.

Scam of the day – February 15, 2015 – President Obama’s Executive Order on cybersecurity

In an effort to help combat cybercrime, President Barack Obama has issued an Executive Order encouraging and promoting information sharing both within the private sector as well as between the private sector and the government.  It has long been known that such information sharing about cyberthreats is an important step in the battle against cybercrime, data breaches and hackers.  The Department of Homeland Security will take the lead in establishing Information Sharing and Analysis Organizations (ISAOs) including setting up voluntary standards for these organizations.

TIPS

Although this is a very promising first step that will undoubtedly aid in the battle against cybercrime, data breaches and hackers, it is only a first step.  When looking for a helping hand to protect yourself from cybercrime and hackings, the best place to look is still at the end of your own arm.  We all must recognize that each of us is responsible for following best practices to protect ourselves as best we can from cybercrime and hackings.  We cannot rely on either government or private industry to do the job for us.  One of the reasons I write Scamicide each day is to arm you with the knowledge you need to protect yourself as best you can from threat of cybercrime and hackings.

Scam of the day – October 24, 2014 – President Obama’s Executive Order regarding credit card security and identity theft

President Obama has signed an Executive Order leading the way for greater protection for Americans from data breaches and identity theft.   He also announced that a number of companies including Home Depot Target,  Walgreen and Walmart are accelerating their move to more secure chip and PIN credit card use at their stores. Although regulations that would encourage retailers to switch to these smart cards no later than October of 2015, these companies are planning on completing the move to smart card readers by January of 2015 with Walmart already leading the way.  Also starting in January Citi and FICO are joining together to make credit scores available free to Citi Bank credit cards.  Already providing free credit scores are Discover, Barclaycard, Pentagon Credit Union and First National Bank of Omaha.  It is hoped that more banks will follow this example.  Under the President’s order the reporting of credit card fraud will be made quicker and easier within two years.  Finally, the President announced that the Department of Justice and the FBI are working to improve greater information sharing between hacked companies and affected consumers with the National Cyber-Forensics and Training Alliance’s Internet Fraud Alert System.

TIPS

The President’s actions are a good first step and they do indicate a greater willingness of businesses to work with the government in order to better protect consumer data.  However, much remains to be done and Congressional action is definitely required to improve the laws necessary to protect consumers from data breaches and identity theft.  However, it is good to see the President taking the lead on this important issue. Meanwhile, the primary responsibility for protecting ourselves from identity theft still rests with all of us as individuals.  I urge you to pick up a copy of my new book “Identity Theft Alert” which provides simple steps you can take to dramatically improve your chances of avoiding identity theft.  You can order the book from Amazon by clicking on the link on the right hand side of this page.  I also urge you to read scamicide.com every day so you can become aware of the latest scams and identity theft schemes.

Scam of the day – July 13, 2013 – Dangers of data breaches

Recently the California Attorney General’s office released its report pertaining to data breaches in California and the results are quite disturbing.  More than 2.5 million Californians were victims of the 131 reported data breaches that occurred in California in 2012.  Similar results would be expected in the rest of the states.  Sensitive information that was stolen included names, Social security numbers, credit card numbers, bank account numbers, medical information and insurance information, all of which could be used to make the victims of the data breaches victims of identity theft.  The worst part of this sad fact is that to a great extent this problem could have been avoided by simply encrypting the data.  Encryption is easy to put in place and is quite effective against data breaches, yet companies, state and federal agencies still do not use it sufficiently.  NASA had two major data breaches in the past year and still does not encrypt its data.

TIPS

So what does this mean to you and me?  First, it means that regardless of how careful we are in taking steps to protect the security of our personal information, we are only as safe as the companies and governmental agencies with which we do business that have the worst security measures in place.  That makes it even more important that you take steps such as putting on a credit freeze to prevent your credit from being misused by someone who may get access to your Social Security number.  You can get information as to how to put on a credit freeze by going to the Scamicide archives or my book ” 50 Ways to Protect Your Identity in a Digital Age.”    You also should use encryption programs, security software and anti malware software and make sure that you keep these programs updated.  As for the companies and governmental agencies with which we do business, it is up to us to demand our legislators enact legislation requiring encryption of data by anyone holding such personal information.  There is even more that can and should be done, but this would be a good start.

Scam of the day – May 5, 2013 – Data breaches at small businesses – what it means to you

Verizon has just released its 2013 Data Breach Investigations Report analyzing data breaches around the world and found that hackers in foreign countries, particularly China, Romania, Bulgaria and Russia are responsible for many of the attacks on businesses large and small resulting in data breaches.  Sometimes the hacks are intended to obtain company secrets while other times the goal is personal information about a company’s customers that can be used to make the company’s customers victims of identity theft.  More and more hackers are targeting small businesses because they are both a treasure trove of information and because many of these companies have lax security making them easy targets for the hackers.  It has been estimated that as much as 80% of the data breaches could be prevented by using two-factor authentication when accessing company computers and their data.  This is not a costly security measure to implement, but most companies still do not do this.

TIPS

As I always tell you, you are only as secure as the company or agency with the weakest security that holds your information.  Therefore it is important that you limit, as much as possible, the companies and agencies that hold personal information about you that can be used to make you a victim of identity theft.  And although it is certainly convenient to leave your credit card number on file with companies with which you do business online rather than input it each time you do business with a particular company online, you are safer not leaving your credit card number in the computers of companies that may be hacked.  You also should inquire of any company that does hold personal information about you as to their security measures to safeguard that information.

Scam of the day – July 13, 2012 – Yahoo data breach and how to protect yourself

Data breaches are a fact of modern digital life.  This week hundreds of thousands of Yahoo users had their usernames and passwords stolen from one of their databases and just within the past month social network sites Formspring and LinkedIn had their databases hacked into resulting in the loss of personal information of millions more people.  It is important to remember that your own personal security is only as safe as the company with the weakest security that holds your information.  But there are things you can do to protect yourself.

TIPS

Do not give your Social security number to companies that request it unless you truly legally must do so.  Your Social Security number is the key to identity theft and can provide access to to your credit report which in turn can provide an identity thief with access to your credit.  Use complex passwords and use different passwords for each of your accounts so that if a breach occurs, not all of your accounts are in jeopardy.  It is easy to pick  a passowrd with numbers and letters and just vary it slightly from account to account.  Put a credit freeze on your credit report so that even if someone gets your Social Security number and name, they cannot get access to your credit report. With a credit freeze, you credit report can only be accessed through a PIN that you keep private.