Scam of the day – September 30, 2017 – Sonic suffers potentially massive data breach

Fast food chain Sonic, which has more than 3,500 locations in 44 states has acknowledged that it had a data breach in its credit card processing systems at an undisclosed number of its restaurants potentially affecting what appears to be at least 5 million credit and debit cards.  As is often the case in massive data breaches, such as this, the hackers are now selling the stolen credit card and debit card numbers along with the zip codes of the card holders on the Dark Web, which is that part of the Internet where criminals buy and sell things.  The website Joker’s Stash is selling five million credit and debit cards for prices of between $25 and $50 per card, depending on various factors including the level of the credit card and whether it is a debit or credit card.  The fact that zip codes are including in the information being sold makes the card more valuable to a criminal who may use the card for fraudulent purposes in the geographical area where the victim lives in order to avoid having the purchase look suspicious, such as in the situation where the card holder lives in New York City and a credit card purchase occurs in Singapore.

Like many credit card and debit card data breaches, this one was made possible due to the fact that Sonic stores affected do not yet use the more secure EMV chip credit card and instead still use the old style magnetic strip credit card.

TIPS

If you have used a credit or debit card at a Sonic restaurant during the last six months, you should carefully review all of your credit and debit card purchases for indications of fraudulent use and if you find such use, report it to your credit card company or, in the case of a debit card, to your bank.

Until businesses that take credit cards switch to the newer EMV chip cards, this story will continue to occur again and again. There is no law requiring companies to switch to the EMV chip cards.  The mandate of retailers to do so is only a trade group regulation.   As for us, as consumers, the best thing we can do is to refrain from using our debit cards for anything other than as an ATM card because consumers whose debit card security has been breached are not protected as much as when a credit card is used for fraudulent purchases.  Frankly, even if you were not a Sonic customer you should regularly monitor your credit card statements for indications of fraudulent use.

Scam of the day – April 12, 2015 – Bank telephone scam

The rumor that the first words spoken on the telephone by Alexander Graham Bell were “Watson, come here, I want to see you, and, oh, yes, what is your credit card number” turns out not to be true, although it probably didn’t take long for the telephone to become a tool of choice for scammers and identity thieves.  The latest telephone scam that is popping up around the country begins when you receive a recorded call that purports to be from your bank informing you that your credit card or debit card been frozen.  In order to unlock your account, you are instructed to press “1” on your phone to unlock your account.  Once you press “1” you are instructed to enter your credit or debit card number.  If you do this, you will have succeeded in turning over your credit card or debit card to an identity thief.  Making this scam even more insidious is that in some instances, if you have Caller ID, it will indicate that the call is from your bank.  However, this automated call is never from your bank, it only appears to be so due to a technique called “spoofing.”

TIPS

It is easy to know when you receive a recorded call from your bank regarding your credit card or debit card if it is legitimate.  If you receive such a call, it is a scam because no bank will contact you in this fashion.  In addition, you should never provide your personal information over the phone to anyone whom you have not independently contacted in order to be sure that you are not providing that information to a scam artist or identity thief.  If you receive such a call and have any concern that it might be legitimate, merely call your bank at a number that you know is accurate to confirm that the call was a scam.

Scam of the day – October 30, 2014 – Gallup poll shows hacking of retail stores is the crime most feared

A recent Gallup poll shows that the hacking of retail stores and the resulting theft of credit and debit card information is the crime that is feared most by Americans – and with good reason.  Identity theft, including the fraudulent use of credit cards by identity stealing hackers accounts for more dollars lost than all other property crimes combined.  Soon we will be heading into the holiday shopping season when credit card shopping both at brick and mortar stores and online will dramatically increase as will the attempts by hackers to steal credit card and debit card information so it is particularly important for everyone to be vigilant when using their credit and debit cards.  The bad news is that there is nothing that we, as individuals can do to reduce the chances of a major data breach at large and small retailers with which we do business, however, the good news is that there is a lot we can do to minimize our exposure.

TIPS

First and foremost, do not use your debit card for any purchases.  Limit its use to ATMs.  The consumer protection laws regarding fraudulent debit card use are not as strong as the laws pertaining to fraudulent use of credit cards.  Potentially, you could lose the entire bank account tied to your debit card if you are not carefully monitoring its use.  In addition, even if you do notify your bank immediately upon promptly noticing fraudulent use of your debit card, your access to your bank account will be frozen while your bank investigates the crime.

Also, when shopping in brick and mortar stores, you may wish to patronize those stores, such as Wall Mart which are ahead of the pack when it comes to transitioning from the old magnetic strip credit cards to the new smart cards with computer chips that would eliminate the risk of your credit card number being captured by a hacker and used for fraudulent purchases.  You also may wish to consider using the new Apple iPay system which also provides greater protection from hackers.

When shopping on line, limit your shopping to the websites of stores that you know are legitimate and make sure that your communications with the website including the providing of your credit card number is encrypted. You can confirm this by looking at the website address and making sure that it begins with “https” rather than merely “http.”  It is important to note that even if you are using a smart card with a computer chip you are not protected from hackers when shopping online because in this instance you are not generating a new number each time you shop.

As we get closer to the holiday season, I will providing you with more tips to avoid holiday scams and identity theft schemes.

Scam of the day – September 6, 2014 – Dairy Queen hacked

Largely lost among the news of recent data breaches at companies such as Home Depot, Supervalu and UPS was the announcement by Dairy Queen that a number of its stores suffered data breaches leaving customers’ credit card and debit card information in the hands of identity thieves.  Unlike Home Depot and Target, for example, Dairy Queen franchises are independently owned, however, the extent of the hacking appears to include stores in Florida, Alabama, Indiana, Illinois, Kentucky, Ohio, Tennessee and Texas.  The discovery of the data breach followed the same pattern as found in recent data breaches against Home Depot and others in that it was banks monitoring fraudulent credit card and debit card usage that found the common link being usage at Dairy Queen franchises.  This is not unusual because it appears that the same, difficult to discover Backdraft malware about which I have warned you repeatedly in the past and about which the Department of Homeland Security warned retailers in a July 31st alert was used.

TIPS

We can expect this scenario to continue to be repeated, however this is no reason to stop using your credit card.  It is reason enough to stop using your debit card for retail purchases because the consumer protection laws for fraudulent use of debit cards are not nearly as strong as those that apply to the fraudulent use of credit cards.  In addition, even if you discover the misuse of your debit card immediately, you will temporarily lose access to your bank account to which the debit card is attached while the bank investigates the crime.  This can delay your access to your own money and can jeopardize automatic payments that you may make from the account, such as mortgage payments.  As for your credit card, you should regularly monitor its use for any unauthorized use and report it to your card company immediately upon discovering any misuse in order to minimize the inconvenience.

Scam of the day – August 15, 2014 – Accused Russian hacker arraigned

In my Scam of the day for July 12th I told you about the arrest in Guam of Roman Seleznev, a Russian accused of hacking into the point of sale systems of the Broadway Grill in Washington DC and retail establishments throughout the country between 2009 and 2011.  Now, Seleznev has been extradited to the United States and he was arraigned in federal court in Seattle a few days ago.   According to his indictment, Seleznev scanned the computers of retailers throughout the United States looking for vulnerabilities which he exploited through malware that he would inject into the computer systems of these vulnerable retailers, which would capture credit card data which Seleznev would then sell online to other criminals.  The Secret Service says that he stole the data from more than 200,000 credit cards and made more than two million dollars selling this card data on black market websites.  Complicating the situation is that Seleznev is the son of a prominent Russian politician.  The Russian government is calling the arrest an illegal kidnapping.

TIPS

What does this arrest mean to you and me?  It is more of a reminder of how large the problem is.  Hacking into retailers at point of sale terminals in stores has become a relatively easy task to accomplish and not only is it easy to accomplish, it does not even have to be done at the store.  It can be done totally over the Internet by hackers anywhere in the world.  Credit card fraud is worse in the United States than in most of the rest of the world because we still have not adopted the smart card technology by which credit cards carry a computer chip that issues a new identifying number every time it is used which makes the stealing of the number used at any particular transaction worthless.  The hacking of point of sale terminals will be an exercise in futility when we finally start using smart cards in large numbers.  However, it is not expected that this will be done in the United States until October of 2015 when, through a change in the rules governing credit card usage, companies, whose point of sale terminals are hacked, will be responsible for data thefts.  Until that time, the best you can do is to refrain from using your debit card for retail purchases so that your bank account is not at risk in a hacking attack.  You also should monitor your credit card’s use regularly to note any fraudulent use so that you can limit the damage.

Scam of the day – August 1, 2014 – Homeland Security warning about retail hackings

Everyone is aware of the epidemic of hackings of major companies, such as Target, P.F. Chang’s, Neiman Marcus, Michaels, Sally’s Beauty Supply and Goodwill Industries and, as I have repeatedly warned you, these hackings will only increase in frequency in the upcoming months.  Yesterday, the Department of Homeland Security issued  a report that details how these hackings occurred and what needs to be done to reduce them.  A major part of the problem is that more and more companies permit both their employees as well as third party contractors to access the company’s computers over the Internet.  There are many legitimate reasons for doing this, but it tremendously increases the chances of major data breaches as employees and third party contractors who may not be following proper security practices are being hacked and, in essence, providing identity thieves and hackers with access to the computers of the targeted companies.  In addition there are some inherent security flaws in the Microsoft and Apple software used by these employees and third party contractors.   Thus the hackers exploit the weakest links, which they are doing quite effectively.

The Department of Homeland Security identified a malicious software which they have called “Backoff” that, when it makes its way on to the Point of Sale credit and debit card processors, is able to steal credit and debit card information, account numbers, expiration dates of credit card and debit cards and PINs.  Backoff is a very evolved type of malware that, to date, has avoided detection by the anti-malware and anti-virus software used by companies today to protect their computers from data breaches and hackings.

TIPS

Corporate America has a lot of things it should be doing, but it is unlikely that these steps will be done in a sufficiently timely manner to stop data breaches in the upcoming months.  A switch to smartcard technology with computer chips in the credit card would render this type of credit card data unusable to identity thieves, but retailers have been extremely slow to adopt this technology.  Requiring employees and third party vendors to use stronger passwords and to change those passwords regularly would help as would the requirement of two-step verification rather than merely using passwords to provide access.  Another important step for companies to do is to limit access to the credit card and debit card processing systems by people having access to other computer systems within the company.   Credit and debit card processing systems should be isolated.

But what can we do?

The most important thing to do is to recognize that data breaches will be occurring.  Everyone should regularly monitor their credit card usage carefully to recognize security breaches as soon as possible and then to report the breach to your credit card company.  In addition, limit your use of your debit card to use as an ATM card.  Do not use it for retail purchases.  The consumer protection laws available to you if your debit card is hacked are not as strong as the laws that protect fraudulent use of your credit card.  In addition, even if you do become aware and report a breach of your debit card security right away, your access to your account will be delayed while your bank investigates the matter.

Scam of the day – July 23, 2014 – New data breach at Goodwill Industries

Most people are familiar with Goodwill Industries, a network of agencies that sell donated clothing and household items at their stores around the country and use the proceeds of the sales to pay for job training and other community service programs.  The parent organization, Goodwill Industries International, Inc. has just announced that it is investigating a data breach involving credit cards and debit cards used to make purchases at Goodwill stores around the country.  They are not confirming that a breach has occurred, but that is only because as was the exact same situation with the recent data breach at P.F. Chang’s and a number of other massive data breaches in the last year, they have not discovered the breach yet.  It occurred.  Their computers have been hacked and data stolen.  The data breach was uncovered by banks who monitor fraudulent credit card use and as with the breach at P.F. Chang’s and others, the banks noted that a common denominator for the fraudulent card use was, in this case, that the cards had been used recently at Goodwill Industries.  You can expect a confirmation by Goodwill shortly.  It appears that the breach occurred at Goodwill stores in at least 21 states including California and New Jersey.  It is not known yet how the data breach was accomplished.

TIPS

No one should use a debit card for retail purchases because the consumer protection laws regarding fraudulent use of the debit card are not as favorable to the consumer as the laws relating to fraudulent use of a credit card.  Additionally, even if you discover that your debit card has been fraudulently used immediately, your account will be closed pending an investigation of the fraudulent use which can tremendously inconvenience you.  If you have used a credit card or debit card at a Goodwill store going back as far as June of 2013 you should monitor your account closely for indications of fraud.

This case also is another indication of the immediate need for the United States to catch up with the rest of the world and start using smart credit cards with computer chips that would eliminate this type of fraud.  Present regulations do not provide an incentive for retailers to use these cards until October of 2015 although some companies like Target, having been already harmed are speeding up the process.

As for we, the public, this is just another reminder that regardless of how careful you are in protecting your financial information, you are only as safe as the places with which you do business that have the worst security systems.

Scam of the day – November 28, 2012 – Check washing

Even paranoids have enemies and regular readers of this blog/website are aware that, due to security issues, I strongly advise against using a debit card for purchases.  I advise that you only use your debit card as an ATM card and even there, you should be careful when doing so to be on the lookout for tampered ATM machines that can steal your information.  You can read earlier posts for more details.  Credit cards carry their own risks and even though federal law limits your liability for unauthorized, fraudulent purchases to no more than $50, a compromised credit card can still cause you problems.  For those of you thinking about making your holiday purchases and other purchases by way of a good old fashioned check, you too should be wary.  It is a very simple thing for identity thieves to steal your check from your mailbox if you put it in an envelope to pay a bill and leave it in your mailbox outside your home.  Identity thieves also break into corner mail collection boxes and steal mail with checks too.  Finally, rogue clerks at stores may steal your checks as well.  It is then a simple thing to take ordinary bleach or other similar liquids to wash clean the name of the person to whom the check is made out as well as the amount of the check and then insert the identity thief’s name and a figure that would make you blush.

TIPS

Fortunately, you are not powerless and the solution, in fact is quite simple.  Instead of writing your checks using a common ball point pen switch to a gel pen which is a common type of pen that you can buy anywhere, but whose ink will not vanish under chemical washes.  Fountain pens also do not use the type of ink that can be readily washed, but the gel pen is simpler and easier to use.  Another important thing to remember is to cross shred your personal documents including checks that you no longer need and are discarding.  Identity thieves go through trash for their treasure including checks that they can use to make counterfeit checks using your account.  Finally check your banks statements promptly after receiving them for signs of theft.  If you do report checking account fraud more than thirty days after receiving your bank statement, the bank does not have to reimburse you for fraudulent, counterfeit checks.

Scam of the day – August 30, 2012 – California man sentenced for identity theft

Recently, Boris Toumasian was convicted of multiple offenses involving identity theft and sentenced to federal prison for a term of five years.  Toumasian, who had worked at a BP gas station, installed skimmers on the gas pumps at the gas station.  For those of you new to this website/blog who might be unfamiliar with skimmers, they are small devices that are used to read and store the information from your credit cards.  In this case, the skimmers were installed over the legitmate card swiping mechanism on the gas pumps at the gas station where Toumasian worked.  Toumasian took the information gathered from the skimmer and transferred it to American Express Gift cards which he then used to make purchases using his victims’ credit and debit card accounts.

TIPS

Sometimes skimmers are used by identity thieves who are employed in legitimate stores, restaurants and other establishments where you would pay by providing your credit or debit card to the employee.  They run your card through the skimmer at the same time that they legitimately charge your card for the service or product purchased.  Other times, skimmer devices are installed over credit card swiping mechanisms such as you would find at an ATM or gas pump.  When you hand your card to a clerk for a purchase, try to watch your card at all times.  When you use your card by way of a card swiping mechanism, look to see if the mechanism appears to have been tampered with in any way.  Also, make sure that you carefully check your monthly credit card statements and bank statements each month to discover as quickly as possible if you have become a victim of identity theft.  Identifying a loss early is particularly important when using a debit card which does not provide the same level of legal protection that a credit card does.