Scam of the day – November 13, 2017 – FTC settles charges with online tax preparation service

Between October and December of 2015, cybercriminals gained access to the accounts of nearly 9,000 customers of the legitimate online tax preparation service TaxSlayer Online.  The criminals used the information in those accounts to commit income tax identity theft against TaxSlayer Online's customers, filing fraudulent returns and obtaining phony tax refunds in their victims' names.

The Federal Trade Commission (FTC) brought an action against TaxSlayer for its failure to secure its customers' data and for other security-related violations.  Among the more serious charges was that TaxSlayer Online did not notify customers when the bank account to which their tax refund would be sent was changed.  A change of payout account is a classic sign of an account takeover, and it is exactly the kind of change a legitimate customer needs to hear about immediately.

TaxSlayer Online has settled with the FTC and, under the settlement, will be required to take extensive security steps to prevent such breaches in the future.

TIPS

This case again emphasizes that we are only as safe as the least secure place with which we do business.  So what should we be doing to keep ourselves safe?  First and foremost, use a unique password for every online account you have, so that a password stolen from one company cannot be tried against your accounts everywhere else; a password manager makes this easy.  In addition, whenever you can, turn on dual factor authentication.  With dual factor authentication, each time you log in to your online account you must also enter a one-time code, either sent to your smartphone by text message or generated by an authenticator app on it.  Where a site offers the choice, prefer the authenticator app: a text message can be diverted by a criminal who takes over your phone number.  This may seem like an inconvenience, but it is extremely useful and not terribly time consuming.

Scam of the day – October 27, 2017 – Guilty plea in celebrity nude photo hacking case

Earlier this week, Emilio Herrera agreed to plead guilty to hacking into the accounts of more than fifty celebrities in 2013 and 2014 and stealing their personal information, including nude photos.  Although the federal complaint does not name the celebrities whose photos were stolen, it is believed that Jennifer Lawrence, whose nude photos were stolen and shared on the Internet, was among them.

Herrera is the third person to have been charged separately over these hacks.  Edward Majerczyk and Ryan Collins were both charged, convicted and sentenced to federal prison for similar hacking of celebrities' personal photos.

When the photos were first stolen from the victims' iCloud and Gmail accounts there were questions about the security of iCloud and Gmail.  Eventually it became known that all three hackers used spear phishing emails, posing as the victims' Internet Service Providers, Apple, Yahoo and Hotmail, to trick their victims into handing over their usernames and passwords.  With those credentials the hackers simply logged in and downloaded the photos from iCloud or Gmail; no flaw in the cloud services themselves was needed.

TIPS

There are a number of lessons to be learned from this crime about protecting our own security.  Never provide your username and password in response to an email or text message unless you have absolutely and independently confirmed that the request is legitimate, which such requests seldom are.  If you have any concern that the request might be legitimate, call the real company, using the telephone number on its website or on your account statement rather than one supplied in the message, to confirm whether it sent the communication.

Also, take advantage of the dual-factor authentication offered by Apple and many others.  With dual-factor authentication, your password is only the starting point for accessing your account.  After you have entered your password, the site you are accessing sends a one-time code to your smartphone, and you must enter that code before you are let in.  In some instances, the company will only ask for the code when your account is being accessed from a device other than the one you usually use.  Had Jennifer Lawrence and the other hacked celebrities used dual-factor authentication, a phishing email that harvested only usernames and passwords would not have been enough to get into their accounts, and they would still have their privacy.

It is also important to note that merely because you think you have deleted a photograph or video from your smartphone does not mean it is gone.  Smartphones automatically back up photographs and videos to cloud services, such as Google Photos (which replaced the Google+ backup feature) for Android phones and iCloud for iPhones, and a copy deleted from the phone may survive in the backup.  You can change the settings on your smartphone to prevent your photos from automatically being backed up to the cloud, and you should check the cloud service itself for copies of anything you have deleted from the phone.

Scam of the day – October 19, 2017 – Congress forces IRS to suspend multi-million dollar Equifax contract

In the Scam of the Day for October 8th, I reported on the recent announcement that Equifax, the company whose own negligence put 145 million Americans in serious danger of identity theft for the rest of their lives, had been awarded a 7.25 million dollar contract to provide security and fraud detection services to the IRS.  Making the problem even worse was the fact that the contract was a no-bid contract.

Now, under pressure from numerous members of Congress, the IRS has temporarily suspended the contract while it investigates Equifax's systems and security.  The suspension means that taxpayers wishing to set up new accounts with the IRS Secure Access program, which enables taxpayers to use certain online services, will be unable to do so for the time being.  Taxpayers who had already set up Secure Access accounts, however, will still be able to use them.


TIPS

Relying on the IRS to protect the security of our data is somewhat problematic because the IRS itself has had a number of instances where its security practices were lacking.  When it comes to protecting ourselves from identity theft there are numerous simple steps we should all take.  I provide them in great detail in my book “Identity Theft Alert.”  However, here are a few of the things we all should do:  freeze your credit, monitor your credit reports and all of your accounts, use complex passwords that are different for every account, use nonsensical answers to security questions, use dual factor authentication, use security software on all of your devices and keep the software updated with the latest security patches, never click on links or download attachments unless you have verified that they are legitimate, and limit the places you provide your Social Security number as much as possible.  Your doctor, for instance, may ask for it, but he or she doesn’t need it.

Scam of the day – October 8, 2017 – Equifax awarded security contract by IRS

Sometimes the real headlines are more bizarre and ridiculous than those found on parody news websites such as The Onion.  The recent announcement that Equifax, the company whose negligence put 145 million Americans in serious danger of identity theft for the rest of their lives, was awarded a 7.25 million dollar contract to provide security and fraud detection services to the IRS boggles the mind.  Making the problem even worse is that the contract, which was publicly released by the Department of the Treasury on September 30th, was finalized after Equifax had announced its data breach to the world in early September.  And if that is not bad enough, the contract was a no-bid contract.

Former Equifax CEO Richard Smith, testifying before Congress this past week, explained that Equifax’s failure to install the security patch for the Apache Struts vulnerability the hackers exploited came down to one person not properly doing his or her job.  The patch had been available for months before the data breach.  Failing to install it in a timely manner is frankly inexcusable.  For a company of the size and complexity of Equifax, which has an obligation to protect the sensitive personal information of millions of people, to have processes that let one person, without any oversight or backup, make such a disastrous mistake is frightening.  Patching is exactly the kind of task that should never depend on a single individual: it needs an accurate inventory of the software in use, follow-up scanning to confirm the patch actually landed, and someone accountable for checking.

Here is a link to the Department of the Treasury notice of the IRS contract:

https://www.fbo.gov/index?s=opportunity&mode=form&id=ea6f7d2c319f384e03e24ba0bdfad389&tab=core&_cview=0

TIPS

If ever there was evidence that if you are looking for a helping hand, you will find it best at the end of your own arm, this is it.  There are numerous simple steps we should all take in order to protect our identities.  I provide them in great detail in my book “Identity Theft Alert.”  However, here are a few of the things we all should do:  freeze your credit, monitor your credit reports and all of your accounts, use complex passwords that are different for every account, use nonsensical answers to security questions, use dual factor authentication, use security software on all of your devices and keep the software updated with the latest security patches, never click on links or download attachments unless you have verified that they are legitimate, and limit the places you provide your Social Security number as much as possible.  Your doctor may ask for it, but he or she doesn’t need it.

Scam of the day – October 5, 2017 – Yahoo data breach update

Not wanting to be outdone by Equifax and its data breach affecting 145 million Americans (sarcasm), Yahoo, which was recently bought by Verizon, has just announced that its massive 2013 data breach, which it had previously said affected “only” a billion accounts, actually affected all 3 billion of its user accounts.

The stolen information included names, email addresses, telephone numbers, dates of birth, hashed passwords, and security questions and answers, only some of which were encrypted.

While no credit card information or Social Security numbers were taken in this data breach, the risk of identity theft from it is significant.  Note that the Russian intelligence officers the Justice Department charged earlier this year were indicted over Yahoo’s separate 2014 data breach, not this one.

Scammers are already contacting people through phishing emails posing as Yahoo in an attempt to lure their targets into clicking on links or downloading attachments containing malware.  In other instances, the scammers ask for personal information that can be used for identity theft.  The real Yahoo does not do this.  If you have questions about your Yahoo account, go to help.yahoo.com for free assistance.

TIPS

As I have suggested many times in the past, you should have a unique password for each of your online accounts so that in the event of a data breach at one online company with which you do business, your accounts at your bank and elsewhere are not in jeopardy.  Although Yahoo has said that the stolen passwords were hashed, hashing is not encryption.  A hash cannot be reversed to recover the password, but an attacker can guess likely passwords, hash each guess and compare the results with the stolen hashes, and a fast hash of a common password with no salt falls to that attack in moments.  So there is real concern that many of these passwords can be cracked, and anyone who reused a Yahoo password elsewhere should change it everywhere.  Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.
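To show concretely why a dump of “hashed” passwords is still dangerous, here is an added example (not Yahoo’s code and not from the original post). It runs the same dictionary attack against a constructed table of unsalted MD5 hashes and against the same passwords stored with salted PBKDF2. The leaked table and the wordlist are constructed for illustration, and the assumption that a dump used unsalted MD5 is ours, not a statement about any real breach.

```python
"""Why 'hashed' is not 'safe': a dictionary attack on fast, unsalted hashes
versus the same attack on salted, slow password hashing.

Added example, not code from Yahoo or the original post.  The 'leak' and
the wordlist are constructed; unsalted MD5 storage is an assumption made
for illustration."""
import hashlib
import hmac
import os

# Constructed sample of a breached credential table stored as unsalted MD5.
LEAKED_MD5 = {
    "alice@example.com": hashlib.md5(b"password1").hexdigest(),
    "bob@example.com": hashlib.md5(b"letmein").hexdigest(),
    "carol@example.com": hashlib.md5(b"x9!Qv#2pLw$7").hexdigest(),
}

# Constructed wordlist; real cracking lists run to hundreds of millions.
WORDLIST = ["123456", "password", "password1", "letmein", "qwerty", "iloveyou"]


def crack_unsalted_md5(leak, wordlist):
    """Dictionary attack on unsalted hashes: hash every candidate ONCE, then
    look the result up against every victim.  Cost grows with the wordlist,
    not with the number of accounts, which is why a dump of a billion
    unsalted hashes is cracked wholesale."""
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leak.items() if h in table}


PBKDF2_ROUNDS = 100_000  # assumed work factor; tune so one hash takes ~100 ms


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256 (what a site should store instead of MD5).
    Returns (salt, digest); the salt is stored next to the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    """Constant-time comparison so the check itself leaks nothing."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def crack_salted(records, wordlist):
    """Same dictionary attack against salted PBKDF2 records
    ({user: (salt, digest)}).  No shared lookup table is possible: every
    (user, candidate) pair costs a full PBKDF2 run.  Weak passwords still
    fall, but each costs the attacker PBKDF2_ROUNDS hash operations, and
    strong ones are out of reach.  Returns (cracked, hashes_computed)."""
    cracked = {}
    hashes_computed = 0
    for user, (salt, digest) in records.items():
        for candidate in wordlist:
            hashes_computed += 1
            if verify_password(candidate, salt, digest):
                cracked[user] = candidate
                break
    return cracked, hashes_computed


def demo():
    """Run both attacks over the same three passwords and report the work."""
    fast = crack_unsalted_md5(LEAKED_MD5, WORDLIST)
    salted_records = {
        "alice@example.com": hash_password("password1"),
        "bob@example.com": hash_password("letmein"),
        "carol@example.com": hash_password("x9!Qv#2pLw$7"),
    }
    slow, work = crack_salted(salted_records, WORDLIST)
    return {"md5_cracked": fast, "pbkdf2_cracked": slow, "pbkdf2_hashes": work}


if __name__ == "__main__":
    print(demo())
```

Both attacks recover the two weak passwords and fail on the strong one; the difference is cost. The MD5 attack hashes each wordlist entry once for every account in the dump, while the PBKDF2 attack spends a full slow hash on every (account, guess) pair, so only passwords near the top of the wordlist are worth an attacker’s time. That is why the advice to use a strong, unique password holds even when a company does hash.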

Whenever possible use dual factor authentication for your accounts, so that when you log in, a one-time code sent to your smartphone must be entered before you get access to your account.  For convenience, you can set up dual factor authentication so that it is only required when you log in from a computer or device other than the one you normally use.  Yahoo offers dual factor authentication.

Security questions are notoriously insecure.  Information such as your mother’s maiden name, the subject of a common security question, can be readily obtained by identity thieves from public records and social media.  The simple way to make a security question strong is to use a nonsensical answer, so make something like “firetruck” the answer to the question about your mother’s maiden name, and record the made-up answer in your password manager so you can find it when you need it.

As always, don’t click on links or download attachments in any email or text message unless you have absolutely confirmed that it is legitimate.

Scam of the day – May 6, 2017 – Google Docs phishing scam

A phishing email is presently being sent to unsuspecting victims urging them to open a shared Google Docs document.  A copy of one version of the email is reproduced below.  The link does not lead to a document.  It leads to a genuine Google sign-in page and then to Google’s own permissions screen for a third-party app that the scammer has named “Google Docs,” which asks for access to your Gmail and your contacts.  If you click “Allow,” you have handed the scammer’s app a token for your Gmail account without ever giving it your password.  The hacker can then read all of your emails and use your contact list to send your friends emails that appear to come from you, luring them into clicking on the same link (which is how the scam spread so quickly) or into downloading keystroke-logging malware that can lead to identity theft, or ransomware.
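The tell in this scam is not in the email but in the permission link itself: which app is asking, what it wants, and where the token will be sent. The following added example (not code from the original post or from Google) parses an OAuth consent link and flags the combination the worm relied on. The scope strings are Google’s real scope identifiers; the client IDs and redirect hosts in the sample links are constructed, and the verdict rules are our own heuristic.

```python
"""What to look at in an OAuth consent link before clicking "Allow".

Added example, not from the original post or from Google.  Sample links are
constructed (invented client_id values and redirect hosts); the scope
strings are Google's real scope identifiers; the verdict rules are ours."""
from urllib.parse import parse_qs, urlparse

# Real Google scope identifiers that grant mailbox or contact access.
FULL_MAILBOX = {"https://mail.google.com/"}
MAIL_READ = {"https://www.googleapis.com/auth/gmail.readonly",
             "https://www.googleapis.com/auth/gmail.modify"}
CONTACTS = {"https://www.googleapis.com/auth/contacts",
            "https://www.googleapis.com/auth/contacts.readonly"}

GOOGLE_AUTH_HOST = "accounts.google.com"


def assess_consent_request(url):
    """Parse an OAuth authorization URL and report what granting it hands
    over: the app's client_id, the host the token is sent to, the requested
    scopes, and a list of warning flags."""
    parsed = urlparse(url)
    params = parse_qs(parsed.query)
    scopes = set(" ".join(params.get("scope", [])).split())
    redirect_host = urlparse(params.get("redirect_uri", [""])[0]).hostname or ""
    flags = []
    if parsed.hostname != GOOGLE_AUTH_HOST:
        # Not Google's consent page at all: a look-alike page that
        # collects the password itself.
        flags.append("NOT_GOOGLE_CONSENT_PAGE")
    if scopes & FULL_MAILBOX:
        flags.append("FULL_MAILBOX_ACCESS")
    elif scopes & MAIL_READ:
        flags.append("READS_MAIL")
    if scopes & CONTACTS:
        flags.append("READS_CONTACTS")
    if redirect_host and not redirect_host.endswith(".google.com"):
        # Token goes to a third party: normal for an app you chose to
        # install, alarming when the app calls itself "Google Docs".
        flags.append("TOKEN_SENT_TO_THIRD_PARTY")
    return {
        "client_id": params.get("client_id", [""])[0],
        "redirect_host": redirect_host,
        "scopes": sorted(scopes),
        "flags": flags,
    }


def verdict(url):
    """Heuristic: a third-party app asking for the mailbox and the contact
    list is exactly the shape of the Google Docs worm."""
    f = set(assess_consent_request(url)["flags"])
    wants_mail = bool({"FULL_MAILBOX_ACCESS", "READS_MAIL"} & f)
    if "NOT_GOOGLE_CONSENT_PAGE" in f:
        return "deny: fake sign-in page"
    if "TOKEN_SENT_TO_THIRD_PARTY" in f and wants_mail and "READS_CONTACTS" in f:
        return "deny: third-party app wants mail and contacts"
    if f - {"TOKEN_SENT_TO_THIRD_PARTY"}:
        return "review: " + ", ".join(sorted(f))
    return "low risk"


# Constructed sample links (invented client_id values and redirect hosts).
WORM_STYLE_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=123456789012-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fgoogledocs.docscloud.invalid%2Fcallback"
    "&response_type=code"
    "&scope=https%3A%2F%2Fmail.google.com%2F+https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fcontacts"
    "&state=abc123"
)
BENIGN_LINK = (
    "https://accounts.google.com/o/oauth2/v2/auth"
    "?client_id=987654321098-example.apps.googleusercontent.com"
    "&redirect_uri=https%3A%2F%2Fapp.example.invalid%2Foauth"
    "&response_type=code"
    "&scope=https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fdrive.file"
)
FAKE_LOGIN_LINK = "https://accounts-google.signin.invalid/o/oauth2/auth?scope=openid"

if __name__ == "__main__":
    for link in (WORM_STYLE_LINK, BENIGN_LINK, FAKE_LOGIN_LINK):
        print(verdict(link), assess_consent_request(link)["flags"])
```

The benign link asks only for the `drive.file` scope, which covers files the app itself creates, so a third-party redirect there is unremarkable. The worm-style link asks for the whole mailbox plus contacts and sends the token to a host outside Google, which no document-sharing link needs. The third case is the older kind of phish, a look-alike sign-in page, where the defence is the same advice given elsewhere on this page: never type your password into a page you reached from a link.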

TIPS

Never click on links or download attachments, regardless of where they appear to originate, unless you have verified that the email is legitimate.  Because this scam works through Google’s own permission screen rather than by stealing your password, dual factor authentication would not have stopped it.  The protection is to refuse to grant any app access to your mail and contacts unless you know exactly what it is and why it needs them, and to review and remove apps you have already authorized at https://myaccount.google.com/permissions.  If you clicked “Allow” on this one, remove the “Google Docs” app there.  Dual factor authentication is still well worth enabling, because it defeats the many scams that do steal passwords: when you access your account from a computer or device you do not generally use, a special code is sent to your cell phone and must be entered along with your password.  You can sign up for Google’s dual factor authentication by clicking on this link:  https://www.google.com/landing/2step/

Scam of the day – March 4, 2017 – New York financial service company regulations go into effect

In September I first told you about the New York Department of Financial Services’ new cybersecurity rules for banks and other financial services companies doing business in New York.  The regulations come in the wake of repeated cybersecurity breaches at many banks and other financial services companies.  While the regulations set minimum standards all covered institutions must follow, they were written to encourage companies to go further and not to limit security innovation.  Among the provisions are the establishment of a chief information security officer position at each company and increased use of encryption and of dual factor authentication.  In addition, the proposed regulations carry potential criminal liability for officials of companies that do not meet the new standards.  The regulations were originally to take effect on January 1, 2017; the effective date was postponed to March 1, 2017.  Financial firms have an additional 180 days to make the changes necessary to comply before New York authorities, who have also promised a transitional period for compliance with the rules, take any enforcement action.

TIPS

While these regulations are a good start toward more secure banking, it is still important for all of us to take responsibility for our own secure banking.  First and foremost, monitor your bank accounts often for any irregularities, and turn on whatever transaction and account-change alerts your bank offers so that you learn of withdrawals and changes to your contact details promptly.  Be particularly careful when banking on your smartphone or on your computer.  Use a strong, unique password, a strong (nonsensical) security answer and multi-factor authentication whenever possible.  Here is a link to a column I wrote for USA Today with more tips on how to protect yourself when banking online or on your phone.

http://www.usatoday.com/story/money/columnist/2016/02/27/e-banking-tip-moms-maiden-name-say-grapefruit/80756330/