Scam of the day – July 11, 2015 – Charlotte McKinney topless photos hacked

In my Scam of the day for September 2, 2014 I told you about the stealing of nude photos of more than a hundred celebrities including Jennifer Lawrence, Kate Upton, Kim Kardashian and Hope Solo that were posted online.  Now it has just been reported that model/actress Charlotte McKinney who recently was a contestant on Dancing With the Stars had topless photos hacked which were then posted on Instagram  for a short period of time.    This story has two lessons.  The first is that everyone, regardless of whether or not you are a celebrity should take the steps necessary to protect the security of their photos and other data.  Although we do not yet know precisely how Ms. McKinney’s photos were hacked, it is reasonable to conjecture that they were stolen in the same manner that photos were stolen in last year’s celebrity hacking.  According to FBI records, the hacking had less to do with Apple’s iPhone and iCloud security and more to do with the celebrities falling prey to phishing emails and password resetting that enabled the hacker to gain access to the victims’ iCloud accounts and other times stealing the photos directly from the hacked phones.

In addition to stealing the photographs from Ms. McKinney, the hackers also managed to gain access to her Instagram account to temporarily post the photos before they were taken down.  Anyone who has access to your email address who is able to either guess or steal your password can gain access to your Instagram account.

Using the “forgot password” link on Apple’s iCloud, it appears in last year’s hacking in many instances, the hacker answered the security questions and was able to reset the victims’ passwords and gain access to their iCloud accounts.  In other instances, the photos were stolen directly from the victims’ smartphones which were hacked.

The second lesson is for people who may be curious about seeing the topless photos of Charlotte McKinney to be very wary of emails, text message, websites or links that promise to take you to those photos, which have already been removed from Instagram.  Trust me, you can’t trust anyone.  Identity thieves will attach malware to links that promise to provide you with the photos.  This malware will steal all of the information from your computer or smartphone and put you in danger of identity theft.  Don’t fall for this scam.

TIPS

All of us can be targets of hacking and we need to protect ourselves.  You should use a unique password for all of your accounts so if any of your accounts are hacked, the rest of your accounts are not in jeopardy.  Make sure the password is a complex password that is not able to be guessed through a brute force attack.  Check out my book “Identity Theft Alert” for advice as to how to pick a secure and easy to remember password.    Also, even if you are not a celebrity, you would be surprised how much information is online about you that can be used to come up with the answer to your security questions.  It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” for the question of  what is your mother’s maiden name.  Also, take advantage of the dual-factor identification protocols offered by Apple and many others when possible although Instagram does not offer this service.  With dual-factor identification, your password is only the starting point for accessing your account.  After you have inputted your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  Had Jennifer Lawrence and the other hacked celebrities used the dual-factor identification protocol, they would still have their privacy.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be the truth.  Smartphones save deleted photographs and videos on their cloud servers such as the Google+service for Android phones and the iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

Scam of the day – June 12, 2015 – Major breakthrough in hacking of nude celebrity photos

In my Scam of the day for September 2, 2014 I told you about the stealing of nude photos of more than a hundred celebrities including Jennifer Lawrence, Kate Upton, Kim Kardashian and Hope Solo that were posted online.  It has taken almost a year, but it appears the FBI has made a major breakthrough in the case following the execution of a search warrant of the home and computers of a Chicago man whose computers had been used to hack approximately 572 iCloud accounts.  The details of the search warrant also confirmed how the hackings were accomplished which had less to do with Apple’s security and more to do with the celebrities falling prey to phishing emails and password resetting that enabled the hacker to gain access to the victims’ iCloud accounts and other times stealing the photos directly from the hacked phones.

Using the “forgot password” link on Apple’s iCloud, it appears in many instances, the hacker answered the security questions and was able to reset the victims’ passwords and gain access to their iCloud accounts.  In other instances, the phones were hacked directly from where the photos were stolen.

TIPS

There are a number of lessons that we all can learn from how easy it was for the hacker to steal these photos.  All of us can be targets of hacking and we need to protect ourselves.  You should use a unique password for all of your accounts so if any of your accounts are hacked, the rest of your accounts are not in jeopardy.  Make sure the password is a complex password that is not able to be guessed through a brute force attack.  Check out my book “Identity Theft Alert” for advice as to how to pick a secure and easy to remember password.    Also, even if you are not a celebrity, you would be surprised how much information is online about you that can be used to come up with the answer to your security questions.  It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” for the question of  what is your mother’s maiden name.  Also, take advantage of the dual-factor identification protocols offered by Apple and many others.  With dual-factor identification, your password is only the starting point for accessing your account.  After you have inputted your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  Had Jennifer Lawrence and the other hacked celebrities used the dual-factor identification protocol, they would still have their privacy.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be the truth.  Smartphones save deleted photographs and videos on their cloud servers such as the Google+service for Android phones and the iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

Scam of the day – May 28, 2015 – Hackers steal personal information from IRS

On Tuesday, many people were surprised when the IRS announced that it was shutting down its “Get Transcript” system which enables taxpayers to get copies of their federal income tax returns from previous years.  People often use this service to get copies of earlier income tax returns for uses such as when they apply for a mortgage or financial aid for college.  The IRS shut down this service because it just became aware that vulnerabilities in the system resulted in hackers attacking the system from mid February until now posing as legitimate taxpayers and getting copies of  income tax returns which could provide information that would enable the hackers to steal the identities of their victims and file phony income tax returns in the names of their victims and claim bogus refunds.  According to the IRS, sophisticated hackers tried to hack the system 200,000 times and were successful in 104,000 of their attempts.

Although many people were surprised at this hacking, Scamicide readers were not among them because here at Scamicide, we exposed this vulnerability in our Scam of the day for April 3, 2015.  Apparently, the IRS doesn’t read Scamicide.  Maybe it should.

The problem with the system is in the authentication process used by the IRS to limit access to this information to the taxpayer who is seeking his or her own income tax returns.  In order to access the income tax returns, the system required the inquirer to provide his or her name, Social Security number, birth date, address and other personal identity verifications, such as what was your high school mascot or when you got a mortgage. The problem is that, in many instances, this information can be gathered by a diligent hacker from public data bases, social media where people provide this information to hackers, and data breaches.

TIPS

If you are one of the 104,000 people affected by this data breach, you will get a letter, not an email, from the IRS and will be offered free credit monitoring services.  These letters will not require you to provide any personal information in response.  Any communication you get that purports to be from the IRS that requests that you provide personal information is not from the IRS, but from another scammer.

A lesson for all of us is to remember to try to protect the privacy of your Social Security number as best you can.  Most identity theft starts with the identity thief obtaining and exploiting the victim’s Social Security number.  Don’t provide it to companies with which you do business unless you absolutely must do so.  Medical care providers routinely ask you to provide this, but they have no need for this and the health care industry has been among the worst in protecting its data from being hacked.

The verification process of using personal identity verification information is fundamentally flawed in today’s world.  Better systems should be used, such as dual factor authentication where a code is sent to your smartphone when you need to access an account.

Scam of the day – April 17, 2015 – Mass email service hacked

Many people may not be aware of SendGrid, but there is a good chance that you have received an email from them.  SendGrid is a mass email service that is used by 180,000 companies worldwide including Uber, Pinterest, Spotify and Foursquare when companies wish to send mass email messages to their customers, such as when a company wants to alert customers to a service update. When you receive an email from SendGrid or other such mass email services, it appears that the message is being sent by the company with which you have an account, but it actually comes from SendGrid or other mass email services.  Last week one of the companies that uses SendGrid had its SendGrid account hacked in an attempt to hack into the company’s account with Coinbase, a Bitcoin exchange.  Although the company, unnamed by SendGrid, had its account with Coinbase hacked,  according to SendGrid no Bitcoins were stolen.  Last year a similar attack aimed at stealing Bitcoins from another SendGrid client, ChunkHost was foiled because, Chunkhost used dual factor authentication, preventing the hacker from accessing the Bitcoins in Chunkhost’s account even after the hackers had managed to steal ChunkHost’s password.  More and more hackers are trying to hack into the accounts of users of mass email services such as SendGrid because it enables the hacker to make his or malware containing message appear to come from a trusted source.

TIPS

Remember my motto, “trust me, you can’t trust anyone.”  Merely because an email or text message appears legitimate or appears to come from a trusted email address is no reason to trust the message and click on links contained in the email or text message or download attachments to such emails or text messages.  The risk is too great.  Never click on links or download attachments unless you are absolutely sure that they are safe and legitimate.  Even if you are protected by the latest security software, you are still not safe because the most updated anti-malware and anti-virus software is always at least a month behind the latest malware.

Scam of the day – March 16, 2015 – Hacking group threatens Kanye West

Anonymous is the name of an association of international hackers who have been characterized by some as cyberterrorists and by others as modern day Robin Hoods.  Since 2003 they have hacked into websites and social media accounts of their adversaries, a group that includes major corporations, such as PayPal and MasterCard and Sony; government agencies of the United States and other countries as well as ISIS and child pornography sites.

Now, through a recently released  video which you can view here https://www.youtube.com/watch?v=tibphZYyODo  they have targeted Kanye West as “a direct message to our brother, Mr. West to teach him a lesson on humility, and responsibility, over his out of control hypocritical and impulsive actions.”  They went on to cite numerous examples of West’s behavior including his recent actions at the Grammy awards when he stormed the stage once again to interrupt Beck’s acceptance speech as he had done at a previous Grammy awards where Taylor Swift received an award West deemed inappropriate.  The 7 minute Anonymous video ended with “Our tolerance with your arrogant and distasteful behavior to gain attention online has reached its end.”

TIPS

In many instances for all of us, our vulnerability to having our electronic lives hacked is beyond our control because so much information that can be used to gain access to our various online accounts as well as to make us victims of identity theft is available in data banks that are accessible either legally or illegally through hacking, however, we do not have to make it easy for hackers and identity thieves.  Using strong passwords, strong security questions, dual factor authentication when possible and limiting the places as much as possible that hold our personal information can help considerably in keeping us safe.  If the celebrities whose nude photographs had used dual factor authentication, their photos would have remained secure.  Also, it is important to keep all of your electronic devices up to date with the latest anti-malware and anti-virus software.

Scam of the day – January 6, 2015 – iCloud security problem fixed

The security vulnerability with Apple’s iCloud exposed by a hacker who calls himself Prox13 about which I reported to you just the day before yesterday has been promptly fixed by Apple.  According to Prox13, the vulnerability enabled a tool called iDict to be used to hack iCloud accounts effectively avoiding both security questions and two-factor authentication.  What was unusual about this particular vulnerability was that when “white hat” hackers find out about vulnerabilities in the various computer programs we use, they generally contact the company’s directly in order to assist in the orderly remedying of the problem without alerting “black hat” hackers to the vulnerability which they, in turn would be able to exploit.  Prox13 did not appear to be interested in using the tool for bad purposes, however, he went public with his discovery rather than contact Apple directly to warn them of the problem.

TIPS

You may remember that the recent nude celebrity photo hacking dealt with iCloud, however, the fault, in those hackings was not with Apple, but rather with the individual celebrity iCloud users who did not take their own proper security precautions, such as using the very effective dual factor authentication, which would have prevented the hackers from gaining access to the celebrities photos.  This is also a good lesson to all of us to use complex passwords, strong security questions and dual factor identification whenever offered to protect our own security.

Scam of the day – January 4, 2015 – Every iCloud account in jeopardy of being hacked

A hacker using the name Prox13 has made public a tool that he says enables anyone to hack into someone else’s iCloud account.  You may remember that it was not long ago that photos of nude celebrities such as Jennifer Lawrence and Kate Upton that had been stored on iCloud were hacked and released to the public.  In the wake of that scandal, Apple set up increased security options people could use to make their accounts more secure.  The tool, which is called iDict purports to exploit a vulnerability in Apple security and is able to bypass account lockout restrictions and secondary authentication security. Apple has not confirmed that its system is vulnerable or that this tool is able to exploit such a vulnerability that may exist, but numerous tweets on Twitter have indicated that indeed the tool does work.  If indeed this report is true, all users of iCloud have reason to be concerned.

TIPS

In response to previous hackings and attempts to hack iCloud, Apple has increased security to stop brute force attacks where the hacker uses a program that guesses large numbers of passwords until it gets the correct password.  Present iCloud security blocks these kind of attacks.  Apple also has a dual factor authentication security option by which a user’s account can only be accessed after he or she has received an authentication code on their smartphone each time a user accesses his or her account.  Had this security option been used by the hackers of the celebrities involved in the celebrity nude photo hacking, their security would not have been breached.  It is a good option for everyone.  However, if indeed iDict is as effective as it is claimed to be, even this security option would not protect you.

One way that people could make their iCloud account safer until Apple finds a cure for this problem is to change the email address attached to the account to one that they use exclusively for iCloud and do not make public because any hacker would need to know the intended victim’s email address in order to hack into his or her iCloud account.