Scam of the day – October 30, 2016 – Hacker of nude celebrity photos sentenced

I first reported to you about a major hacking of nude photos of celebrities on September 2, 2014.   At that time, news of stolen nude photos and videos of more than a hundred celebrities including Jennifer Lawrence, Kate Upton, Jenny McCarthy, Rhianna, Avril Lavigne, Hayden Pannettiere, Hope Solo, Cat Deeley, Kayley Cuoco, Kim Kardashian, Scarlet Johansson and others was sweeping across the Internet. The photos were taken from  the Apple’s iCloud accounts of the hacked celebrities as well as their Gmail accounts.  A few days ago, Ryan Collins, the hacker who had pleaded guilty to the hacking the accounts was sentenced to 18 months in federal prison.

The manner by which Collins accomplished the hacking was simple but effective.  He sent spear phishing emails to his intended victims that appeared to come from Apple or Google in which under various pretenses he requested the victims’ usernames and passwords, which he then used to access their email accounts and iCloud accounts from where he stole the photos and videos.  Using the same spear phishing tactics two other unrelated hackers in Illinois and Oregon also hacked nude photos of various celebrities with both of these hackers having pleaded guilty.

TIPS

There are a number of lessons to be learned from this crime about how to protect your own security.  You should use a unique password for all of your accounts so if any of your accounts are hacked, all of your other accounts are not in jeopardy.  Make sure the password is a complex password that is not able to be guessed through a brute force attack.   Also, even if you are not a celebrity, you would be surprised how much information is online about you that can be used to come up with the answer to your security questions that can permit a hacker to gain access to your email account.  It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” for the question of  what is your mother’s maiden name.  Also, take advantage of the dual-factor identification protocols offered by Apple and many others.  With dual-factor identification, your password is only the starting point for accessing your account.  After you have inputted your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  Had Jennifer Lawrence and the other hacked celebrities used the dual-factor identification protocol, they would still have their privacy.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be the truth.  Smartphones save deleted photographs and videos on their cloud servers such as the Google+service for Android phones and the iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

It is also important to resist providing your username and passwords in response to emails and text messages unless you have absolutely independently confirmed that the request is legitimate, which such requests seldom are.

Finally, for people considering looking up these nude celebrity photos on line, my advice is simple.  Don’t do it.   Ethically, it is the wrong thing to do.  However practically speaking, it also is too risky an activity.  You cannot trust any email, text message or social media posting that promises access to these photos and videos.  Many of these will be laced with malware and you cannot know which ones to trust.  Trust me, you can’t trust anyone.  In addition, identity thieves set up phony websites that promise to provide these photos and videos, but instead install malware on your computer when you click on links in these websites.  Identity thieves are often adept at search engine optimizing so a phony website might appear high in a search from your web browser.  Merely because a website turns up high in a search engine such as Google does not mean that the website is legitimate.

Scam of the day – November 25, 2015 – Gigi Hadid being blackmailed after apparent hacking

Victoria’s Secret model, Gigi Hadid is reportedly being blackmailed by hackers who allegedly stole photographs of her  from her iCloud account and are threatening to make them public unless she pays a ransom.  Hadid has indicated that she has no intention of paying anything to the hackers.  This case brings back memories of the hacking and release of nude photos of a number of celebrities including Jennifer Lawrence, Kate Upton and Kim Kardashian in September of 2014.  Although presently it is unconfirmed whether her iCloud account actually has been hacked and, if so, how it was done, it is helpful to look back at how the celebrity iCloud accounts were hacked last year.  Using the “forgot password” link on Apple’s iCloud, it appears in many instances, the hacker answered the security questions and was able to reset the victims’ passwords and gain access to their iCloud accounts.  In other instances, the phones were hacked directly from where the photos were stolen.

TIPS

There are a number of lessons that we all can learn from how easy it was for hackers to gain access to someone’s iCloud account.  And to paraphrase Shakespeare  the fault is most often not “in the stars,” but our own responsibility.   All of us can be targets of hacking and we need to protect ourselves.  You should use a unique password for all of your accounts so if any of your accounts are hacked, the rest of your accounts are not in jeopardy.  Make sure the password is a complex password that is not able to be guessed through a brute force attack.  Check out my book “Identity Theft Alert” for advice as to how to pick a secure and easy to remember password.    Also, even if you are not a celebrity, you would be surprised how much information is available online about you that can be used to come up with the answer to your security questions.  It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” for the question of  what is your mother’s maiden name.  Also, take advantage of the dual-factor identification protocols offered by Apple and many others.  With dual-factor identification, your password is only the starting point for accessing your account.  After you have put in your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  Had Jennifer Lawrence and the other hacked celebrities used the dual-factor identification protocol last year, they would still have their privacy.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be the truth.  Smartphones save deleted photographs and videos on their cloud servers such as the Google+service for Android phones and the iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

Scam of the day – July 11, 2015 – Charlotte McKinney topless photos hacked

In my Scam of the day for September 2, 2014 I told you about the stealing of nude photos of more than a hundred celebrities including Jennifer Lawrence, Kate Upton, Kim Kardashian and Hope Solo that were posted online.  Now it has just been reported that model/actress Charlotte McKinney who recently was a contestant on Dancing With the Stars had topless photos hacked which were then posted on Instagram  for a short period of time.    This story has two lessons.  The first is that everyone, regardless of whether or not you are a celebrity should take the steps necessary to protect the security of their photos and other data.  Although we do not yet know precisely how Ms. McKinney’s photos were hacked, it is reasonable to conjecture that they were stolen in the same manner that photos were stolen in last year’s celebrity hacking.  According to FBI records, the hacking had less to do with Apple’s iPhone and iCloud security and more to do with the celebrities falling prey to phishing emails and password resetting that enabled the hacker to gain access to the victims’ iCloud accounts and other times stealing the photos directly from the hacked phones.

In addition to stealing the photographs from Ms. McKinney, the hackers also managed to gain access to her Instagram account to temporarily post the photos before they were taken down.  Anyone who has access to your email address who is able to either guess or steal your password can gain access to your Instagram account.

Using the “forgot password” link on Apple’s iCloud, it appears in last year’s hacking in many instances, the hacker answered the security questions and was able to reset the victims’ passwords and gain access to their iCloud accounts.  In other instances, the photos were stolen directly from the victims’ smartphones which were hacked.

The second lesson is for people who may be curious about seeing the topless photos of Charlotte McKinney to be very wary of emails, text message, websites or links that promise to take you to those photos, which have already been removed from Instagram.  Trust me, you can’t trust anyone.  Identity thieves will attach malware to links that promise to provide you with the photos.  This malware will steal all of the information from your computer or smartphone and put you in danger of identity theft.  Don’t fall for this scam.

TIPS

All of us can be targets of hacking and we need to protect ourselves.  You should use a unique password for all of your accounts so if any of your accounts are hacked, the rest of your accounts are not in jeopardy.  Make sure the password is a complex password that is not able to be guessed through a brute force attack.  Check out my book “Identity Theft Alert” for advice as to how to pick a secure and easy to remember password.    Also, even if you are not a celebrity, you would be surprised how much information is online about you that can be used to come up with the answer to your security questions.  It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” for the question of  what is your mother’s maiden name.  Also, take advantage of the dual-factor identification protocols offered by Apple and many others when possible although Instagram does not offer this service.  With dual-factor identification, your password is only the starting point for accessing your account.  After you have inputted your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account.  Had Jennifer Lawrence and the other hacked celebrities used the dual-factor identification protocol, they would still have their privacy.  It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be the truth.  Smartphones save deleted photographs and videos on their cloud servers such as the Google+service for Android phones and the iCloud for iPhones.  However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

Scam of the day – October 18, 2014 – Was Dropbox hacked?

Dropbox is a popular service that enables you to store photos, documents and other information in the cloud.  Hackers are claiming that they stole close to 7 million Dropbox usernames and passwords and have posted some of these on Black market websites offering to post more in exchange for bitcoins, the untraceable digital currency.  According to Dropbox, however, the company has not been hacked.   Dropbox says that because people often use the same username and password for multiple accounts, that information was stolen from other, less secure companies and attempted to be used on Dropbox.  According to a Dropbox spokesman, “These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts.  We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now.  All other remaining passwords have been expired as well.”

TIPS

This is another example of why it is a good practice to have separate distinct passwords and usernames for all of your accounts so that if one company where you have your information is hacked, your other accounts are not endangered.  In addition, as always, if the company with which you are dealing provides for dual factor identification, you should take advantage of this to provide added security so that you would not be in danger of having your account taken over even if someone managed to get your username and password.  Dropbox provides for dual factor identification.  If you use Dropbox and haven’t yet added dual factor identification, here is a link to enable you to set it up for your account. https://blog.dropbox.com/2014/10/have-you-enabled-two-step-verification/

Scam of the day – October 5, 2014 – More banks hacked by suspected hackers of J.P. Morgan Chase

With news of the massive data breach at J.P. Morgan Chase in which names, addresses, phone numbers and email addresses of 76 million households and 7 million small businesses were stolen by what appears to be Russian hackers who may or may not be affiliated with the Russian government dominating the news, it seems perfectly appropriate to wish you a happy National Cybersecurity Awareness month.  As frightening as the spectre of a major American bank being vulnerable to vulnerable to such a massive data breach, you may remember that when the story broke last August of the possible data breach at J.P. Morgan Chase, reports were that there were as many as four other banks that had similarly been hacked.  Now, according to a report in the New York Times, that number is actually risen to nine other major financial institutions that may have suffered data breaches at the hands of the same hackers.  Therefore even if you are not a customer of J.P. Morgan Chase, you should be extra vigilant in regard to all of your financial accounts.

TIPS

Now is the time to implement a eight step approach to protecting yourself from identity theft and data breaches.  The first step is to change your password regularly, such as every six months.  A good password has a mixture of capital letters, small letters, symbols and digits.  Don’t use any word in the dictionary because hackers have computer programs that can guess your password. Instead use a phrase, such as IHate2UsePasswords!!.  This is a very secure password.  You should also have a separate and distinct password for each of your accounts, but you can merely adapt this basic password by adding a couple of distinguishing letters for each account.  For example, you could make this your Amazon password by adding the letters “Am” at the end of your basic password so it reads IHate2UsePasswords!!Am.  This is easy to remember.

You should also use dual factor authentication on your accounts when available.  Dual factor identification provides you with an extra level of security by which more than a password is necessary to gain access to your account.  Generally, when you log in through your password to an account a code is then sent to your smartphone which you then must input in order to access your account.

You also should change the answer to your security question to something completely nonsensical.  Answering a security question is required if you forget your password or if you want to change your password.  Unfortunately the answers to common security questions, such as your mother’s maiden name can be found with a little effort by an identity thief in the many places on the Internet that store personal information.  So instead of the answer to your mother’s maiden name being “Jones,” change it to “Grapefruit.”  No identity thief will find it or guess it and it is silly enough for you to remember.

Don’t click on links or download attachments in any email, text message or social media posting unless you have absolutely confirmed that it is legitimate.  Identity thieves and hackers lure people into clicking on links in such communications that results in the victims downloading keystroke logging malware that can steal all of the information from your computer.

Don’t provide personal information over the phone to anyone whom you have not called.  You can never be sure if the person calling you is legitimate regardless of how compelling the reason he or she gives for you to provide personal information.  Don’t rely on your Caller ID because through a technique called “spoofing” an identity thief can make it appear that his or her call is from the IRS, your bank or some other legitimate entity.  If you think the call may be legitimate, hang up and call the company or agency at a number that you know is real, not the number the caller gives you.

Review all of your accounts regularly and carefully to note the smallest charge that should not be there.  Sometimes identity thieves will put regular reoccurring charges on your credit card or phone bill in the hope that you will not bother to look further into it because the charge is so small.  The earlier you catch identity theft, the easier it is to deal with.

Check your credit report from each of the three major credit reporting agencies every year for evidence of fraud or even mistakes that need to be corrected.  Here is the link to the only official place to get your free credit report https://www.annualcreditreport.com/index.action

Put a credit freeze on your credit report so that even if an identity thief obtains your Social Security number, he or she cannot gain access to your credit report.  Yesterday’s Scam of the day contains the links to the credit reporting agencies to use to freeze your credit.