Scam of the day – July 25, 2017 – Online courses for credit card criminals

Online courses are extremely popular in traditional educational settings.  I know this from personal experience as a college professor who teaches courses online in addition to my more conventional classes taught to students in the classroom.  Online courses are now even becoming popular among criminals and scammers.  The security company Digital Shadows is reporting on Russian criminals who are teaching an online course in how to make money through credit card fraud.  The course is a six-week course consisting of twenty lectures of between one and two hours each.  Tuition is approximately $750, payable in Bitcoins or other electronic currencies.  In addition to tuition, the students are required to pay an additional $200 in electronic currency for course materials.

The course is taught only in Russian and promises that it can teach aspiring criminals how to make as much as twelve thousand dollars per month. The course provides information about where to get stolen credit card information, how to use it to buy goods as well as how to sell the goods and launder the money.

TIPS

The course material is very instructive to all of us as consumers as to how we can more safely use our credit cards.  One important lesson is to use your EMV chip credit card whenever possible as well as to use cards with stronger authentication protocols when buying online.  The course is also a reminder that we should refrain from using our debit cards for retail purchases because the consumer protection laws involved with debit cards are not nearly as strong as those regarding credit cards.  Finally, in the section of the course dealing with laundering money, the course teaches students to hire people desiring to work at home to reship goods purchased through stolen credit cards as part of the money laundering process.  This serves as a strong warning to people to avoid becoming an accomplice to these crimes by getting involved with this type of employment.

 

Scam of the day – May 28, 2017 – Chipotle data breach update

Today’s scam of the day is an update of the Scam of the day from April 28th when I first wrote about the data breach at Chipotle Mexican Grill. After  a series of food safety problems in 2015, the Chipotle Mexican Grill restaurant chain had recently regained sales, but that could change with the announcement by the company that it had suffered a data breach affecting most of its 2,550 restaurants between March 24th and April 18th. Following an all too predictable pattern, the data breach came about as a result of malware that stole credit card and debit card information from Chipotle’s card processors.  This in great part is due to the fact that Chipotle has still not updated its credit card processing equipment to handle the more secure chip credit cards as required by industry regulations.

Here is a link to Chipotle’s updated official announcement about the data breach.  If you ate at a Chipotle restaurant during the relevant period, the announcement also provides a link that will tell you whether the particular restaurant you went to was affected by the data breach: https://www.chipotle.com/security

TIPS

As consumers the best thing you can do is to use your EMV chip card whenever possible.  Unfortunately, Chipotle is just one of many retail establishments that still have not updated their credit card and debit card processing equipment to use EMV chip cards.  For further personal protection, don’t use your debit card for retail purchases because the protection from liability that you get regarding fraudulent use of a debit card is not as strong as the liability protection you get when using a credit card. In addition, even if you report fraudulent use of your debit card immediately to your bank, your bank account to which the card is tied will be frozen and inaccessible to you while the bank investigates the matter.

If you were a customer of Chipotle’s during the affected period, it is a good idea to carefully monitor the charges on your credit card for indications of fraudulent use.

Scam of the day – December 15, 2016 – Deadline for EMV chip cards at gas pumps delayed

MasterCard and Visa recently announced that the deadline for the installation of EMV chip card readers on gas pumps is being delayed three years to October 1, 2020.  Credit card rules required retailers to install new EMV smart chip credit card equipment to process these cards by October 1, 2015 in order for the retailer to avoid liability.  Wider implementation of the use of EMV chip cards at retailers has resulted in a dramatic reduction in data breaches and credit card fraud at retailers using this equipment.  However, the deadline for the installation of EMV chip card readers at gas pumps was originally scheduled for October 1, 2017.  Now it is being delayed three years.  Around the country there has been an increase in the use of skimmers installed by criminals at gas pumps.  Skimmers are small electronic devices that are easily installed by an identity thief on gas pumps, ATMs and other card reading devices.  The skimmer steals all of the information from the credit card or debit card used.  When the skimmer is used on a debit card, the identity thief can use that information to access the victim’s bank account.  If a credit card is used, the identity thief can use the stolen information to access the victim’s credit card account.  Each skimmer can hold information on as many as 2,400 cards.

TIPS

Always look for signs of tampering on any machine you use to swipe your credit card or debit card.  If the card inserting mechanism appears loose or in any other way tampered with, don’t use it.  Debit cards, when compromised through a skimmer, put customers at risk of having the bank accounts tied to their cards entirely emptied if the theft is not promptly reported.  Even if the victim reports the theft immediately, the victim loses access to the bank account while the matter is investigated by the bank.  Skimmers at ATMs are often coupled with a thin, clear electronic device that goes on top of the keyboard to capture the victim’s PIN, which enables the identity thief to access the account of the victim whose account number was captured through the skimmer.  Debit cards should not be used for purchases at gas pumps or for other retail purchases because the legal liability laws related to stolen debit card information are not as protective to consumers as the laws relating to fraudulent credit card use.  Although the deadline for installation of EMV chip card readers in ATMs passed in October, few ATMs have made the switch to EMV chip card equipment.

Scam of the day – December 5, 2016 – Online credit card fraud increasing

Anti-fraud company Iovation is reporting that credit card fraud for online shopping during the first shopping weekend of the holiday shopping season that began on November 25th increased by 20% over last year and 34% over 2014.  This is not surprising because safer EMV credit cards, whose chip issues a new authorizing code every time the card is used, cannot use the chip capability when shopping online.  This leaves them more vulnerable to hackers who obtain the victim’s credit card number, which can then be used by the criminal for online purchases.  People may become victims of this type of identity theft through security weaknesses either in their own devices or at websites where they shop.

TIPS

This year 55% of online shoppers used their smartphones and other portable devices to make their online purchases.  While many people have security software installed and regularly updated on their computers, many do not take the same type of precautions with their smartphones or other portable devices, leaving them in greater danger of being hacked.  The key is to protect all of your devices with security software and keep it updated to protect you from the latest strains of malware as well as to prevent the malware from ever being installed on your devices.  The best thing you can do to prevent the malware from becoming installed on your devices is to never click on links in emails or text messages unless you have absolutely confirmed that the communication and the link are genuine.  Clicking on tainted links in specifically tailored spear phishing emails and text messages is still the most common method by which malware is spread.

It is also important when shopping online to use your credit card rather than your debit card.  The consumer protection laws are stronger in regard to credit cards than debit cards and the inconvenience of having your debit card hacked is much greater than the problems you encounter when your credit card is hacked.

Scam of the day – November 25, 2016 – Holiday scams

Today is Black Friday, one of the biggest shopping days of the year and the kickoff to the 2016 holiday shopping season.  Many scammers attempt to turn our holiday awareness to their advantage.  Their scams include malware contaminated e-cards, phony charitable solicitations and, of course, a myriad of shopping related scams.  Over the next few weeks, I will be warning you about these scams and telling you what you can do to protect yourselves.

TIPS

For those people shopping in the malls and stores around the country today, remember to use your credit card  instead of your debit card. While federal law limits the amount for which you are liable when fraudulent charges are made using your credit card to no more than $50, with a debit card, if you do not recognize that your account has been compromised right away, the identity thief could potentially empty the entire bank account tied to your debit card.  In addition, even if you do notice the fraudulent use immediately, your account will be frozen while the bank does its investigation into the matter, thereby limiting your access to your funds.

Also, if you are using your credit card in a store that is not equipped to take the EMV chip credit card, be on the lookout for skimmers, which are small devices that a criminal uses to steal your credit card information by swiping the card through a portable skimmer before running it through the store’s credit card processing equipment.  In addition, some skimmers are surreptitiously installed on the credit card equipment of the stores and other times, the store’s processing equipment has been hacked to steal this information as your card is being processed. Keep an eye on your credit card every minute that the clerk has it in his or her possession to make sure that he or she only swipes it through the store’s credit card processor and doesn’t do that extra swipe through a skimmer.  Also, check your credit card account balance periodically online to detect if there have been any security breaches.  Don’t wait for your monthly statement.

Scam of the day – October 13, 2016 – Vera Bradley stores hacked

Luggage and handbag manufacturer Vera Bradley announced yesterday that its retail stores suffered a data breach in which credit card numbers, customer names, card expiration dates and verification codes for customers who used credit and debit cards at its stores between July 25th and September 23rd were stolen by criminals who hacked into the company’s payment processing equipment.  Vera Bradley was notified of the data breach by law enforcement on September 15th.  Generally, breaches like this are discovered in one of two ways: either a pattern among stolen credit cards being sold on the Dark Web, where criminals buy and sell stolen credit cards, indicates a common source, or the card issuing banks notice a pattern of fraudulent use traceable back to a single common denominator, namely that the victims all shopped at a particular store.  Vera Bradley could have avoided this data breach had it switched over to EMV chip cards instead of continuing to use the old-style magnetic strip credit cards which are so much more susceptible to theft through data breaches.

Unlike most companies that suffer such data breaches, Vera Bradley is not offering free credit monitoring at this time.

TIPS

If you were a customer at a Vera Bradley store between July 25th and September 23rd, you should go online right away to monitor use of your credit card or debit card.  It is a good policy not to use your debit card for retail purchases because you have less protection under the law for unauthorized use.  Further, even if you report fraudulent use of your debit card immediately to your bank, your bank account to which the card is tied will be frozen and inaccessible to you while the bank investigates the matter.  Use your EMV chip card whenever possible and even if you were not a shopper at Vera Bradley, you should regularly monitor your credit card statement online so that you can discover any fraudulent use early.  Finally, be wary of any emails or text messages you may get that appear to be from Vera Bradley that require you to provide personal information.  Scammers often take advantage of data breaches such as this to send phishing emails to lure people into providing personal information they can use to make you a victim of identity theft.

For more information about Vera Bradley, you can go directly to its website at http://www.verabradley.com/

Scam of the day – July 8, 2016 – Wendy’s suffers another data breach

Fast food hamburger chain Wendy’s announced in February that it had discovered “reports of unusual activity involving payment cards” at some of its restaurants and was investigating the matter in order to determine the full extent of the apparent data breach.  It later announced in May that it indeed had been hacked and that credit and debit card numbers, expiration dates and other card information had been stolen.  Then on June 9th, Wendy’s announced that it had discovered another separate hacking and data breach that had been going on since the Fall of 2015 and that managed to steal credit card and debit card numbers, but not names, of affected customers from 1,025 Wendy’s franchises in the United States.  Wendy’s has posted an interactive website where you can input the state and city or town of the Wendy’s franchise you may have gone to during the last year and it will tell you if it was one of the restaurants affected by the data breach.  Here is the link to the interactive website: https://payment.wendys.com/paymentcardcheck.html

Wendy’s still uses the old fashioned magnetic strip credit cards which are much easier targets for hackers than the EMV chip cards which have been required to be used by companies since October of 2015.  The rules requiring companies to switch to the new smart cards carry no specific penalty, but in the event of a data breach they can make a company that is not using the EMV chip cards responsible for the costs of fraudulent use of stolen card information.  It should also be noted that although October 1, 2015 was the deadline for retailers to switch to EMV smart card processing for credit cards and debit cards to avoid liability in the event of a data breach, the deadline for ATMs and gas station pumps to switch to the EMV smart cards is not until October 1, 2017.

TIPS

As consumers the best thing we can do is to use our EMV chip cards whenever possible.  Stores such as Walmart and Target have switched to the new cards.  If you have not yet received a new EMV chip card from your credit card company, contact them and get one as soon as possible.  It still is a good idea to not use your debit card for retail purchases because the protection from liability that you get regarding fraudulent use of a debit card is not as strong as the liability protection you get when using a credit card. Further, even if you report fraudulent use of your debit card immediately to your bank, your bank account to which the card is tied will be frozen and inaccessible to you while the bank investigates the matter.

If you were a customer of Wendy’s since 2015, it is a good idea to carefully monitor the charges on your credit card for indications of fraudulent use.  Wendy’s is offering affected customers fraud consultation and identity restoration services for a year at no cost.  For instructions as to how to enroll for those services, you should call Wendy’s at 866-0845.

It is also important to note that Wendy’s will not be contacting customers to tell them about this program and will absolutely not be contacting you requesting personal information, such as your credit card number so if you receive a call, text message or email purporting to be from Wendy’s asking for such personal information, you should not provide any such information because it is a scam.

Scam of the day – June 4, 2016 – New EMV chip card scams

Although October 1, 2015 was the deadline for retailers and credit card issuing companies to switch over to using the new EMV credit cards containing a computer chip that creates and encrypts a new number every time the card is used, a recent study shows that 30% of Americans still don’t have an EMV chip enabled card.  Ingenious scam artists, the only criminals we refer to as artists, are taking advantage of the situation by contacting people by email posing as their credit card company and prompting them to either provide personal information in response to the email or click on a link in the email in order to update their account to get a new smart EMV chip card.  If you provide personal information to the scammer, you will end up becoming a victim of identity theft.  If you click on the link, you may also download keystroke logging malware that will steal your information from your computer or smartphone and use it to make you a victim of identity theft.

But individual consumers are not the only ones being targeted by EMV chip card scams.  Merchants are also being contacted by phone by scammers posing as employees of MasterCard or Visa who tell the merchant that the merchant’s credit card processing equipment is not compatible with the latest changes to the credit card processing requirements necessary to use the EMV chip cards, but that the credit card processing equipment can be reprogrammed at no cost to the merchant to bring it into compliance.  However, if the merchant cooperates with the reprogramming of the credit card processing equipment what will happen is that each transaction will be redirected to an account of the scammer, which results in double billing to the consumer and major problems for the merchant.

TIPS

So how do you know as a consumer if you receive an email purporting to be from your credit card company that it is legitimate?

First check the address of the email sender.  If it appears to come from someone or some company wholly unrelated to your credit card issuer, it is a scam.  Many scammers use hijacked email accounts that become a part of a network of controlled computers referred to as a botnet to send out their emails so that it is difficult to trace the scams back to the scammer.

Merely because the email appears legitimate, is written in proper English and even carries the logo of your credit card company does not mean that it is legitimate.  It is easy to copy the logo of a company on to an email.  If you get an email from your real credit card company it will generally be addressed to you specifically by name rather than a generic greeting of “Dear Cardholder.”  In addition, the email to you will generally reference your account by including the last four digits of your account.  However, even paranoids have enemies so if you do get an email that appears legitimate, but you still have concerns, merely call the company at the number found on the back of your credit card to confirm that the email is legitimate.
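The checks described above (the sender's address, a greeting by name, and a reference to the last four digits of the account) can be written as a short Python routine. This is an added example and not part of the original post; the domain examplebank.example, the cardholder name, the card digits and both sample messages are constructed for illustration, and the generic greetings other than "Dear Cardholder" are assumptions.

```python
from email import message_from_string
from email.utils import parseaddr

# "Dear Cardholder" is the greeting named in the post; the others are assumed.
GENERIC_GREETINGS = ("dear cardholder", "dear customer", "dear member")

def sender_domain(msg):
    """Domain of the real From address, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()

def domain_matches(domain, issuer_domains):
    """True only for the issuer's domain or one of its subdomains."""
    return any(domain == d or domain.endswith("." + d) for d in issuer_domains)

def body_text(msg):
    """Plain-text body of a simple or multipart message."""
    if msg.is_multipart():
        parts = [p for p in msg.walk() if p.get_content_type() == "text/plain"]
        return "\n".join(p.get_payload() for p in parts)
    return msg.get_payload()

def review_email(raw, issuer_domains, cardholder_name, last_four):
    """Return the warning signs found; an empty list is not proof of legitimacy."""
    msg = message_from_string(raw)
    body = body_text(msg)
    lowered = body.lower()
    findings = []
    if not domain_matches(sender_domain(msg), issuer_domains):
        findings.append("sender-domain-unrelated")
    if (any(g in lowered for g in GENERIC_GREETINGS)
            or cardholder_name.lower() not in lowered):
        findings.append("generic-greeting")
    if last_four not in body:
        findings.append("no-last-four")
    return findings

# Constructed sample: the display name imitates the issuer, the address does not.
PHISH = """\
From: "Example Bank Card Services" <update@mail-notices.test>
Subject: Update your account to receive your new EMV chip card

Dear Cardholder,
Click the link below to update your account and get your new chip card.
"""

# Constructed sample that passes all three checks.
PLAUSIBLE = """\
From: Example Bank <alerts@cards.examplebank.example>
Subject: Your new chip card

Dear Pat Smith,
The new chip card for your account ending in 4821 has shipped.
"""

if __name__ == "__main__":
    issuer = {"examplebank.example"}
    print(review_email(PHISH, issuer, "Pat Smith", "4821"))
    print(review_email(PLAUSIBLE, issuer, "Pat Smith", "4821"))
```

An empty result only means none of these warning signs were found, because the From header itself can be forged; calling the number on the back of the card remains the final check.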

As for merchants, you cannot trust a phone call purporting to be from your credit card processing company even if your Caller ID indicates that the call is from MasterCard or Visa.  Caller ID can be tricked through a technique called “spoofing” to make a scammer’s call appear to be legitimate.  Never provide sensitive information to anyone over the phone who calls you unless you have verified that the call is legitimate.  In the case of a call from your credit card processing company telling you to reprogram your credit card terminals, you should hang up and call your credit card processing company at a telephone number that you know is legitimate in order to determine whether the original call was a scam.