Scam of the day – May 27, 2017 – Target pays $18.5 Million to 47 states to settle security breach claims

Many people trace the era of major data breaches by hackers to the massive data breach at Target during the holiday shopping season of 2013. Credit card and debit card data on approximately 40 million Target customers was stolen as well as other information including email addresses of approximately 70 million Target customers.

Recently 47 states and the District of Columbia settled civil charges against Target related to the data breach, with Target agreeing to pay a total of 18.5 million dollars to be divided among these states and the District of Columbia. California will receive 1.4 million dollars, which is the largest amount that any state will receive.  None of this money is to be returned to consumers.

This settlement is very significant because it is part of an escalating trend of companies whose negligence leads to data breaches being held responsible for the harm caused to consumers.

Pursuant to the settlement, Target will implement a comprehensive security program which will include the use of whitelisting analytic software that helps prevent unauthorized malware programs from being downloaded, segmenting of credit card information from other parts of Target’s computer networks and increased use of encryption.

TIPS

This is a very positive step and, having reviewed in detail the security requirements that Target will be required to implement, I believe these provide a good guide for other companies to use to enhance their data security.

As for all of us as consumers, the best thing we can do is to refrain from using our debit cards for any use other than as an ATM card, because the laws protecting us from unauthorized use of debit cards are not as strong as those protecting us from unauthorized use of credit cards.  In addition, whenever possible use your credit card as a chip card rather than as a magnetic stripe card for increased security.

Scam of the day – May 19, 2017 – WiFi networks at Mar-a-Lago vulnerable

A recent report by ProPublica and Gizmodo has found security vulnerabilities in the WiFi networks at Mar-a-Lago, the resort often visited by President Trump, as well as at a number of other Trump destinations including the Trump National Golf Club in New Jersey, Trump International Hotel in Washington D.C. and Trump National Golf Club in Virginia.  According to the report, “Our inspections found weak and open WiFi networks, wireless printers without passwords, servers with outdated and vulnerable software and unencrypted login pages to back-end databases containing sensitive information.”  As would be expected, the White House is not commenting on this report other than to indicate that these locations follow cybersecurity best practices.  The important lesson for us all is a reminder that public WiFi is never secure; with some precautions, however, it can be made safer.

TIPS

Whatever electronic device you are using to connect to a WiFi network, whether it is a computer, laptop, tablet or smartphone, should be equipped with security software.  In addition, you should use encryption software so that your communications are encoded.  You also should go to your settings and turn off sharing.  In addition, you should make sure that your firewall is current and turned on.  Finally, and perhaps most importantly, you should consider using a Virtual Private Network (VPN), which enables you to send your communications through a separate and secure private network even while you are on a public network.

Scam of the day – March 4, 2017 – New York financial service company regulations go into effect

In September I first told you about the New York Department of Financial Services new cybersecurity rules for banks and financial services companies doing business in New York. These regulations come in the wake of repeated cybersecurity breaches at many banks and other financial services companies.  While the regulations set minimal standards all institutions must follow, the regulations were written in a manner to encourage companies to go further and not limit security innovation. Among the provisions of the regulations are the establishment of the position of chief information security officer at each company as well as increased use of encryption and dual factor authentication.  In addition, the proposed regulations also carry potential criminal liability for officials of companies not meeting the new standards.  The regulations were originally to go into effect on January 1, 2017, however the effective date was postponed until March 1, 2017.  Financial firms have an additional 180 days to make the changes necessary to comply with the regulations before any enforcement actions will be taken by New York authorities who have also promised a transitional period for compliance with the rules.

TIPS

While these regulations are a good start toward more secure banking, it is still important for all of us to take responsibility for our own secure banking.  First and foremost you should monitor your bank accounts often for indications of any irregularities.  You should be particularly careful when banking with your smartphone or on your computer.  Use a strong password, strong security question and multi factor authentication whenever possible.  Here is a link to a column which I wrote for USA Today with more tips on how to protect yourself when banking online or on your phone.

http://www.usatoday.com/story/money/columnist/2016/02/27/e-banking-tip-moms-maiden-name-say-grapefruit/80756330/

Scam of the day – November 26, 2016 – Naval records at Hewlett Packard hacked

In an all too familiar story, it has just been disclosed that personal information including names and Social Security numbers of 134,386 present and former Navy employees was compromised in a hacking of a laptop of a Hewlett Packard employee.  Hewlett Packard had this information through a contract on which it was working for the U.S. Navy.  Further details of the hacking have not been released, but the fact that such a hacking occurred leads to concerns that the pattern established years ago in the hacking of NASA laptops, in which the laptops were not password protected and the data contained therein was unencrypted, is repeating itself.

TIPS

The continuing negligence of many companies and government agencies in not properly protecting sensitive personal data that can readily be used for purposes of identity theft is disappointing and startling.  There are many simple security steps that are easily taken, such as password protecting laptops and other electronic devices as well as encrypting sensitive data and the use and updating of security software that should be done by all companies and government agencies without exception.

The lesson, however, is one that we should also practice in our own lives.  We as individuals are regularly targeted by identity thieves, so all of us should protect each of our electronic devices with a unique password, encrypt sensitive data stored in the cloud or on a portable hard drive, use dual factor authentication whenever possible, install and update security software on all of our electronic devices and refrain from clicking on links in emails or text messages unless we have absolutely confirmed that they are legitimate.  These are just a few of the simple protocols we should all follow to decrease the chances of our becoming victims of identity theft.

Scam of the day – September 28, 2016 – Apple iOS 10 vulnerable to hacking

The Russian security firm Elcomsoft has discovered a major security flaw in the iOS 10 used to operate Apple’s iPhones that enables hackers to more readily get through the iPhone’s security system and access data stored on a PC or Mac computer.  This is a significant security flaw and Apple has acknowledged its existence and is busy working on a solution.  As soon as a security update for the iOS 10 is released, I will report on it to you.

TIPS

Meanwhile if you have an iPhone using the iOS 10 operating system, you should make sure your PC or Mac where you store data from your phone is protected with a strong and unique password.  You should also encrypt all of the data stored on your computer to further protect its security.

Scam of the day – September 24, 2016 – Massive Yahoo data breach

Today’s Scam of the day will be a bit longer than usual, but the added length is necessary to discuss the recent announcement of the massive data breach at Yahoo affecting as many as five hundred million people, making it the largest data breach in history.   Yesterday, Yahoo announced that it had been the victim of a data breach that began two years ago.  Yahoo has attributed the attack to what it called a “state-sponsored actor” and indicated that the compromised information included names, email addresses, telephone numbers, birth dates, encrypted passwords and security questions.  The good news is that no bank account, credit card or debit card information appears to have been involved in the data breach.  However, the information that was stolen is more than sufficient to be utilized for spear phishing emails specifically tailored for purposes of identity theft.

The first indication that there was a problem occurred in June when word of stolen Yahoo data started to be discussed in online forums on the Dark Web where cybercriminals communicate as well as buy and sell stolen data.  Later, in August large batches of stolen Yahoo customers’ data began being sold on a black market website on the Dark Web called TheRealDeal.  Now that the data breach has been confirmed, Yahoo is contacting affected customers, however it is important to remember that scammers are going to also be contacting people through phishing emails attempting to lure people into clicking on links that will download keystroke logging malware that will steal information to be used for purposes of identity theft or to trick people into providing personal information directly in response to the email. Official Yahoo emails will display the Yahoo icon and will not ask you to click on links, download attachments or provide personal information.

TIPS

As I have suggested many times in the past, you should have a unique password for each of your online accounts so that in the event of a data breach at one online company with which you do business, your accounts at your bank and other online accounts are not in jeopardy.  Although Yahoo has indicated that the passwords stolen were hashed, which is a form of encryption, there is still concern that these passwords could still be cracked.  Go to the June 7, 2016 Scam of the day for tips about how to pick strong passwords that are easy to remember.

This is also a good time to check your credit reports with each of the three major credit reporting agencies for indications that your identity may have been compromised. You can get your free credit reports by going to www.annualcreditreport.com.  Beware of going to other sites that appear to offer free credit reports, but actually sign you up for costly services.  And while you are at it, you should consider putting a credit freeze on your credit reports at each of the three major credit reporting agencies so that even if an identity thief does manage to steal your personal information, he or she cannot access your credit report to open new accounts.  For more information about credit freezes and links on how to set them up go to the Scam of the day for June 27, 2016.

Whenever possible use dual factor authentication for your accounts so that when you attempt to log in, a one-time code will be sent to your smartphone, which you then enter in order to get access to your account.  For convenience sake you can set up dual factor authentication so that it is only required if you are logging in from a different computer or device than you normally use.

Security questions are notoriously insecure.  Information such as your mother’s maiden name, which is the topic of a common security question can be readily obtained by identity thieves.  The simple way to make your security question strong is to use a nonsensical answer for the question, so make something like “firetruck” the answer to the security question as to your mother’s maiden name.

As always, don’t click on links or download attachments in any email or text message you get unless you have absolutely confirmed that it is legitimate.  Any email you may get purporting to be from Yahoo will not contain links or attachments and will not ask you to provide personal information.  For help directly from Yahoo on this matter go to https://help.yahoo.com/kb/helpcentral

Since you can never be sure if a company is going to be subjected to a data breach, try and limit the personal information you provide to all companies.  Don’t leave your credit card number on file for convenience sake and don’t provide your Social Security number unless you absolutely must do so.  Many companies ask for this information although they have no real need for it.

As for the companies themselves, they should be utilizing encryption to protect stored data as well as utilizing modern analytics programs that can detect unusual activity.

Scam of the day – August 18, 2016 – Major data breach at health care provider

Recently a Ukrainian hacking group called “Pravyy Sector” managed to hack into the server of the Central Ohio Urology Group, which includes twenty-four clinics, and posted online literally hundreds of thousands of files that included massive amounts of personal information that could be exploited for identity theft and other illegal purposes.  While you may not be a patient of Central Ohio Urology Group and therefore may not consider this to be a serious matter, it is very serious because it is just another example of the pervasive lack of security in the health care industry.

As I warned everyone in my USA Today column in which I made my cyberpredictions for 2015, the health care industry is tremendously vulnerable to data breaches and we can expect these data breaches to continue.  Here is a link to that column.  http://www.usatoday.com/story/money/personalfinance/2014/12/20/cyber-hack-data-breach/20601043/

An audit of health care companies and insurers showed that more than 81% of these companies have suffered a data breach in the last two years alone and that number only relates to the data breaches that have been discovered.  There may have been more that remain undiscovered.   The health care industry is the perfect storm for data breaches.  It is a highly digitized industry that has massive amounts of personal information that it shares with numerous offices and institutions and yet has not, in many instances instituted the necessary security precautions to protect the information stored.

The potential consequences of medical company data breaches can be tremendous to affected individuals.  The medical records of an identity thief accessing your medical insurance can become intermingled with your medical records such that you can mistakenly receive improper treatment, such as a potentially deadly blood transfusion of the wrong blood type.  Other information such as your Social Security number which may be stored by a health care provider can be stolen and used for purposes of more traditional identity theft. Finally, the vulnerability of the computer systems of health care providers has made them prime targets for successful ransomware attacks.

TIPS

The health care industry has got to recognize that it is a prime target of hackers and identity thieves.  Encryption of all data should be the rule and not the exception for health care providers.  Authentication for access to records, both on-site and particularly off-site, should be strengthened.  As for us as the patients, we should limit the amount of personal information given to health care providers if they do not have a need for it.  Health care providers do not need our Social Security numbers.  Don’t give them out.  We also should demand that they institute better data security measures.

Scam of the day – July 26, 2016 – Real estate closing scam

On January 20th’s Scam of the day, I first told you about an intricate email scam targeting people involved in the sales of residential real estate that has increased over the past year both in the United States and the UK.  I mention it again today because of recent reports of this scam occurring in the small town of Dewey, Oklahoma, where Lacey Monday became a victim of the scam.  The scam begins with the hacking into the email account of one of the parties involved with a residential real estate conveyance.  This can be either the buyer, seller, lawyers, title company, real estate agent or banker.  In Lacey Monday’s case it was her title company whose email was hacked.  Unfortunately, hacking into email accounts is a relatively easy thing for a skilled identity thief to do.  The hackers then monitor the communications regarding the progress of the sale of a particular piece of real estate and when the time is right, generally posing as one of the lawyers, title company or bank mortgage officer, the scammer will email the buyer, telling him or her that funds necessary to complete the sale need to be wired to the phony lawyer’s, title company’s or banker’s account provided in the email.  Everything appears normal, so unsuspecting buyers too often wire the money to the cyberthieves, who then move the funds from account to account to make them difficult to trace.  In Lacey Monday’s case, she lost $25,000 to this scam.  The fact that this scam can occur in small towns as well as large cities shows how these types of scams are a threat to you regardless of where you live.

TIPS

Even if you are not involved in buying or selling a home, it is always a good idea to protect your email account from being hacked.  This means having a strong password and security question.  You can find information about how to pick strong passwords and security questions here in the Scamicide archives as well as in my book “Identity Theft Alert.”  Maintain good anti-virus and anti-malware software on all of your electronic devices including your computer as well as your smartphone and keep your security software up to date with the latest security patches as soon as they are made available.  Don’t click on links in emails or text messages that may contain malware that can steal your personal information from your electronic devices and remember, your security software is always at least thirty days behind the latest malware.

Don’t use public wifi for any financial or business purposes.  Use a virtual private network to encrypt your data when using your electronic devices in public.  Never provide personal information in response to an email regardless of how legitimate it may appear until you have independently confirmed that the email is legitimate.  Finally, whenever you are asked through an email or text message to wire funds as a part of a real estate or other business transaction, don’t do so until you have confirmed that the request and the account to which you are being asked to wire the funds are legitimate.  Appearances can be deceiving so always confirm.  It may seem a bit paranoid, but remember, even paranoids have enemies.

Scam of the day – November 30, 2015 – Data breach at VTech Learning Lodge

Hong Kong company VTech Holdings Limited has announced that its Learning Lodge app store has been hacked.  The data breach may involve as many as 4.8 million accounts and include personal information on more than 200,000 children, which brings a new level of concern about this particular data breach.  Learning Lodge is an app store for high tech learning games and other educational toys for children.

The adult customer information compromised in the data breach includes names, email addresses, encrypted passwords, security questions and answers, IP addresses and mailing addresses.  Although the passwords were stolen in their encrypted form, VTech used older, less secure encryption algorithms, which can be readily cracked by sophisticated cybercriminals.  This means that the customers whose data was stolen are in particular danger if they, like so many people do, use the same password for multiple accounts.

In addition, the potential for exploitation of the stolen children’s data brings a new wrinkle to this data breach.  Children’s names and birth dates could be tied to their parents through the stolen information, thereby establishing a new avenue for identity theft and fraud.  Spear phishing using this information, whereby malware-containing emails could be made to appear legitimate, poses a real threat to the victims of this data breach.

TIPS

Once again, people are becoming vulnerable to identity theft due to the lack of proper security measures by a company with which they do business.  However, the failure of people to protect themselves by using unique, distinct passwords for each of their accounts substantially contributes to their risk of identity theft.  The lesson is to remember that you should always have a distinct and unique password for each of your online accounts.  It should be a complex password so that it cannot be broken by simple brute force attacks that use millions of guessable combinations such as any word in the dictionary or such common passwords as 123456.  One good way to pick a complex password is to pick a phrase, such as “I Don’t like passwords” and turn it into the basis for a password by making it IDon’tLikePasswords.  This password is already complex in that it has words and a symbol.  Now add a couple of symbols at the end of the password so it may read IDon’tLikePasswords!!! and you have an easy to remember, but strong password.  Now you can just adapt it for each of your online accounts with a few letters to identify the account.  Thus, your Amazon password can be IDon’tLikePasswords!!!Ama and you have a strong, but easy to remember password.
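Both the Yahoo and the VTech posts above note that the stolen passwords were hashed yet could still be cracked.  Hashing is one-way, so it is not reversible the way encryption is, but a fast, unsalted hash such as MD5 turns the same password into the same digest for every user and every site, which is why a reused password and a widely known weak one like 123456 are both exposed the moment one copy of the table leaks.  The following Python is an added example (not code from Scamicide or from any of the companies discussed) contrasting that legacy storage with salted, deliberately slow PBKDF2 hashing; the user records and the helper names are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample data: two unrelated users who happen to pick the same password.
SAMPLE_USERS: Dict[str, str] = {
    "alice@example.com": "IDon'tLikePasswords!!!",
    "bob@example.com": "IDon'tLikePasswords!!!",
}

# Iteration count for PBKDF2-HMAC-SHA256; raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000


def legacy_md5_hash(password: str) -> str:
    """Fast, unsalted hash of the kind older systems stored.

    Identical passwords always produce identical digests, so a leaked table
    can be matched against digests of common passwords computed in advance.
    """
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def pbkdf2_hash(password: str, salt: Optional[bytes] = None,
                iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. Returns a self-describing record

        pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>

    so the verifier knows which parameters were used for this user.
    """
    if salt is None:
        salt = os.urandom(16)          # fresh random salt per user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt/iterations and compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(digest_hex)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(actual, expected)


def legacy_hashes_collide(users: Dict[str, str]) -> bool:
    """True when two users sharing a password also share one stored MD5 digest."""
    digests = [legacy_md5_hash(p) for p in users.values()]
    return len(set(digests)) < len(digests)


def pbkdf2_hashes_collide(users: Dict[str, str]) -> bool:
    """With per-user salts, equal passwords still yield different stored records."""
    records = [pbkdf2_hash(p) for p in users.values()]
    return len(set(records)) < len(records)


if __name__ == "__main__":
    print("MD5 of 123456 (same everywhere):", legacy_md5_hash("123456"))
    print("legacy digests collide:", legacy_hashes_collide(SAMPLE_USERS))
    print("salted digests collide:", pbkdf2_hashes_collide(SAMPLE_USERS))
    rec = pbkdf2_hash(SAMPLE_USERS["alice@example.com"])
    print("stored record:", rec)
    print("correct password verifies:", verify_pbkdf2("IDon'tLikePasswords!!!", rec))
    print("wrong password verifies:", verify_pbkdf2("IDon'tLikePasswords!!", rec))
```

The salt does not make a weak password strong; a guessable password is still found by trying guesses against each record one at a time.  What it removes is the shortcut of precomputing one answer for everybody, and the slow hash makes each guess cost far more, which is the company's side of the advice above.  Your side remains a unique, complex password per account.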

Scam of the day – October 21, 2015 – Investment scam update

Late last week, the director of the Securities and Exchange Commission’s Division of Enforcement warned brokerage houses and other financial companies that they risk serious SEC enforcement action if they fail to implement proper cybersecurity plans.  This comes on the heels of the data breach at discount brokerage firm Scottrade, which I told you about in the Scam of the day for October 4th, as well as the SEC’s fine of R.T. Jones Capital Equities Management in September for failing to take adequate steps, such as encryption, to protect their customers’ data.

Like so many cybersecurity problems, this one is not as bad as you think.  It is far worse.  According to an SEC survey, 88% of broker-dealers and 74% of investment advisers suffered cyberattacks in the last year.  Making the problem even worse, according to the SEC, only 15% of broker dealers and 9% of advisers guarantee that they will totally reimburse their customers for losses due to cyberattacks.  In particular, many of these companies have fine print in their contracts that passes the liability on to the customers if the customers are considered negligent in the loss of their data.

TIPS

So what can you do to keep your investments safe?

As always, the first place to look for that helping hand is at the end of your own arm.  Make sure that you use a unique and complex password for your investment accounts.  You can go to the Scamicide archives for instructions as to how to pick a strong and secure password.  Also important is to use dual factor authentication whenever possible so that even if someone manages to steal your password, they will not be able to access your account.  With dual factor authentication, a one-time code is sent to your smartphone whenever you need to access your account.  In addition, you should make sure that all of your electronic devices including your computer and smartphone are protected with the most up to date anti-virus and anti-malware software.  Too many people fail to protect their smartphones with a password or security software.  Finally, monitor your accounts regularly for indications of security breaches.
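The Yahoo tips above and this paragraph both describe dual factor authentication as a one-time code sent to your smartphone.  What makes such a code worth more than a second password is how the service treats it: it is random, it expires within minutes, it works exactly once, and a handful of wrong guesses burns it.  The Python below is an added example (not code from Scamicide or from any broker or bank) of the server-side half of that flow; the class name, the constants and the in-memory store are assumptions for illustration, and delivery to the phone is represented simply by returning the code.

```python
import hmac
import secrets
import time
from typing import Callable, Dict, List

CODE_DIGITS = 6
CODE_LIFETIME_SECONDS = 300   # a code is good for five minutes
MAX_ATTEMPTS = 5              # after this many wrong guesses a fresh code must be sent


class OneTimeCodeStore:
    """Hypothetical in-memory record of codes issued to accounts.

    A real deployment would hand the code to an SMS or push provider and keep
    the pending entries in a shared store; here `issue` returns the code so the
    whole flow can be exercised offline.
    """

    def __init__(self, now: Callable[[], float] = time.time) -> None:
        self._now = now                          # injectable clock, for testing expiry
        self._pending: Dict[str, List] = {}      # account -> [code, issued_at, attempts_left]

    def issue(self, account: str) -> str:
        """Generate a fresh random code and replace any earlier one for this account."""
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[account] = [code, self._now(), MAX_ATTEMPTS]
        return code

    def verify(self, account: str, submitted: str) -> bool:
        """Accept the code once, within its lifetime, with a bounded number of tries."""
        entry = self._pending.get(account)
        if entry is None:
            return False                         # nothing outstanding, or already used
        code, issued_at, _ = entry
        if self._now() - issued_at > CODE_LIFETIME_SECONDS:
            del self._pending[account]           # expired: user must request a new code
            return False
        if hmac.compare_digest(code.encode(), submitted.encode()):
            del self._pending[account]           # single use: the code cannot be replayed
            return True
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[account]           # too many wrong guesses: burn the code
        return False

    def has_pending(self, account: str) -> bool:
        return account in self._pending


if __name__ == "__main__":
    store = OneTimeCodeStore()
    code = store.issue("investor@example.com")     # would be texted to the phone
    print("code sent:", code)
    print("wrong guess accepted:", store.verify("investor@example.com", "0000000"))
    print("right code accepted:", store.verify("investor@example.com", code))
    print("same code replayed:", store.verify("investor@example.com", code))
```

The constant-time comparison and the attempt limit matter together: without the limit, a six-digit code is only a million guesses away, and without single use, someone who sees the code over your shoulder or in a forwarded text could reuse it.  The "remembered device" convenience mentioned in the Yahoo post sits on top of this flow and simply skips the code request for a device that has already passed it.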

But what about your investment broker or adviser?  How do you know if they are trustworthy?

Make sure you understand your broker’s policy for reimbursement of customers if a data breach occurs and consider taking your business somewhere else if the answer is unsatisfactory.  Ask them what measures they take to ensure cybersecurity including the use of encryption and dual factor authentication.  Also, find out how they limit access to data to only those people who have a need to see your information.  Finally, find out if they are covered by cyberinsurance.