Posts Tagged: ‘hacking’

Scam of the day – March 1, 2016 – Kohl’s cash loyalty program scam

March 1, 2016 Posted by Steven Weisman, Esq.

Many of you are probably familiar with Kohl’s, a national department store chain.  Like many companies, it has a loyalty program.  Kohl’s loyalty program, which is called “Kohl’s Cash,” credits registered Kohl’s customers with ten dollars for every fifty dollars that they spend at the store, which can then be used for subsequent Kohl’s purchases.  Recently the Kohl’s Cash accounts of a number of Kohl’s customers were hacked, and the hackers used the customers’ credit cards, which were also registered with Kohl’s Cash, to order large and expensive items that were then delivered to the Kohl’s customers whose accounts were hacked.  Although it might initially seem puzzling how a hacker could profit from the scheme, its effectiveness becomes more apparent when you realize that what the hackers are really after is the Kohl’s cash generated by the purchases.  The Kohl’s cash is emailed to the hacker, who changed the account’s email address when he or she hacked into the account and who, upon receiving the Kohl’s cash credits, uses them to buy other products which he or she can then sell on the black market.  The reason the hackers initially order large sized items is to make it more inconvenient for the hacked customers to return the unordered merchandise to the store, which would cancel the corresponding issuance of Kohl’s cash on the transaction.

It does not appear that Kohl’s as a company has suffered a data breach.  Rather, it appears that the accounts of individual Kohl’s customers were hacked because the hacker had access to or was able to guess the customers’ passwords.


This scam again highlights the importance of having strong, unique passwords for each of your online accounts.  Often companies with weak security are hacked and the hackers use the passwords stolen in the data breach to access other accounts of the victims when the same passwords are used.  Other times it is the victims themselves who have had their data stolen directly from their computer, laptop, smartphone or other electronic device when they have unwittingly downloaded keystroke logging malware, most often as a result of phishing that lured the unsuspecting victim into clicking on a link containing the malware.  Thus it is important to use strong, unique passwords for each of your accounts, to maintain up to date security software on all of your devices and to refrain from clicking on links in emails or text messages unless you have absolutely confirmed that the email or text message is legitimate.

Scam of the day – January 13, 2016 – The Cybersecurity Act of 2015 explained

January 13, 2016 Posted by Steven Weisman, Esq.

Deep in the trillion dollar federal spending bill that President Obama signed into law on December 18, 2015 was the Cybersecurity Information Sharing Act of 2015 (CISA) which establishes a voluntary cybersecurity information sharing program for the public and private sectors to share information about cyberthreats.  This law was, as many are, a compromise version of competing House and Senate versions of the cybersecurity bill.

The sharing of information about cyberattacks, data breaches and hacks by corporations and others with applicable federal agencies is seen by many as a critical step in protecting the public from these types of attacks.  However, many companies were hesitant to share information after they had suffered a data breach or other cyberattack for many reasons, including concerns about the privacy rights of people whose information would be included in the information provided to the government as well as concern about possible liability on the part of the companies.

The new law provides for individuals, companies, groups, state governments and local governments to share with the federal government both cyber threat indicators and defensive measures.  The law specifically indicates that personal information of individuals is to be removed from the data before being shared.  The law provides for the information to be initially provided to the Department of Homeland Security, which will then, in turn, share the information with other appropriate federal agencies and other entities that have appropriate security clearances.  The federal government is specifically prohibited by provisions in CISA from using this information for any purpose other than cybersecurity purposes and the data will not be available to the public through the Freedom of Information Act.  As an incentive to private companies to share this type of information, the law specifically protects them from any liability related to the monitoring of their information systems or the sharing of the information.


This law, which is Congress’ first major cybersecurity legislation, is indeed a modest start to dealing with a major problem.  The program is purely voluntary and many privacy advocates are concerned that the law does not provide enough protection of personal data against misuse by the federal government.  Whether the critics are correct is not immediately apparent from the specific wording of the legislation, but will only become known after the law is fully implemented.  However, the importance of Congress finally taking some, albeit small, steps toward dealing with a major threat to us all should not be minimized.

Scam of the day – December 18, 2015 – Congress close to passing cybersecurity legislation

December 18, 2015 Posted by Steven Weisman, Esq.

For years Congress has been debating much needed cybersecurity legislation without much success.  Now it appears that a cybersecurity bill that includes provisions previously approved by the House of Representatives and the Senate will be included in the omnibus spending bill, which is close to passage and needed to maintain the funding of the federal government.  The essence of the cybersecurity proposal is the sharing of information by businesses and the federal government about technical aspects of cyberthreats such as hacking attacks and malware.  Much of the opposition by businesses to this type of legislation over the years has been the concern of businesses that such sharing could make them vulnerable to lawsuits.  In response to this concern, the new proposed legislation provides for protection from certain types of lawsuits, such as lawsuits based upon violations of electronic privacy protections.  Meanwhile there continues to be opposition to the proposed law, deemed “The Cybersecurity Act of 2015,” from some privacy advocates who believe the proposed law does not do enough to protect personal information when data is shared pursuant to it.  However, supporters of the bill, including President Obama, have said that the protections of corporations from liability in data sharing will only apply if the companies remove personal information when sharing cyberthreat information.


I believe that this law is a major step forward in the battle against cybercrime and will help enable companies and the federal government to do a better job in fighting the numerous cyberthreats faced by the government and private industry today.  It should also be noted that these threats come not just from cybercriminals and identity thieves, but also from foreign governments and terrorist groups such as ISIS.  It is expected that this law will be passed before the end of the year.  I will keep you updated as to the bill’s progress.

Scam of the day – August 23, 2015 – Ashley Madison class actions

August 22, 2015 Posted by Steven Weisman, Esq.

A lawsuit has been filed in Canada against Ashley Madison seeking class action status on behalf of Canadian members of Ashley Madison whose personal information was divulged by hackers recently.  The action is being brought against Ashley Madison for failing to protect the privacy of the data that it compiled and retained regarding its members.  Meanwhile in the United States, the Oklahoma law firm of Abington, Cole & Ellery is also considering filing a class action against Ashley Madison on similar grounds on behalf of American victims of the data breach.


For more information about the Canadian class action, you can go to the website of Charney Lawyers, one of the law firms that filed the action, by clicking on this link.

For more information about the possible American class action, you can go to the website of Abington, Cole & Ellery by clicking on this link.

As for the rest of us who never had any involvement with Ashley Madison, this data breach should serve as a cautionary lesson that every company or governmental agency is susceptible to data breaches and that we all should try to limit as much as possible the amounts of personal information provided to any entity with which we do business. In addition, because of the likelihood of a data breach, never provide information to a company that you would be embarrassed to be associated with.

Scam of the day – October 12, 2014 – Dairy Queen latest data breach victim

October 12, 2014 Posted by Steven Weisman, Esq.

Dairy Queen announced a few days ago that it had become the latest company to become a victim of a major data breach at 395 of its stores.  The infamous “Backoff” malware was downloaded onto the computer systems of the affected stores by hackers who first hacked into a third-party vendor of Dairy Queen that had access to the Dairy Queen computers.  Although the data breach was only recently discovered, the actual breach occurred in August and September.  The information stolen as a result of this data breach included the names of customers, their credit card and debit card numbers as well as the expiration dates of their cards.  This is the same malware and same method of implanting the malware that was first used on a large scale in the Target data breach and repeated in numerous other data breaches since then.  In fact, I wrote a column for USA Today on September 27th entitled “Coming soon:  Another major retailer hacked” in which I provided a fill-in-the-blank format for the stories of future data breaches in which I predicted exactly how they would occur in the future, which is precisely what happened at Dairy Queen.  Here is a link to that column:


As I so often say, you are only as safe as the places you do business with that have the weakest security.  Despite government warnings last July to retailers about the dangers of the “Backoff” malware, thousands of retailers have still not taken the necessary steps to protect their computer systems.  All that we can do is to refrain from using debit cards for retail purchases and only use credit cards.  The laws protecting you from fraudulent use of debit cards are not as strong as those that pertain to fraudulent use of credit cards.  Also, since there is always a time lag between the time that the data breach actually occurs and the time that the company realizes that it has been hacked, it is important to regularly monitor your credit card statements for fraudulent purchases.

Scam of the day – August 11, 2014 – Identity thief sentenced – what it means to you

August 11, 2014 Posted by Steven Weisman, Esq.

Recently, Turkish citizen Alper Erdogan was sentenced to more than nine years in prison and ordered to pay more than a million dollars in restitution after being convicted of aggravated identity theft, conspiracy to commit computer hacking and conspiracy to commit credit card fraud.  Erdogan did not do the actual hacking, but did sell the credit card numbers to other identity thieves.  Often the people who do the hacking of major companies such as Target do not use the stolen credit card numbers themselves, but rather sell them through the Internet to other identity thieves on black market websites.  One such website is called McDumpals, which humorously has a McDonald’s restaurant theme and shows a caricature of Ronald McDonald pointing a gun at the viewer of the screen next to the words “I’m swipin it.”  Often payment on these illegal websites is made in bitcoins so that the payments cannot be traced.


One good element of this case is the international cooperation involved in the investigation and prosecution of Erdogan, who was extradited by the Republic of Georgia to stand trial in the United States, although it should be noted that it did take almost two years after Erdogan was indicted in Florida for the extradition to occur.  The bigger lesson is that once again, people became victims of identity theft because the United States still is lagging behind the rest of the world in issuing and using smart credit cards with computer chips that create a new number each time the card is used.  The United States largely continues to use outdated magnetic strip credit card technology that is extremely susceptible to identity theft.  It is not expected that retailers and others who process credit cards will switch over to the smart cards until October of 2015 when new regulations will prompt the switch.  In addition, it is important to remember that you are only as safe as the places with the weakest security that hold your personal information, such as a credit card, so don’t leave your credit card on record with an online retailer for convenience’s sake, and monitor your credit card usage regularly so you can report any fraudulent charges as soon as possible in order to avoid problems.

Scam of the day – July 24, 2014 – StubHub hacking – what it means to you

July 24, 2014 Posted by Steven Weisman, Esq.

Six people, including both Russian and American citizens, were indicted yesterday in New York for hacking into 1,600 StubHub accounts and stealing more than 1.6 million dollars in tickets.  StubHub is a website where people can buy and sell sports and entertainment tickets.  Although the accounts hacked were StubHub accounts, it appears the fault was not that of StubHub, but rather of individual StubHub customers whose passwords and user names were obtained through hacking of other companies or through the use of keystroke logging malware programs unwittingly downloaded, most likely through phishing emails sent to the victimized consumers.


For those people who used the same user name and password for all of their accounts, this hacking is another example of why you should not do so.  Using the same user name and password puts you in danger in all of your online accounts if merely one of your online accounts is hacked.  The better course of action is to use a different user name and password for every account that you use.  Although this may seem like a complicated thing to do, it need not be so.  Just adding a couple of letters describing the account to your password can provide you with much added security.  So for example, if you used the basic, safe password of “IHatePasswords123!” which is a strong password and then added a few letters to describe the particular account, such as a StubHub password of “IHatePasswords123!StubHb,” you would have a difficult to break, but easy to remember password.  As for protecting yourself from unknowingly downloading keystroke logging malware that provides access to all of the personal information on your computer, the key thing to remember is to never click on a link or download an attachment unless you are absolutely positive that it is legitimate and you have independently confirmed its legitimacy.  Also, you should maintain your anti-malware and anti-virus software up to date with the latest security patches.

Scam of the day – June 23, 2014 – Duke University Press data breach

June 23, 2014 Posted by Steven Weisman, Esq.

Duke University has announced that its Duke University Press has suffered a data breach.  Although no financial information was stolen, usernames and encrypted passwords were stolen.  However, even though the passwords were encrypted, it is not uncommon for sophisticated hackers to use software programs to decipher passwords that are not particularly strong.  This is just the latest hacking of an institution of higher learning.  In just the last four months, personal information on more than 750,000 students was stolen in data breaches at Iowa State University, University of Maryland, North Dakota University and Indiana University.


Again, the advice to follow if you were a victim of the Duke University Press hacking is to change your passwords immediately.  It also is a good time to consider changing your passwords for all of your password protected accounts and making them strong enough to withstand hackers’ decryption software.  A good password will be a combination of lower case letters and upper case letters, figures and symbols.  In order to make the passwords memorable, you can use a phrase, such as “IDon’tLikePasswords**.”  You can also adapt the password to different accounts, such that you make your Amazon password “IDon’tLikePasswordsAMA**.”  In this way you can establish easy to remember, but difficult to decipher passwords.

Scam of the day – June 14, 2014 – FAA orders Boeing to install computer security on all 737s

June 14, 2014 Posted by Steven Weisman, Esq.

On March 22nd in my Scam of the day I told you about the possibility that the missing Malaysian airliner may have had its computers hacked.  During the flight, two essential communication and location systems were turned off while the aircraft continued to fly.  Investigators appear to be focusing on the pilots or someone else on board physically turning off these systems.  But the systems could have been turned off by a hacker remotely sabotaging the plane.  In 2012, Boeing, the manufacturer of the Boeing 777 which was used on Flight 370, applied to the Federal Aviation Administration to make modifications to its onboard data systems because, according to federal records, “data network and design integration may result in security vulnerabilities from intentional or unintentional corruption of data systems critical to the safety and maintenance of the airplane… This may enable the exploitation of network security vulnerabilities and increased risks potentially resulting in unsafe conditions for the airplanes and occupants.”

Now the Federal Aviation Administration is ordering Boeing to make modifications to the computers on its 737 aircraft to prevent hackers from taking over control of the important inflight computers.  The order of the FAA requires Boeing to “ensure that the airplanes’ electronic systems are protected from access by unauthorized sources external to the plane.”


Computers are more and more embedded in almost everything we use, including cars, aircraft, refrigerators, thermostats, ovens and many other devices that make up what is now referred to as the Internet of Things.  It is important to remember that once a computer is linked to the Internet, it is capable of being hacked and exploited unless proper security systems are in place.  This problem is likely to get worse before it gets better, so it is up to all of us to look into the security of the computerized devices that we use that make up the Internet of Things.

Scam of the day – May 29, 2014 – Car hacking

May 28, 2014 Posted by Steven Weisman, Esq.

I have been warning you about the danger of the Internet of Things, which refers to the increasing use of computer technology in things that formerly did not involve computers or communication through the Internet, such as refrigerators, thermostats and cars.  Too often the developers of the cutting edge computer programs used to make these various products more intelligent and useful have neglected to sufficiently concern themselves with the security of these programs, resulting in new vulnerabilities that are being exploited by hackers now and will be exploited even more in the future.

Cars are more and more computerized and this has resulted in an increasing number of car thefts due to exploitation of the electronic key systems of the cars.  In London, for example, almost half of the cars stolen last year were hacked by car thieves using cheap electronic devices that will open a locked car in less than ten seconds.  Other electronic devices can even take over the car’s diagnostic unit, permitting hackers to control the car’s lights, locks, steering and braking systems.


At the moment car manufacturers have not installed security systems to prevent the opening and stealing of cars through remote entry by a hacker.  However, this is something that we all should be aware of as a potential problem, and we should notify our car manufacturers of our displeasure that they have not acted sufficiently to prevent this type of problem.  Certainly, no one should ever leave anything of value in a car feeling secure that the car is locked.