The Russian security firm Elcomsoft has discovered a major security flaw in iOS 10, the operating system used on Apple’s iPhones, that enables hackers to more readily get through the iPhone’s security system and access data stored on a PC or Mac computer. This is a significant security flaw; Apple has acknowledged its existence and is busy working on a solution. As soon as a security update for iOS 10 is released, I will report on it to you.
Meanwhile, if you have an iPhone using the iOS 10 operating system, you should make sure your PC or Mac where you store data from your phone is protected with a strong and unique password. You should also encrypt all of the data stored on your computer to further protect its security.
Phishing, as you probably know, is the term for the tactic used by scammers and identity thieves who pose as a legitimate company, government agency or some other person or entity you trust and lure you into providing personal information that can be used to make either you or someone you know a victim of identity theft. Recently, Google and the University of California, San Diego completed a study that showed just how effective phishing is. A common phishing technique is to send an email to someone with a link directing them to a phony, but legitimate-appearing, website. Other times, the phony email itself contains a request for personal information. Startlingly, the study showed that at the most effective of these phishing websites, up to 45% of people targeted provided the information requested. Sometimes, the scammers are merely looking to take over your email account so that they can send targeted emails to people on your email list that appear to come from you and may be directed to your friends by name. This type of phishing is called spear phishing. Phishing is a tremendously effective scam technique and was at the core of the hacking of Target, Home Depot and many other companies and people.
Never click on links or download attachments unless you are absolutely sure that they are legitimate. Even if they appear to be in an email or text message from a friend, you cannot trust the communication because your friend’s account may have been hijacked by an identity thief or scammer. Never provide personal information on websites unless you have confirmed that they are legitimate.
If your email account is compromised, here are the steps to take:
1. Change your password on your email account. If you use the same password for other accounts, you should change those as well.
2. Change your security question. I often suggest that people use a nonsensical security question because the information could not be guessed or gathered online. For instance, you may want the question to be “What is your favorite color?” with the answer being “seven.”
3. Report the hacking to your email provider.
4. Contact people on your email list and let them know you have been hacked and not to click on links in emails that may appear to come from you. You have already done this.
5. Scan your computer thoroughly with an up-to-date anti-virus and anti-malware program. This is important because the hacker may have tried to install a keystroke logging malware program that can steal all of the information from your computer.
6. Review the settings on your email; in particular, make sure that your email is not being forwarded somewhere.
7. Get a free copy of your credit report. You can get your free credit reports from www.annualcreditreport.com. Some other sites promise free credit reports, but sign you up for other services that you probably don’t want or need.
8. Consider putting a credit freeze on your credit report. You can find information about credit freezes here on Scamicide.
Dropbox is a popular service that enables you to store photos, documents and other information in the cloud. Hackers are claiming that they stole close to 7 million Dropbox usernames and passwords and have posted some of these on black market websites, offering to post more in exchange for bitcoins, the untraceable digital currency. According to Dropbox, however, the company has not been hacked. Dropbox says that because people often use the same username and password for multiple accounts, the information was stolen from other, less secure companies and then used in attempts to log in to Dropbox. According to a Dropbox spokesman, “These usernames and passwords were unfortunately stolen from other services and used in attempts to log in to Dropbox accounts. We’d previously detected these attacks and the vast majority of the passwords posted have been expired for some time now. All other remaining passwords have been expired as well.”
This is another example of why it is a good practice to have separate distinct passwords and usernames for all of your accounts so that if one company where you have your information is hacked, your other accounts are not endangered. In addition, as always, if the company with which you are dealing provides for dual factor identification, you should take advantage of this to provide added security so that you would not be in danger of having your account taken over even if someone managed to get your username and password. Dropbox provides for dual factor identification. If you use Dropbox and haven’t yet added dual factor identification, here is a link to enable you to set it up for your account. https://blog.dropbox.com/2014/10/have-you-enabled-two-step-verification/
I always share scams and identity theft schemes aimed at me because I know that if I am being targeted so are you. Recently I received an email that purported to be from my email system administrator telling me that my email mailbox had exceeded its storage limits. This scam is a particularly dangerous one because, as all good scams do, it has a grain of truth and appears to be legitimate. Many of us, myself included, do not delete many emails that are not important to keep, and if you do truly exceed your email mailbox size, it can affect your ability to send or receive emails. In that instance, you will receive a warning from your system’s administrator telling you to move items to your folders and to delete items. The phony email request purporting to be from your system’s administrator will tell you to respond to the email with your account user name and your password in order to increase the size of your mailbox and restore its availability. If you do, you will turn over control of your account to a scammer who can go through your emails and take information that can make you a victim of identity theft as well as hijack your account to send out emails to your friends and correspondents that will appear to come from you, but will be loaded with malware that will catch your friends and correspondents unaware. That scam is called spear phishing, where your email address is hijacked and emails are sent to your friends that look like they are coming from you.
Your real systems administrator will never ask for your user name and password. If you do get such an email and you think that it may be legitimate, contact your system’s administrator at an email address or telephone number that you know is accurate to inquire as to the status of your account. Any email that you get that asks for you to turn over your user name and password is undoubtedly a phishing scam.
Following up on the “scam of the day” of July 13th which dealt with data breaches at Yahoo, LinkedIn and others, you should be aware of a class action that has been filed in the U.S. District Court for the Northern District of California on behalf of all LinkedIn users. According to the lawsuit, LinkedIn violated its own user agreement as well as industry standards by not fully encrypting its users’ personal information and by failing to store that information on separate servers from users’ passwords. Additional allegations of lax security were also made. I will keep you informed as to the progress of this class action.
Don’t merely depend on the companies with which you do business to protect your personal information. You should do the best you can to keep your information secure online. Don’t store your credit card numbers on the websites of companies with which you do business online. Put a credit freeze on your credit report to keep it safe even if a company with your information is hacked. Don’t give out your Social Security number unless you absolutely must and use different and complex passwords for every company with which you do business online so that if one company is hacked, the identity thief does not have your password for everywhere else.
Data breaches such as the one that occurred this week at Yahoo, which shockingly did not even encrypt the data of its users, often lead to even more scams. The email addresses of the hacked individuals are used to send out phishing emails to unsuspecting victims, who see an email from a trusted source that may contain a link; when they click on it, they unwittingly download malware such as keystroke logging programs that can steal all of the information off of their computer, such as Social Security numbers, passwords, credit card numbers and more. The risk of these types of phishing scams always increases following a large data breach such as the recent Yahoo, Formspring and LinkedIn data breaches.
Always check with any website or company that will have information about you as to their own security. Also do not store credit card numbers with companies that you do business with online. It may be convenient for you to do so, but it exposes you to greater risk if there is a data breach. Finally, never click on any link in an email, even one from a friend, until you have confirmed that it is legitimate by contacting the friend directly to make sure that it was he or she that sent it. And even then you may wish to consider where they got the link to make sure that they are not unwittingly passing on malware to you.
Data breaches are a fact of modern digital life. This week hundreds of thousands of Yahoo users had their usernames and passwords stolen from one of their databases and just within the past month social network sites Formspring and LinkedIn had their databases hacked into resulting in the loss of personal information of millions more people. It is important to remember that your own personal security is only as safe as the company with the weakest security that holds your information. But there are things you can do to protect yourself.
Do not give your Social Security number to companies that request it unless you truly legally must do so. Your Social Security number is the key to identity theft and can provide access to your credit report, which in turn can provide an identity thief with access to your credit. Use complex passwords and use different passwords for each of your accounts so that if a breach occurs, not all of your accounts are in jeopardy. It is easy to pick a password with numbers and letters and just vary it slightly from account to account. Put a credit freeze on your credit report so that even if someone gets your Social Security number and name, they cannot get access to your credit report. With a credit freeze, your credit report can only be accessed through a PIN that you keep private.
Skimmers are small devices that can read a credit or debit card and capture the information on the card for scam artists. They may be installed on an ATM or a gas pump or any other device into which you directly swipe your credit card or debit card. They may also be used as a portable device by a criminal clerk or waiter who takes your card and not only runs it for the legitimate charge for whatever you are purchasing, but also runs it through the skimmer to capture the information to steal access to your credit card or debit card.
As much as possible, when giving your credit or debit card to a clerk or waiter, watch the card to make sure that it is not swiped through a skimmer as well as through the legitimate credit card processing machine. Many restaurants now bring the card processing apparatus to you at your table to avoid this type of criminal activity.
And while you are at it, you should consider using your debit card less because unlike a credit card, the laws that protect you in the event of fraudulent use of the card are greatly limited. While your liability for fraudulent use of your credit card is limited by law to no more than fifty dollars, your potential liability for fraudulent use of your debit card that you do not catch in a timely fashion could be the emptying of the checking account to which your debit card is attached.
Using an ATM is a very convenient way to access your bank account. Unfortunately, it is also a very convenient way for scam artists to access your bank account as well, often with your assistance.
The primary way ATMs are compromised is through the use of a small device called a “skimmer” which fits over the slot where you put your bank card. The skimmer reads the information embedded in your card, which is half the battle to accessing your account. Often criminals will install cameras by the ATM to read your PIN as you input it into the ATM. These cameras may even appear to be the security cameras used by your bank. Other times they may even install a keyboard over the regular keyboard to capture your PIN.
Always check an ATM before using it to see if it appears to have been tampered with and when you input your PIN, shield the keyboard from any cameras or prying eyes.