Scam of the day – July 11, 2015 – Charlotte McKinney topless photos hacked

In my Scam of the day for September 2, 2014 I told you about the stealing of nude photos of more than a hundred celebrities including Jennifer Lawrence, Kate Upton, Kim Kardashian and Hope Solo that were posted online. Now it has just been reported that model/actress Charlotte McKinney, who recently was a contestant on Dancing With the Stars, had topless photos hacked which were then posted on Instagram for a short period of time. This story has two lessons. The first is that everyone, celebrity or not, should take the steps necessary to protect the security of their photos and other data. Although we do not yet know precisely how Ms. McKinney’s photos were hacked, it is reasonable to conjecture that they were stolen in the same manner that photos were stolen in last year’s celebrity hacking. According to FBI records, the hacking had less to do with Apple’s iPhone and iCloud security and more to do with the celebrities falling prey to phishing emails and password resetting that enabled the hacker to gain access to the victims’ iCloud accounts; at other times the photos were stolen directly from the hacked phones.

In addition to stealing the photographs from Ms. McKinney, the hackers also managed to gain access to her Instagram account to temporarily post the photos before they were taken down.  Anyone who has access to your email address who is able to either guess or steal your password can gain access to your Instagram account.

It appears that in many instances in last year’s hacking, the hacker used the “forgot password” link on Apple’s iCloud, answered the security questions and was able to reset the victims’ passwords and gain access to their iCloud accounts. In other instances, the photos were stolen directly from the victims’ smartphones, which were hacked.

The second lesson is for people who may be curious about seeing the topless photos of Charlotte McKinney: be very wary of emails, text messages, websites or links that promise to take you to those photos, which have already been removed from Instagram. Trust me, you can’t trust anyone. Identity thieves will attach malware to links that promise to provide you with the photos. This malware will steal all of the information from your computer or smartphone and put you in danger of identity theft. Don’t fall for this scam.


All of us can be targets of hacking and we need to protect ourselves. You should use a unique password for each of your accounts so if any of your accounts are hacked, the rest of your accounts are not in jeopardy. Make sure the password is a complex password that is not able to be guessed through a brute force attack. Check out my book “Identity Theft Alert” for advice as to how to pick a secure and easy to remember password. Also, even if you are not a celebrity, you would be surprised how much information is online about you that can be used to come up with the answer to your security questions. It is for this reason that I advise you to use a nonsensical answer to your security question, such as the answer “Grapefruit” for the question of what is your mother’s maiden name. Also, take advantage of the dual-factor identification protocols offered by Apple and many others when possible, although Instagram does not offer this service. With dual-factor identification, your password is only the starting point for accessing your account. After you have inputted your password, the site you are attempting to access will send a special one-time code to your smartphone for you to use to be able to access your account. Had Jennifer Lawrence and the other hacked celebrities used the dual-factor identification protocol, they would still have their privacy. It is also important to note that merely because you think you have deleted a photograph or video from your smartphone, that may not be the truth. Smartphones save deleted photographs and videos on their cloud servers such as the Google+ service for Android phones and the iCloud for iPhones. However, you can change the settings on your smartphone to prevent your photos from automatically being preserved in the cloud.

Scam of the day – December 28, 2014 – Hackers release personal information of 13,000 people

Yesterday a group of hackers posted personal information including usernames, passwords and credit card information of 13,000 people on its Twitter account @AnonymousGlobo. The hackers indicated that they had stolen the information from a large number of popular websites that they listed. Among the websites listed by the hackers were Amazon, Walmart, PlayStation Network, Xbox Live and a large number of popular pornography sites including Brazzers. The hackers later wrote “We did it for the Lulz” which is slang for doing it just for their own personal enjoyment and satisfaction. While we do know that much personal information was made public, thus putting the victims in danger of identity theft, we do not know if the hackers actually did, as they stated, steal the information by hacking into the particular websites they named or, alternatively, if they sent phishing emails to their thousands of victims, luring them to click on links in the emails and download keystroke logging malware through which the victims’ own computers supplied the information to the hackers. Either alternative is a source for concern.


There are a number of lessons to be learned from this hacking.  One is to never leave your credit card information on file with an online retailer with which you do business for the sake of convenience.  It may save you a few seconds the next time you make a purchase with the particular retailer, but it also makes your credit card information vulnerable in the event that the retailer is hacked.  A second lesson is to use different usernames and passwords for each of your online accounts because if you do, as many people do, use the same username and password for all of your online accounts, in the event of a data breach at one company with which you do business, the hackers would be able to get your user name and password for all of your accounts, thereby putting you in greater jeopardy of serious identity theft.  Finally, it is important never to click on links in emails or text messages unless you are absolutely sure that the communication is legitimate and you have confirmed that fact.  Identity thieves are adept at tricking people into clicking on links that contain malware by making the communications look legitimate or even by hijacking the email account of someone you trust.

Scam of the day – December 4, 2014 – Which online shopping websites are the safest?

Shopping online is not limited to Cyber Monday. Many of us are fond of the ease and convenience of online shopping, not to mention the considerable savings we sometimes achieve. However, there is always a question about the safety of the online shopping experience. Recently, the password management company LastPass did a security comparison of ten popular online retailers and rated them for security considering the following factors:

1.  Password requirement

2.  Assistance in setting up a strong password

3.  Use of a security question

4.  Simplicity of security question

5.  Automatic encryption of data

6.  Storage of personal data

The optimum score would be earned by a company that required a password, provided assistance in evaluating the strength of your password, required a security question asking for information not readily available to an identity thief, automatically used encryption for transfer of data and stored the least information necessary. At the top of LastPass’ list were the Apple App Store, eBay and Macy’s. At the bottom of their list were JCPenney and Sears.


The best place to find a helping hand is, as always, at the end of your own arm. When shopping online, you should always make sure that a password is necessary and that you use a strong password. You can find information about setting up a strong password in the archives of Scamicide. Security questions are always a good idea and an even better idea is to make a nonsensical answer to your security question, which will turn a weak security question, such as your mother’s maiden name, into a strong security question. For example, if your mother’s maiden name is “Smith,” make the answer to the question “Grapefruit.” No one will find that answer by doing research. Never provide credit card information unless the transaction is encrypted, which you can determine by looking for “https” rather than merely “http” at the beginning of the website address line. Finally, regardless of how convenient it may be, don’t leave your credit card stored with the retailer for future use. Enter your credit card information anew each time you purchase something. Leaving your credit card information with the retailer just makes you more vulnerable in the event of a data breach of the retailer.

Scam of the day – October 10, 2014 – Increasing threat of smartphone hacking

Hacking of smartphones was in the news recently with the revelation by Lacoon Mobile Security that the Chinese government through a phishing scam lured democracy protestors in Hong Kong into downloading a malware-laden app onto their smartphones that enabled the Chinese government to monitor the communications of protestors. In this instance, smartphone users in Hong Kong were responding to a message on WhatsApp that read “Check out this Android app designed by Code4HK for the coordination of OCCUPY CENTRAL.” Those responding to the message and clicking on the link provided ended up downloading malware that enabled the Chinese government to monitor the smartphone users’ communications as well as gain access to all of the personal information stored on the phone. Code4HK is the name of a group of computer programmers who have been working with the pro-democracy movement in Hong Kong, but had nothing to do with this software or message. As we all become more and more dependent upon our smartphones, use them for sensitive financial transactions and store more personal information on them, they have become an increasing target for hackers and identity thieves. Security company McAfee has said that the incidence of mobile malware increased 197% just between 2012 and 2013.


The key to protecting the security of your smartphone from the threat of malware is to not download the malware in the first place. One important rule to follow is to install apps only from legitimate vendors. Most carriers will also provide security software for your smartphone as well as an app that will scan your smartphone for malicious apps you may have unwittingly downloaded. Check with your carrier as to what security software and apps are available to you on your particular smartphone. Never click on a link in an email, text message or other communication unless you have absolutely verified that it is legitimate. The risk of downloading malware is too great. Protect your smartphone with a strong password, install security software and encryption software as well as anti-malware programs such as the app Lookout, which has a feature that continually scans your smartphone for viruses and malware.

Scam of the day – July 24, 2014 – StubHub hacking – what it means to you

Six people including both Russian and American citizens were indicted yesterday in New York for hacking into 1,600 StubHub accounts and stealing more than 1.6 million dollars in tickets.  StubHub is a website where people can buy and sell sports and entertainment tickets.  Although the accounts hacked were StubHub accounts, it appears the fault was not that of StubHub, but rather of individual StubHub customers whose passwords and user names were obtained through hacking of other companies or through the use of keystroke logging malware programs unwittingly downloaded, most likely through phishing emails to the victimized consumers.


For those people who used the same user name and password for all of their accounts, this hacking is another example of why you should not do so. Using the same user name and password puts you in danger in all of your online accounts if merely one of your online accounts is hacked. The better course of action is to use a different user name and password for every account that you use. Although this may seem like a complicated thing to do, it need not be so. Just adding a couple of letters describing the account to your password can provide you with much added security. So for example if you used the basic, safe password of “IHatePasswords123!” which is a strong password and then added a few letters to describe the particular account such as a StubHub password of “IHatePasswords123!StubHb” you would have a difficult to break, but easy to remember password. As for protecting yourself from unknowingly downloading keystroke logging malware that provides access to all of the personal information on your computer, the key thing to remember is to never click on a link or download an attachment unless you are absolutely positive that it is legitimate and you have independently confirmed its legitimacy. Also, you should keep your anti-malware and anti-virus software up to date with the latest security patches.

Scam of the day – June 23, 2014 – Duke University Press data breach

Duke University has announced that its Duke University Press has suffered a data breach. Although no financial information was stolen, usernames and encrypted passwords were stolen. However, even though the passwords were encrypted, it is not uncommon for sophisticated hackers to use software programs to decipher passwords that are not particularly strong. This is just the latest hacking of an institution of higher learning. In just the last four months, personal information on more than 750,000 students was stolen in data breaches at Iowa State University, University of Maryland, North Dakota University and Indiana University.


Again, the advice to follow, if you were a victim of the Duke University Press hacking, is to change your passwords immediately. It also is a good time to consider changing your passwords for all of your password protected accounts and making them strong enough to withstand hackers’ decryption software. A good password will be a combination of lower case letters and upper case letters, figures and symbols. In order to make the passwords memorable, you can use a phrase, such as “IDon’tLikePasswords**”. You can also adapt the password to different accounts, such that you make your Amazon password “IDon’tLikePasswordsAMA**.” In this way you can establish easy to remember, but difficult to decipher passwords.