Scam of the day – May 27, 2017 – Target pays $18.5 Million to 47 states to settle security breach claims

Many people trace the era of major data breaches by hackers to the massive data breach at Target during the holiday shopping season of 2013. Credit card and debit card data on approximately 40 million Target customers was stolen as well as other information including email addresses of approximately 70 million Target customers.

Recently 47 states and the District of Columbia settled civil claims against Target arising from the data breach, with Target agreeing to pay a total of 18.5 million dollars to be divided among those states and the District of Columbia. California will receive 1.4 million dollars, the largest share of any state. None of this money is to be returned to consumers.

This settlement is very significant because it is part of an escalating trend of companies whose negligence leads to data breaches being held responsible for the harm caused to consumers.

Pursuant to the settlement, Target will implement a comprehensive security program that includes application whitelisting, which allows only approved programs to run and so blocks unauthorized software such as malware; segmenting the systems that handle credit card data from the rest of Target’s computer networks; and increased use of encryption.

TIPS

This is a very positive step and, having reviewed in detail the security requirements that Target will be required to implement, I believe these provide a good guide for other companies to use to enhance their data security.

As for all of us as consumers, the best thing we can do is to refrain from using our debit cards for any purpose other than as an ATM card, because the laws protecting us from unauthorized use of debit cards are not as strong as those protecting us from unauthorized use of credit cards.  In addition, whenever possible use your credit card as a chip card rather than swiping its magnetic stripe, for increased security.

Scam of the day – May 1, 2017 – Hackers leak “Orange is the New Black”episodes and more

After Netflix refused to pay a ransom to a hacker known as thedarkoverlord, the hacker posted nine episodes of the popular Netflix original series “Orange is the New Black” on a publicly available file sharing website on Saturday.  The hacker had already posted the season 5 opening episode on Friday as an indication that he was serious about his threat.

The stolen episodes were obtained by hacking Larson Studios, a post production digital mixing company that worked on “Orange is the New Black.”  This is just the latest example of a trend of hackers going after bigger targets by way of less well-defended companies that work with the bigger company.  The 2013 massive data breach of retailer Target was achieved by initially hacking an HVAC company that worked with Target and had access to Target’s computers to monitor heating and air conditioning systems at Target stores.

Thedarkoverlord has carried out a number of other extortion attacks, including one in which it hacked a small Indiana charity and demanded a ransom of 50 bitcoins; the charity refused to pay and had its data destroyed.

This story is far from over with thedarkoverlord already claiming to have stolen unreleased shows of ABC, Fox, National Geographic and IFC.

TIPS

Ransomware continues to be a growing threat to individuals, large and small companies and government agencies, all of which have been targeted by it.  Ransomware malware is readily available for unsophisticated cybercriminals to purchase on the Dark Web.  While in the past the typical use was to encrypt the victim’s data and withhold the decryption key unless a ransom was paid, the scam has evolved to include threats to make stolen data public, as was done in this instance.

Some older strains of ransomware can be defeated with free decryption tools.  In 2016, through the efforts of international law enforcement organizations and private security companies, the website No More Ransom was launched, where victims of ransomware can get decryption tools for many strains of ransomware for free.  Thousands of people have used these tools to decrypt their files after an attack without paying a ransom.  Unfortunately, however, there are newer forms of ransomware for which no decryption tool has yet been developed.

The key to not becoming a victim of a ransomware attack is to prevent it in the first place.  Generally, the malware is installed unwittingly by victims who are lured through phishing and spear phishing emails into clicking on links or opening attachments that deliver the malware.  Never click on links in emails or text messages, regardless of how legitimate they may appear, until you have verified that they are legitimate.  You should also install anti-phishing software.

It is also important not only to have anti-malware software installed on all of your electronic devices, but to keep that software, along with your operating system and applications, updated with the latest security patches.  Many victims of ransomware have fallen to strains for which protection was already available.  Finally, always back up your computer’s data daily, preferably in two different ways, and make sure at least one backup is not permanently connected to your computer (for example an external drive that you unplug after the backup, or a cloud service that keeps older versions of your files), because ransomware will encrypt any backup it can reach.

Finally, it is important to note that a recent study done by Spiceworks found that of small to medium businesses who paid a ransom after being hacked, 45% did not get their data restored.  Apparently there is no honor among some thieves.

Scam of the day – March 12, 2016 – Hackers steal 81 million dollars from Bangladesh bank

Early last month cybercriminals hacked into Bangladesh’s central bank and managed to steal approximately 81 million dollars; however, it could have been worse.  If it weren’t for a spelling error, the theft could have approached a billion dollars.  Although the investigation into this crime is still in its early stages, it appears that, as with so many types of cybercrime, this one started with social engineering spear phishing that lured bank employees into unwittingly downloading the malware the hackers used to infiltrate the bank’s computers.  With that access they obtained not just the passwords and cryptographic keys used for electronic fund transfers, but also the emails of bank employees, which they could copy and adapt so that the transfer requests they sent appeared legitimate.

Armed with this information, the cybercriminals sent dozens of account transfer requests from the Bangladesh central bank to the Federal Reserve Bank of New York, where the Bangladesh central bank has accounts containing billions of dollars.  The transfer requests processed by the Federal Reserve Bank of New York electronically sent about 81 million dollars to accounts in the Philippines, where the funds were transferred multiple times, including transfers to Philippine casinos, in an effort to launder the money.

Four transfer requests totaling approximately 81 million dollars were processed in this cyber bank heist before a fifth request, to a supposed Sri Lankan non-profit organization, aroused the suspicion of Deutsche Bank, a routing bank in the transaction, because “foundation” was misspelled as “fandation,” prompting a closer look at the transfer request.  At the same time, the Federal Reserve became suspicious at the large number of transfer requests being made to private entities rather than to banks, halted the remaining transfer requests and contacted the Bangladesh central bank.
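The three signals that stopped the remaining transfers, a beneficiary that is not a bank, a misspelled beneficiary name and an unusually large amount, are the kind of rules a payment screening system can apply automatically before a request is released. The Python script below is an added illustration, not part of the original post and not how the Federal Reserve or Deutsche Bank actually screen payments. The transfer records, beneficiary names, the 1 million dollar threshold and the word list are all constructed for the example; the misspelling is modelled on the “fandation” slip described above.

```python
import difflib
import re

# Words that usually appear in the name of a financial institution.
BANK_WORDS = ("bank", "banking", "bancorp", "credit union", "building society")

# Small, constructed vocabulary of words commonly found in beneficiary names.
# A token that is almost, but not exactly, one of these is a possible misspelling.
VOCABULARY = {
    "foundation", "bank", "banking", "bancorp", "trust", "corporation",
    "corp", "company", "limited", "ltd", "inc", "holdings", "remittance",
    "credit", "union", "society", "group", "international", "services",
}

LARGE_AMOUNT = 1_000_000  # hypothetical review threshold, in US dollars

# Constructed sample of outbound transfer requests (not real SWIFT messages).
TRANSFERS = [
    {"id": 1, "amount": 20_000_000, "beneficiary": "Example Fandation",
     "beneficiary_bank": "Example Asia Bank"},
    {"id": 2, "amount": 6_000_000, "beneficiary": "Example Remittance Corp",
     "beneficiary_bank": "Example Commercial Bank"},
    {"id": 3, "amount": 250_000, "beneficiary": "Bank of Example Ltd",
     "beneficiary_bank": "Bank of Example Ltd"},
]


def looks_like_bank(name):
    lowered = name.lower()
    return any(word in lowered for word in BANK_WORDS)


def suspicious_tokens(name):
    """Return (token, closest_vocabulary_word) pairs for near-miss spellings."""
    hits = []
    for token in re.findall(r"[a-z]+", name.lower()):
        if len(token) < 5 or token in VOCABULARY:
            continue
        close = difflib.get_close_matches(token, VOCABULARY, n=1, cutoff=0.8)
        if close:
            hits.append((token, close[0]))
    return hits


def screen_transfer(transfer):
    """Return the list of review flags raised for a single transfer request."""
    flags = []
    if not looks_like_bank(transfer["beneficiary"]):
        flags.append("non-bank beneficiary")
    for token, word in suspicious_tokens(transfer["beneficiary"]):
        flags.append(f"possible misspelling: {token!r} ~ {word!r}")
    if transfer["amount"] >= LARGE_AMOUNT:
        flags.append("large amount")
    return flags


def screen_batch(transfers, max_non_bank=1):
    """Screen every request, and flag the batch as a whole when too many of
    them go to non-bank beneficiaries, the pattern that alarmed the Fed."""
    results = {t["id"]: screen_transfer(t) for t in transfers}
    non_bank = sum(1 for f in results.values() if "non-bank beneficiary" in f)
    batch_flags = []
    if non_bank > max_non_bank:
        batch_flags.append(f"{non_bank} requests to non-bank beneficiaries")
    return results, batch_flags


if __name__ == "__main__":
    per_request, batch = screen_batch(TRANSFERS)
    for request_id, flags in per_request.items():
        print(request_id, flags or "clean")
    print("batch:", batch or "clean")
```

Any flagged request would be held for a human to call the requesting bank over a channel other than the one the request arrived on, which is exactly the step that ended the heist once Deutsche Bank and the Fed became suspicious.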

TIPS

All businesses and governmental agencies have got to do a better job at cybersecurity in general.  In particular, greater attention has to be paid to the dangers of social engineering spear phishing, which has been at the root of almost all of the major data breaches at both companies like Target and governmental agencies such as the Office of Personnel Management.

Scam of the day – December 3, 2015 – Target settlement approved

The massive data breach during the 2013 holiday season at Target was the first of a series of data breaches that continue unabated to this day with little end in sight.  While millions of Target customers were inconvenienced by the theft of their credit card or debit card information, banks that issued those cards and had to replace the stolen cards suffered financial losses involved with replacing the stolen cards as high as 400 million dollars.  Five of these banks, Umpqua Bank, Mutual Bank, Village Bank, CSE Federal Credit Union and First Federal Savings filed a class action in federal court on behalf of themselves and other affected banks seeking payment from Target for the losses they incurred as a result of the data breach.  I have been reporting to you over the last couple of years as to the progress of this lawsuit.  Yesterday, a preliminary settlement was approved by the court.  Under the terms of the settlement, Target will pay up to 20.25 million dollars to the affected banks and credit unions as well as pay 19.11 million dollars to reimburse issuers of MasterCards.  An earlier settlement reached with MasterCard issuers in April of 2015 was rejected by the members of the class as being too low.  Target has already settled with issuers of Visa credit cards, agreeing to pay 67 million dollars.  As for individual customers whose credit and debit card information was stolen, Target settled a class action brought on their behalf for 10 million dollars.  However, Target’s troubles are not entirely over.  It still is being investigated by the Federal Trade Commission and a number of state attorneys general regarding the data breach as well as also being sued by its own stockholders.

TIPS

This is a significant settlement.  In the past, retailers were not held responsible for the occasional data breach occurring in the processing of credit and debit card transactions, but this has changed as data breaches have moved from being an occasional event to a major and costly occurrence.   This settlement may well serve as the impetus for a major change in how retailers conduct business in general and in particular what security steps they will need to take in order to avoid financial responsibility for future data breaches.  Coupled with regulations shifting responsibility for data breaches to retailers who fail to switch to new smart credit cards with computer chips, this settlement may signal a new paradigm for company electronic security.  As for consumers, the best course of action continues to be to use your chip credit card, if you have one and refrain from using your debit card for retail purchases because the laws regarding liability for fraudulent charges are more advantageous to consumers when using credit cards rather than debit cards.

Scam of the day – September 14, 2015 – Federal government unveils new cybersecurity plan

It is no secret that the federal government, as evidenced by the recent hacking of the Office of Personnel Management (OPM) in which personnel data on 22 million people was stolen, is a target of hackers, both nation-state and ordinary (or perhaps not so ordinary) criminals.  The OPM data breach was initiated, as was the Target data breach and, by some estimates, about 90% of all data breaches, through a phishing email.  A phishing email is an email sent by the hacker that appears to be legitimate and lures the victim at the targeted company or agency into clicking on a link or downloading an attachment that contains malware, which enables the hacker to steal the information held on the victim’s computer system.  It is fascinating that in almost all major data breaches, the most complex and sophisticated malware is downloaded on to the victim’s computer through the simple trickery of phishing.  Here is a link to a column I wrote about this last year.  http://www.usatoday.com/story/money/personalfinance/2014/10/18/malware-data-breach-phishing/17458411/

In response to the OPM and other data breaches, William Evanina, the Director of the National Counterintelligence and Security Center has announced a new campaign to raise the awareness of federal workers to the dangers of phishing and specifically targeted phishing emails referred to as spear phishing.

TIPS

Phishing and spear phishing represent threats not just to companies and governmental agencies, but to all of us as individuals as well.  Identity theft is often accomplished by targeting individuals with phishing or spear phishing emails; the victim unwittingly clicks on a link or downloads an attachment that contains keystroke logging malware, which lets the identity thief steal passwords, credit card numbers, Social Security numbers and other personal information from the victim’s computer and use it to make that person a victim of identity theft.  Other types of malware, such as ransomware, which encrypts and locks all of the data on your computer and is followed by a threat to destroy your data unless you pay a ransom, are generally downloaded the same way, by clicking on a link or downloading an attachment from a phishing email.

The key to avoiding becoming a victim is to never click on a link or download any attachment unless you have absolutely confirmed that the link or attachment is legitimate.  Even if the link is contained in an email from someone you know and trust, it is possible that their email may have been hijacked so you must always be a bit skeptical.  It may seem a bit paranoid, but remember that even paranoids have enemies.

Scam of the day – August 22, 2015 – Target and Visa settle data breach dispute

Visa and Target have come to an agreement by which Target will pay 67 million dollars to settle claims brought by Visa card issuers for losses suffered as a result of the massive data breach at Target in 2013 that affected more than 40 million customers.  Unlike a similar proposed settlement about which I reported to you in Scams of the day in April and May 2015, this settlement was approved by the major Visa card issuers.  A proposed settlement between Target and MasterCard was negotiated between the parties that would have paid MasterCard more than 19 million dollars to settle all claims by the MasterCard issuing banks against Target.  However, a condition of the settlement was that 90% of the banks involved had to approve the settlement, and this did not happen.  The banks that rejected the settlement believed that the 19 million dollar settlement was far too low considering that the banks lost about 160 million dollars, consisting of 79 million dollars in fraudulent purchases and 88 million dollars to reissue replacement cards.  This rejection of the settlement sent the case back to the Federal District Court in Minnesota, where the case is scheduled to go to trial unless a settlement more agreeable to the injured banks is reached.

TIPS

The same vulnerability of credit and debit card processing equipment that was exploited in the Target hacking still exists today at most retailers, which have been slow to adopt smart card technology, and you can expect criminals to increasingly exploit it.  The problem is essentially caused by the fact that the United States still uses, for the most part, outdated magnetic stripe technology on credit and debit cards rather than the computer chip cards used throughout most of the rest of the world.  Card-network rules shifting liability to merchants that have not adopted chip card processing (the EMV liability shift) do not go into effect until October 2015, and even then further delay is expected both in issuing the new cards, which some card issuers have already begun to do, and in deploying the card processing machines needed to process them.

So what should we as consumers do in the meantime?

First of all, never use your debit card for retail purchases.  Federal law does not provide the same level of consumer protection from liability that you get with the use of a credit card.  Second, you should get a new smart chip card as soon as possible and use it whenever possible. Walmart has already installed the new card readers and is processing the new smart cards.   These new cards also have magnetic stripes so you can still use the same card through the old style card processors if the store where you are shopping does not yet have card readers capable of processing the sale using the computer chip.  Keep in mind, though, that the stripe on a chip card can be copied just as easily as the stripe on an old card, so you only get the chip’s protection when the chip is actually used.

Scam of the day – May 29, 2015 – Banks reject Target data breach settlement

In April 27th’s Scam of the day I reported to you about a proposed settlement between MasterCard and Target in regard to claims related to the massive data breach at Target in 2013.  A proposed settlement was negotiated between the parties that would have paid MasterCard more than 19 million dollars to settle all claims by the MasterCard issuing banks against Target.  However, a condition of the settlement was that 90% of the banks involved had to approve the settlement, and this did not happen.  The banks that rejected the settlement believed that the 19 million dollar settlement was far too low considering that the banks lost about 160 million dollars, consisting of 79 million dollars in fraudulent purchases and 88 million dollars to reissue replacement cards.  This rejection of the settlement sent the case back to the Federal District Court in Minnesota, where the case is scheduled to go to trial unless a settlement more agreeable to the injured banks is reached.

TIPS

The same vulnerability of credit and debit card processing equipment that was exploited in the Target hacking still exists, and you can expect criminals to increasingly exploit it.  The problem is essentially caused by the fact that the United States still uses, for the most part, outdated magnetic stripe technology on credit and debit cards rather than the computer chip cards used throughout most of the rest of the world.  Card-network rules shifting liability to merchants that have not adopted chip card processing (the EMV liability shift) do not go into effect until October 2015, and even then further delay is expected both in issuing the new cards, which some card issuers have already begun to do, and in deploying the card processing machines needed to process them.

So what should we as consumers do in the meantime?

First of all, never use your debit card for retail purchases.  Federal law does not provide the same level of consumer protection from liability that you get with the use of a credit card.  Second, you should get a new smart chip card as soon as possible and use it whenever possible. Walmart has already installed the new card readers and is processing the new smart cards.   These new cards also have magnetic stripes so you can still use the same card through the old style card processors if the store where you are shopping does not yet have card readers capable of processing the sale using the computer chip.

Scam of the day – April 27, 2015 – MasterCard settlement with Target being challenged

The massive data breach caused by the hacking of Target in 2013, which compromised approximately 40 million credit and debit cards along with personal information on as many as 70 million more customers, resulted in banks incurring millions of dollars in costs to replace the credit and debit cards put at risk by the data breach.  Although Target is still negotiating with Visa in regard to the amount that Target will reimburse Visa for these costs, Target announced recently that it had reached a settlement with MasterCard to pay nineteen million dollars to cover the costs of reissuing new cards for those people affected by the data breach.

Now a small group of banks has brought legal action to block the settlement which they allege is unfair to the banks that suffered losses as a result of having to reissue debit and credit cards.  Charles Zimmerman, one of the lawyers representing the group of banks challenging the proposed settlement has said the settlement “provides paltry restitution for the substantial losses suffered.”  A motion for a preliminary injunction to prevent the settlement will be heard today in federal court in Minnesota.

TIPS

Regardless of the outcome of this motion hearing or any settlements between the credit card companies, Target and the credit card issuing banks, consumers are well aware that the best place to find a helping hand when it comes to security while shopping is at the end of their own arms.  Part of the reason that we have had so many major retail data breaches in the last couple of years is that the United States still uses magnetic stripe technology from the 1960s rather than the modern computer chip credit cards used throughout most of the rest of the world, which are not susceptible to the type of mass retail hacks that we have seen at Target, Home Depot and others.  With a chip card, the chip generates a unique cryptographic code for every transaction, so data captured from a chip transaction at a card processing machine cannot be used to make a counterfeit card.  The card number itself is still visible to the terminal, however, so stolen chip-transaction data can still be abused for online purchases where no physical card is presented; the chip protects against counterfeit cards, not against every kind of fraud.  Card-network rules go into effect in October of 2015 that will hold retailers that have not implemented chip card technology financially responsible for losses incurred through counterfeit magnetic stripe cards, which is why we will see retailers scrambling to meet the October 2015 deadline.  Meanwhile, some stores such as Walmart have already installed the machines to use the new smart chip cards.
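To make the difference between the two card technologies concrete, here is an added, deliberately simplified model in Python; it is not part of the original post and is not real EMV (the real standard derives per-transaction session keys from a card master key and computes the ARQC with a block cipher over a fixed list of fields). The principle it demonstrates is the one described above: stripe data is static and replays anywhere, while the chip’s cryptogram is a keyed MAC over the transaction details and a counter that only the chip and the issuer can compute. The card number is the standard 4111 test number, the key is generated on the spot, and the merchant names are constructed.

```python
import hashlib
import hmac
import secrets


def cryptogram_for(key, pan, atc, amount, merchant):
    """Stand-in for the EMV ARQC: a MAC over the card number, the card's
    transaction counter and the transaction details, keyed with a secret
    that only the chip and the issuer hold. (HMAC-SHA256 is a simplification;
    real EMV uses a block-cipher MAC with derived session keys.)"""
    message = f"{pan}|{atc}|{amount}|{merchant}".encode()
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def stripe_track(pan, expiry):
    """Magnetic-stripe track data is static: the same bytes every time."""
    return f"%B{pan}^CARDHOLDER/TEST^{expiry}?"


class ChipCard:
    def __init__(self, pan, key):
        self.pan = pan
        self._key = key   # never leaves the chip
        self.atc = 0      # application transaction counter

    def generate_cryptogram(self, amount, merchant):
        self.atc += 1
        return self.atc, cryptogram_for(self._key, self.pan, self.atc, amount, merchant)


class Issuer:
    def __init__(self):
        self.card_keys = {}    # pan -> key shared with the chip
        self.last_atc = {}     # pan -> highest counter value accepted so far
        self.stripe_pans = set()

    def issue(self, pan, key):
        self.card_keys[pan] = key
        self.stripe_pans.add(pan)
        return ChipCard(pan, key)

    def authorize_stripe(self, track):
        # Nothing in the track proves the card is present; the data alone suffices.
        pan = track[2:].split("^", 1)[0]
        return pan in self.stripe_pans

    def authorize_chip(self, pan, atc, amount, merchant, cryptogram):
        key = self.card_keys.get(pan)
        if key is None:
            return False
        expected = cryptogram_for(key, pan, atc, amount, merchant)
        if not hmac.compare_digest(expected, cryptogram):
            return False            # wrong key, or details were altered
        if atc <= self.last_atc.get(pan, 0):
            return False            # counter already used: a replay
        self.last_atc[pan] = atc
        return True


def demo():
    """Run the stripe and chip scenarios; returns a name -> approved mapping."""
    issuer = Issuer()
    pan = "4111111111111111"   # standard test card number, not a real account
    card = issuer.issue(pan, secrets.token_bytes(32))
    results = {}

    # 1. Swipe: POS malware copies the static track; the copy works at any store.
    track = stripe_track(pan, "2512")
    results["stripe_genuine"] = issuer.authorize_stripe(track)
    results["stripe_replay"] = issuer.authorize_stripe(track)  # cloned card elsewhere

    # 2. Chip: the POS (and any malware on it) sees pan, atc, amount, merchant, cryptogram.
    atc, arqc = card.generate_cryptogram(50, "store-A")
    results["chip_genuine"] = issuer.authorize_chip(pan, atc, 50, "store-A", arqc)
    # Replaying the captured data at another store: the MAC covers the merchant.
    results["chip_replay_other_merchant"] = issuer.authorize_chip(pan, atc, 50, "store-B", arqc)
    # Replaying it at the same store: the counter has already been accepted.
    results["chip_replay_same_merchant"] = issuer.authorize_chip(pan, atc, 50, "store-A", arqc)
    # The genuine card keeps working because its counter moves on.
    atc, arqc = card.generate_cryptogram(20, "store-A")
    results["chip_second_genuine"] = issuer.authorize_chip(pan, atc, 20, "store-A", arqc)
    return results


if __name__ == "__main__":
    for name, approved in demo().items():
        print(f"{name:28s} {'approved' if approved else 'declined'}")
```

Notice what the model does not protect: the card number travels in the clear in every scenario, so the attacker who captured the chip transaction still has a number usable for card-not-present fraud, which is why the chip reduces counterfeit-card losses at the register without eliminating online fraud.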

So what should consumers do?

First of all, never use your debit card for retail purchases.  Federal law does not provide the same level of consumer protection from liability that you get with the use of a credit card.  Second, you should get a new smart chip card as soon as possible and use it whenever possible.  These new cards also have magnetic stripes so you can still use the same card through the old style card processors if the store where you are shopping does not yet have card readers capable of processing the sale using the computer chip.

Scam of the day – November 11, 2014 – New study on effectiveness of phishing

Phishing, as you probably know, is the term for the tactic used by scammers and identity thieves who pose as a legitimate company, government agency or some other person or entity you trust and lure you into providing personal information that can be used to make you or someone you know a victim of identity theft.  Recently, Google and the University of California, San Diego completed a study that showed just how effective phishing is.  A common phishing technique is to send an email to someone with a link directing them to a phony, but legitimate appearing, website.  Other times, the phony email itself contains a request for personal information.  Startlingly, the study showed that at the most effective of these phishing websites, up to 45% of the people targeted provided the information requested.  Sometimes the scammers are merely looking to take over your email account so that they can send targeted emails to people on your email list that appear to come from you and may be addressed to your friends by name.  This type of targeted phishing is called spear phishing.   Phishing is a tremendously effective scam technique and was at the core of the hacking of Target, Home Depot and many other companies and people.

TIPS

Never click on links or download attachments unless you are absolutely sure that they are legitimate.  Even if they appear to be in an email or text message from a friend, you cannot trust the communication because your friend’s account may have been hijacked by an identity thief or scammer.  Never provide personal information on a website unless you have confirmed that it is legitimate.

If your email account is compromised here are the steps to take:

1. Change your password on your email account. If you use the same password for other accounts, you should change those as well.
2. Change your security question. I often suggest that people use a nonsensical security question because the information could not be guessed or gathered online. For instance, you may want the question to be “What is your favorite color?” with the answer being “seven.”
3. Report the hacking to your email provider.
4. Contact people on your email list and let them know you have been hacked and not to click on links in emails that may appear to come from you.
5. Scan your computer thoroughly with an up to date anti-virus and anti-malware program. This is important because the hacker may have tried to install keystroke logging malware that can steal all of the information from your computer.
6. Review the settings on your email, particularly make sure that your email is not being forwarded somewhere.
7. Get a free copy of your credit report. You can get your free credit reports from www.annualcreditreport.com. Some other sites promise free credit reports, but sign you up for other services that you probably don’t want or need.
8. Consider putting a credit freeze on your credit report. You can find information about credit freezes here on Scamicide.

Scam of the day – November 8, 2014 – Latest Home Depot hacking developments

Home Depot has announced that in addition to the information on millions of debit cards and credit cards that were stolen by hackers in its recent data breach which had gone undetected for months before being discovered in early September, the hackers also stole the email addresses of 53 million of its customers.

So what does this mean to you and me?

It means that we can expect to receive phishing emails that appear to come from Home Depot, some of which may even be addressed to us by name.  This type of targeted phishing is called spear phishing, and it is an effective tool of identity thieves in luring us to provide personal information or to click on links or download attachments in official looking emails.  Unfortunately, if you provide the personal information requested under some guise in the email, this information will be used to make you a victim of identity theft, and if you click on the link or download attachments in the emails, you may download keystroke logging malware that will steal your personal information from your computer so that it can be used to make you a victim of identity theft.

Home Depot also disclosed for the first time that the way their computers were hacked was by initially hacking into third party vendors with lax security and using their usernames and passwords to gain access to the computers and data of Home Depot.  This was the same tactic used in the Target hacking and many other data breaches.  In fact, in a column I wrote for USA Today in September http://www.usatoday.com/story/money/personalfinance/2014/09/27/hacking-target-home-depot-credit-card/16221427/ I described the techniques used by hackers to infiltrate the computers of targeted companies through such third party vendors or others using offsite access to the computers of the targeted companies.  I mention this not to toot my own horn, but to tell you that the problem has not been solved and we will be seeing this pattern followed in future major data breaches time and time again.

TIPS

The takeaway from Home Depot’s announcement that identity thieves may have your email address is to be even more vigilant in regard to not clicking on links or downloading attachments in emails regardless of how legitimate they may look.  The risk is too great.  You can well expect that you may receive an email that appears to come from Home Depot and it may have a link for you to click on for either more information about the risk to you of the data breach or even to gain you access to free credit monitoring.  Such a legitimate email was sent by Target to its affected customers after its major data breach.  However, you cannot be sure that the email is legitimate so don’t click on the link or download any attachments.  Rather, if the message appears to you to be legitimate, merely go directly to Home Depot’s real website where you will find the real information.  When Target sent an email with a link to free credit monitoring, I ignored the email, went to the Target website and enrolled there for the free credit monitoring.