The 12 Scams of Christmas for 2017


Scammers make a killing during the holiday season. While you spend your time thinking of ways to bring holiday joy to others, they spend their time thinking up ways to steal from you. The saddest part about this is that the ghosts of Christmases past keep visiting Christmas present.

With that, I give you this year’s 12 scams of Christmas.

  1. The Gift Card Scam

While definitely a ghost of Christmas past, this still works, so scammers still do it. It’s pretty simple. In the store, the thief records the numbers displayed on a gift card (and, on cards with a scratch-off PIN, uncovers the PIN and re-covers it), then periodically calls the issuer or checks its website to see whether the card has been activated, which happens when the card is purchased. Once it has, the thief spends the balance before the recipient does. The problem here is one of timing: a card bought early in the shopping season is exposed for longer, and recipients of gift cards often take a while to use them.

Tip: Buy gift cards from behind the counter rather than from an open rack, inspect the packaging and the PIN cover for signs of tampering, keep the receipt, and make the purchase as close to Christmas Day as possible. Encourage the recipient to use the card soon after receiving it.

  2. Sneak Attacks on Your Credit

With the non-stop news of data breaches involving credit card numbers, many of us are walking around with compromised payment cards that can be used by a scammer, and there is no more perfect time of the year for them to try than Christmas. The usual warning signs of an account takeover, or a fraudulent charge, may be harder for financial institutions to spot, since Christmas gifts often don’t conform to a cardholder’s buying patterns.

Tip: Sign up for transaction alerts from your bank or credit card issuer that notify you any time there is activity on your accounts.

  3. Fake Charities

While it’s not exactly the way it plays out in our nation’s malls and shopping districts, Christmas is traditionally a time for contemplation and charitable giving—something captured very well in Charles Dickens’s classic, “A Christmas Carol.” So if you want to give during the holiday season, it’s crucial to make sure the appeal is real.

Tip: Before responding to an online appeal, visit the website by typing in the organization’s URL manually, or by using search to find the link. If you are still unsure, call. If you are still uncomfortable, use Charity Navigator or contact the Office of the Attorney General in your state to confirm the organization’s authenticity.

  4. Temporary Holiday Jobs

Holiday jobs are a good way to make some extra money, and there are a lot of them, but bear in mind there are myriad scammers out there who may offer fake jobs to harvest your very real personally identifiable information, the most valuable piece of which is your Social Security number.

Tip: Don’t give your Social Security number to anyone unless you absolutely have to, and don’t provide it before you confirm you’re dealing with a representative of a real organization that has offered a job to you. Never send your information digitally unless you know the recipient uses proper security protocols. (You may not be using secure tech either, so try to be conservative about what you send digitally.)

  5. Phishing, Vishing and Smishing

You might receive a phone call, a text or an email. It doesn’t matter what the delivery system is, it’s a fraud but it won’t necessarily look like one. It could look like a sales promotion from a brand you like, or an offer on a deal that seems too good to be true, or even just “pretty good.” Scam artists can be very nuanced. Be on the alert before you act on any offer.

Tips: Check that the URL matches the brand’s real domain exactly, not merely that the brand’s name appears somewhere in the address, and never provide personal information on a page that isn’t served over “https.” Bear in mind that https only means the connection is encrypted to whatever site you reached; a phishing site can hold a perfectly valid certificate for its own look-alike domain, so the padlock is necessary but not sufficient. Email links should always be considered suspect; type the address yourself instead.
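A concrete way to do the URL check above, as an added example that is not part of the original column: parse the link and compare the host you would actually connect to against the brand’s known domain, rather than looking for “https” or for the brand’s name anywhere in the address. The TRUSTED_DOMAINS table, the function name check_link and the sample links are assumptions made for illustration.

```python
"""Check whether a link really points at the brand it claims to.

Added example for this column, not Credit.com code. TRUSTED_DOMAINS and the
sample links under __main__ are assumptions made for illustration.
"""
from __future__ import annotations

from urllib.parse import urlsplit

# Assumed: the registrable domains you actually bank or shop with.
TRUSTED_DOMAINS = {
    "mybank": {"mybank.example"},
    "shopco": {"shopco.example", "shopco-orders.example"},
}


def check_link(url: str, brand: str) -> list[str]:
    """Return reasons to distrust `url` for `brand`; an empty list means it checks out.

    HTTPS is necessary but not sufficient: a phishing site can hold a valid
    certificate for its own look-alike domain, so the host is what matters.
    """
    reasons: list[str] = []
    parts = urlsplit(url)
    host = (parts.hostname or "").rstrip(".")  # urlsplit already lower-cases it

    if parts.scheme.lower() != "https":
        reasons.append("not https: the connection can be read or altered in transit")
    if not host:
        reasons.append("no hostname in link")
        return reasons
    # "https://mybank.example@evil.example/" shows the brand before an '@'
    # but connects to evil.example; the brand text is merely a username.
    if parts.username is not None:
        reasons.append("text before '@' is userinfo, used to disguise the real host")
    # Look-alike Unicode domains travel on the wire as punycode 'xn--' labels.
    if any(label.startswith("xn--") for label in host.split(".")):
        reasons.append("punycode hostname, possible look-alike domain")
    # The host must be the trusted domain or a subdomain of it. Merely
    # containing the brand (mybank.example.evil.example, mybank-secure.example)
    # does not count.
    trusted = TRUSTED_DOMAINS.get(brand, set())
    if not any(host == d or host.endswith("." + d) for d in trusted):
        reasons.append(f"host {host!r} is not a {brand} domain")
    return reasons


if __name__ == "__main__":
    for link in (
        "https://www.mybank.example/login",
        "http://www.mybank.example/login",
        "https://mybank.example.evil.example/login",
        "https://mybank.example@evil.example/login",
        "https://xn--mybnk-qsa.example/login",
    ):
        print(link, "->", check_link(link, "mybank") or ["looks consistent"])
```

The check is deliberately strict about subdomains: `www.mybank.example` passes because it ends in `.mybank.example`, while `mybank.example.evil.example` fails because the trusted name is not at the end of the host. That is the same rule a browser applies when deciding which cookies a page may read.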

  6. True Love

The holidays can be lonely, and catfishers know it. Romance scams are the worst, because they prey on emotions in the most exploitative way, tugging at the heartstrings with an eye to loosening the purse strings. The money lost can be considerable, and the upset unfathomable.

Tip: As corny as it seems, be careful with your heart and don’t give it away to just anyone. If you feel like you’re falling for someone and they somehow can never make an in-person appearance, don’t send them money to do so. You can do better.

  7. Hotel Scams

You might fall victim to the restaurant flyer scam, where a menu for a non-existent eatery is shoved under your door and the “order” you phone in hands over your card number, or to the front desk scam, where you get a call after check-in asking for another credit card number because “the one you provided was rejected.”

Tip: Assume the worst when in unfamiliar territory, and be on guard when traveling. If the “front desk” calls about your card, hang up and call the desk back yourself on the hotel’s published number, or walk down in person. Always distrust. Always verify.

  8. Fake Online Shops

This is a tough one, but here’s the deal: the bargain is the bait. Amazingly low prices on things that should cost far more are alluring, which is why people fall for fake online shops all the time. Pop-up shops are cool, but they are not always legit.

Tip: Look at the About Us page and call the designated contact number. If there is no number, think twice before making a purchase. Also pay attention to detail. Are there spelling errors in the copy? Bad-looking stock photos? Is the only payment option a wire transfer or a gift card, neither of which can be reversed? Look for trouble.

  9. E-Cards

We all appreciate the sentiment behind an e-card, but that should not outweigh the risk of malware that can take a computer hostage or record every keystroke so that your most sensitive credentials for financial accounts can be stolen. E-cards are a popular form of fraud among scam artists, and you should be very cautious when you receive one.

Tip: Email, call or text the sender and ask if they sent an e-card. In this environment of constant attack, they will understand (and if they don’t, your Christmas present to them can be forwarding this column).

  10. E-Voucher Scams

This scam is built for people old enough to remember a physical, printed voucher, which, presented in person at a brick and mortar store, would get you a discount. They were basically a coupon. E-vouchers are fine if they come in the form of a number sequence, discount code or keyword, but anything else should be considered suspect.

Tip: Be on the lookout for grammar or spelling errors. Always type in the URL of the site for which you have an e-voucher, and enter the code or number there. If it comes by way of text or email and it involves a link, don’t click through. 

  11. Fake Shipping Notifications

What could be worse than a message from your favorite e-tailer letting you know that the must-have item you ordered is out of stock or was sent to the wrong address? Another oldie but goodie among thieves is a notice informing you that the “item has been delivered” when it hasn’t been. The message is bait: the link in it leads to a credential-harvesting page or a malware download, not to your order.

Tip: Never click any link associated with this type of communication. Always log onto the e-tailer site for more information, or pick up your phone and call.

  12. Wish List Scams

Online wish lists are a bad practice that should be discouraged. In theory, the online wish list creates a place where friends and relatives can find out what you want for Christmas, which many find preferable to guesswork. Beyond being horribly transactional, the practice opens the list-maker to phishing attacks, since scam artists will automatically know what interests you.

Tip: If you must post a wish list online, custom set the privacy on the post so that only particular people can see it, and don’t include any personally identifiable information.

At Christmas it’s always better to give the gift, than be the gift that keeps on giving to identity thieves.

If your personal information does fall into the hands of a scammer, be sure to monitor your credit for signs of identity theft. You can do so by viewing your free credit report snapshot, updated every 14 days, on Credit.com.


Image: iStock

The post The 12 Scams of Christmas for 2017 appeared first on Credit.com.

How the Uber Hack Could Get You Robbed This Christmas (Again)


News that Uber got hacked and 57 million records were compromised may not seem like an overt threat after this year’s constant mega breaches—but it is. A recent study suggests that even something as “harmless” as a breach involving names, phone numbers, and email addresses can lead to account takeover.

The study, entitled “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials,” was backed by Google and conducted in partnership with the University of California, Berkeley, and the International Computer Science Institute.

While the title may sound boring, the takeaway is terrifying: Account takeover isn’t happening the way many people think.

What Is Account Takeover?

The first thing you need to know about account takeover is this: It’s an incredibly serious matter.

Account takeover is a form of fraud. A criminal attempting account takeover may target your bank account, your credit card accounts, or any other financial service where you do business. Once a criminal has control of an account, you will be robbed.

It’s easy to understand how your Social Security number can be used to defraud you, not to mention the time-suck of setting the record straight with whatever companies composed part of the digital “crime scene.”

Since the days of the rotary telephone, our Social Security numbers have acted as virtual skeleton keys to our financial realities. It was the way we proved that we were the right person to access our money at a bank or to be granted credit. For a long time criminals have found creative ways to use that same key to rob people—whether through the creation of new credit accounts or through account takeover.

Stolen credentials come in many forms, and they are not equal by any means. The importance of the Google study hinges on this new reality: Social Security numbers aren’t the worst threat to your accounts based on current statistics. And herein lies the kernel of what matters most in the study.

Account takeover can also zero in on your email.

How can you be robbed if a criminal has control of your email account? Think about how many of your active online accounts will send a link to reset your password via email, and then continue reading after you stop hyperventilating.

In a world where most of the day-to-day transactions we make are digital but two-factor authentication has not been universally adopted, the control of your email account by a third party may create an even greater vulnerability to fraud than the possession of your Social Security number.

Why Uber Matters (and Doesn’t)

The Uber hack was discovered more than a year before it was reported, and the company paid the hackers $100,000 to keep the incident under wraps. That such things aren’t considered serious crimes in the US is something to ponder, but that’s not the reason the hack matters.

The longer your information is “out there” unbeknownst to you, the longer you are unwittingly exposed to all stripes of crime—including account takeover.

There are many ways you can be attacked, but with the Uber hack, email would be the way in. The phishing ruse can be anything. Social engineering, or the art of tricking people into doing what you need them to do so you can rob them, can be endlessly creative.

Because the Uber hack included names and phone numbers in addition to email addresses, affected consumers may have spent the past 12 months being exposed to the more insidious threat of spearphishing and fraud via vishing (voice phishing).

In spearphishing attacks, the fraudster does a little research. For instance, using an Uber customer’s phone number, they may locate a Facebook account, and, from there, identify close friends and family. The criminal then sends a spoofed email from what he or she guesses will be a trusted sender, with a link that downloads keystroke-logging malware and thus puts the recipient one login away from account takeover. A majority of people reuse the same password at different sites, which means the fraudster will likely have access to multiple accounts once they learn one password.

Some questions you should always ask:

  • Is it the right time of the month? (Your banks and other accounts usually send statements on the same day every month.)
  • Does it make sense? (Has your cousin ever sent you a cute animal video before?)
  • Can you trust those links? (Convincing spoofs are hard to detect by eye, so a good rule of thumb is to distrust all links, always, and type URLs to wherever you need to go.)

And of course, check the email address behind the display name on any email you receive before replying, and never be shy about asking a sender if they sent you something.
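As an added example (not part of the original post), here is the “look behind the display name” check done on raw message headers with Python’s standard email library. The KNOWN_SENDERS table, the function inspect_message and the two sample messages are constructed for illustration. It flags a From address outside the brand’s domain, a display name that is itself an address, and a Reply-To that routes answers somewhere else; it cannot catch a From line that is forged outright, which is what the receiving mail server’s SPF, DKIM and DMARC checks are for.

```python
"""Look behind the display name of an email before trusting it.

Added example for this column, not Credit.com code. KNOWN_SENDERS and the
two sample messages below are constructed for illustration.
"""
from __future__ import annotations

from email import message_from_string
from email.utils import parseaddr

# Assumed: the domains a given brand really sends from.
KNOWN_SENDERS = {
    "mybank": {"mybank.example"},
}

# Constructed sample: a genuine statement notice.
SAMPLE_LEGIT = """\
From: MyBank Alerts <alerts@mybank.example>
To: you@home.example
Subject: Your December statement is ready

Log in to view your statement.
"""

# Constructed sample: the display name is a fake address, the real sender is
# a free-mail domain, and replies are routed to a third host.
SAMPLE_PHISH = """\
From: "alerts@mybank.example" <promo@free-mail.example>
Reply-To: collect@another-host.example
To: you@home.example
Subject: Action required: verify your account

Click here to verify.
"""


def address_domain(header_value: str) -> str:
    """Domain part of the address in a From:/Reply-To: header value, lower-cased."""
    _display, addr = parseaddr(header_value or "")
    return addr.rpartition("@")[2].lower()


def inspect_message(raw: str, brand: str) -> list[str]:
    """Return reasons to distrust a message that claims to come from `brand`.

    An empty list means the visible headers are consistent; it does not prove
    the mail is genuine, since From: can also be forged outright.
    """
    msg = message_from_string(raw)
    reasons: list[str] = []
    display, addr = parseaddr(msg.get("From", ""))
    domain = addr.rpartition("@")[2].lower()
    trusted = KNOWN_SENDERS.get(brand, set())
    if not any(domain == d or domain.endswith("." + d) for d in trusted):
        reasons.append(f"From address is at {domain!r}, not a {brand} domain")
    # Classic trick: put an address in the display name so a casual glance
    # sees "alerts@mybank.example" while the real address sits in <...>.
    if "@" in display:
        reasons.append("display name contains an email address")
    reply_to = msg.get("Reply-To")
    if reply_to and address_domain(reply_to) != domain:
        reasons.append(f"replies would go to {address_domain(reply_to)!r}, not the sender")
    return reasons


if __name__ == "__main__":
    for name, raw in (("legit", SAMPLE_LEGIT), ("phish", SAMPLE_PHISH)):
        print(name, inspect_message(raw, "mybank") or ["looks consistent"])
```

Most mail clients show only the display name by default, which is exactly why the phishing sample puts a plausible address there; widening the header view, or running a check like this one, is how you see the `<promo@free-mail.example>` that actually sent it.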

Another thing you should do whenever possible: Enable two-factor authentication. But bear in mind that even if you do everything right you may still be compromised. Unfortunately, there is no silver bullet. There is only vigilance and the three Ms (minimize your exposure, monitor your security, and manage the damage), which I discuss in my book, Swiped.

The violation of privacy associated with the takeover of an email account is disturbing, but it is nothing compared to the potential life disruption it can cause. Now more than ever, you need to be exceedingly careful about the links you click on in email and the calls you take—because you truly never know who’s on the other end.

If you fear you have been the victim of fraud, check your credit report for suspicious activity. You can get your free credit report at Credit.com.

Image: istock 

The post How the Uber Hack Could Get You Robbed This Christmas (Again) appeared first on Credit.com.

Tips for Buying Safe Connected Devices This Cyber Monday


Keeping up with news alerts about cybersecurity flaws in consumer electronics is a lot like picking up spilled jelly beans one at a time with a plumber’s wrench. Even if you figure out how to do it and have endless patience, a few will skitter out of sight.

Assume for the moment that, unlike most people, you think a lot about cybersecurity and you do your homework before buying a connected device. (I know. This is a truly ridiculous proposition. But let’s just say it’s the case.)

As you prepare for Cyber Monday, make cybersecurity part of the purchase process. What does your thinking about cybersecurity look like? What form does it take? Perhaps you like to use a search engine to see if there have been any obvious problems associated with the product, service, or device you’re considering. And by problems, I mean specifically cybersecurity and privacy issues.

This simple action can save you from a time-consuming hassle later. Security lapses abound. It’s your job to know about them.

Your Role in Cybersecurity

If you think this sort of research is too hard, relax. It’s easy. A simple search using the name of the item in question as well as terms like “compromise,” “privacy,” and “breach” is a good place to start.

For example, maybe you’re thinking about giving someone a credit monitoring gift that protects them from fraud. You might do the following searches:

  • “Equifax hacked”—About 901,000 results (0.58 seconds)
  • “Experian hacked”—About 128,000 results (0.63 seconds)
  • “TransUnion hacked”—About 62,800 results (0.37 seconds)

Now, bear in mind, many of the search hits on Experian and TransUnion (both of which offer sophisticated monitoring programs) come by way of obligatory mentions in the coverage of the Equifax compromise.

You’re Still Not Safe

Let’s say you get a connected cam to monitor an aging parent. There are some basics to consider. You’ve got to assume, for example, that Mom may not want to be the star of a Russian reality TV show called something along the lines of “Stupid Americans I Have Hacked.” But you also have to assume it could happen.

If you did your homework right, you know there’s been a problem with many plug-and-play webcams involving manufacturer default passwords: the same factory credentials on every unit, which most owners never change, and which the Mirai botnet used in 2016 to enlist hundreds of thousands of cameras and video recorders.

Checking for known security issues or a history of poor security is important, but there is still more work to be done before Cyber Monday to make sure you’re not giving someone a gift that robs them blind, opens them up to public ridicule, or simply embarrasses them.

The Most Important Question

That camera with seemingly perfect security you got your mom could become a live feed to her own version of The Truman Show for an avoidable reason: the cam wasn’t patchable. This means that when a security flaw is discovered, there is no way to protect the cam because it cannot receive security patches.

You’ve read privacy policies online and have made sure the product you’re thinking about doesn’t get significant revenue by selling data collected from this or that smart device, but the item also needs to be patchable.

Many companies do a very good job. Contrary to the folklore about planned obsolescence at Apple, the company is excellent at supporting older devices and operating systems, and it is a top player when it comes to security patches.

Let’s focus on gadgets. If the connected device you’re considering is not kept updated after later generations of that product or a related service launch, keep looking for one that is. Check the vendor’s support page for how long updates are promised and whether the device installs them automatically.

And ask, Is this connected device patchable?

This Cyber Monday, the only way to find those errant jelly beans mentioned above is to do the requisite research.

While nobody has the time to read every news item about product security, with the holiday shopping season upon us, it’s imperative to think about cybersecurity basics.

Data breaches and other compromises are the third certainty in life, right behind death and taxes. The simplest way to avoid falling prey to products and services that offer shabby or nonexistent cybersecurity? Don’t buy them.

If you fear your information has been compromised through an unsecure device, review your credit report for any suspicious activity. You can get your credit report for free through Credit.com.

Image: istock

The post Tips for Buying Safe Connected Devices This Cyber Monday appeared first on Credit.com.

Can You Hack-Proof Your Personal Email Address?

This simple trick can help reduce spam and add an additional layer of protection against phishers and identity thieves.

How would you feel if the digital “you” were deleted? The common wisdom in cybersecurity circles is that if you think it can’t happen to you, it probably will. Consider Mat Honan’s story.

“First my Google account was taken over, then deleted,” Honan wrote. “Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages.” Honan’s Apple ID was used to remotely delete all the data on his iPhone, iPad, and MacBook.

“My accounts were daisy-chained together,” Honan confessed. Sound familiar? Most people’s accounts are daisy-chained the same way. Even if you have everything segregated and use multi-factor authentication, chances are good that your personal email address is used to log in to most of the places you go online.

If a hacker gains access to your personal email account and, like most people, you’re lax when it comes to personal cyber hygiene, it could be game over for you—not only with regard to your data, but for whatever assets and accounts you manage online.

Can Your Personal Email Be Hack-Proofed? 

The short answer is no. Hacks and data breaches are the third certainty in life, right behind death and taxes. In fact, the most likely reason you haven’t been hacked yet is that there is a staggering number of sitting ducks out there. Needless to say, however, there is no safety in numbers. Hackers become more efficient all the time. 

While there is no silver bullet to our collective vulnerability, brothers Steve and Robert Yoskowitz think they might be able to help with Joinesty, a Chicago-based digital security startup that recently released an interesting Chrome extension.

Like LastPass and other password managers, Joinesty allows users to change passwords for everything they access online. Login credentials are automatically generated and easy to manage.

What makes Joinesty different is that they also let users create unique email addresses (to be forwarded in real time or delivered in daily digest form) for everything they access online, thereby shielding their personal email address from prying eyes.

In addition to email management, Joinesty lets users know about deals that are available at over 7,500 merchants in real time.

“The feature injects into Google so users can see what deals are available within their search results,” CFO and co-founder Steve Yoskowitz told me. “As cybersecurity and privacy become everyday and every-person concerns, we are trying to create an environment of security appealing to a demographic which may not know how much they need it, while targeting the interactions and online behavior that expose users the most.”

Lest you decide that Joinesty is an advertising vehicle disguised as a cybersecurity solutions company, I asked about revenue, which is subscription based: users can choose between monthly or annual subscriptions at $6.99 a month or $41.99 a year.

“The pillars of the Joinesty brand are trust, transparency, and simplicity,” Yoskowitz told me.  “We structured every aspect of our platform around these pillars, including our revenue model.”

Why Personal Email Addresses?

Nobody needs a disquisition on the dangers of using the same password for different accounts and services, though the number of consumers who still do it is alarming.

Instead, how about a quick lecture: According to one recent survey, more than 80% of people 18 and older re-use the same password across multiple accounts. The most popular password in 2016 was “123456.” For less than $1,000, hackers can buy a machine that tests billions of password guesses per second against a stolen database of password hashes, so a short or common password falls in moments. Effect: You are vulnerable. Password managers work, so use one. (End of sermon.)

Actually, it’s not quite the end of the sermon. Because lousy password hygiene is so prevalent, you need to know if your personal email address has been leaked in a data breach or, better yet, just assume that it has been. Haveibeenpwned.com is one place to go if you’re curious.

Personal email addresses present a huge vulnerability for most people and an infinite number of clear-sky lines of attack for hackers.

A recent data sample found that in the United States there are an average of 130 accounts assigned to a single email address. We’re talking about newsletters, e-commerce sites, banks, gyms, portals to your medical records and healthcare coverage, investments, car loans, credit cards, and, as Mat Honan knows all too painfully well, social networking sites.

Your personal email address is one of your most visible forms of personally identifiable information (PII), and yet many websites require it. If your email is commandeered, whoever has control of it is just a few clicks away from taking control of your finances and anything else they might care to target. Think of your email address as a much less secure version of your Social Security number—especially if you have bad password habits.

I asked Yoskowitz about the use of personal email addresses as a login credential. After a quick scan of the top 210 Quantcast sites, he found that only 26 had no login. “Two had a username—instead of email—for logging in, so roughly 86% currently require email for login,” Yoskowitz told me.

Fewer Opportunities to Click and Get Got

So, is Joinesty addressing the personal email problem or taking advantage of it? Does the solution open up new vulnerabilities? Is this merely a ploy to sell ads and profit off our collective cyber-insecurity? 

The first thing you need to know is that Joinesty offers something of value.

It is not tokenization per se, but it’s like it in that Joinesty replaces PII (in this case your personal email address) with equally valid but non-identifiable data.

“We retain the purposes and benefits of tokenization allowing the user to retain all the functionality of giving out their personal email—logging into their accounts, receiving deals—without that email address having any inherent value to hackers because of its unique one-off nature.” 

Parting shot from my book Swiped: When creating an account on sites that allow a non-email login name, let your spirit fly. Be creative (but store it in your password manager, or on a cheat sheet that resides on an encrypted memory stick). You might even consider using a long-and-strong password as your login name if the site will allow it.

Image: svetikd

The post Can You Hack-Proof Your Personal Email Address? appeared first on Credit.com.

5 Ways to Keep Your Personal Health Information Safe


Did members of the royal family go under the knife at an upscale London plastic surgery clinic? A recent hack at London Bridge Plastic Surgery may reveal the answer to that—and many other questions you never thought to ask.

Setting aside the obvious follow-up questions (Do you care? Is it any of your business?) and regardless of your curiosity about seeing the picture proof of royal rearrangements, you should be paying attention. The hack speaks to our collective vulnerability when it comes to protected health information (PHI).

What Happened

The hacker collective known as The Dark Overlord took responsibility for the royal family’s data grab. The group’s responsibility was confirmed by The Daily Beast after a reporter at the site reviewed both in-progress and before-and-after photographs of family members’ physical enhancements.

You may remember The Dark Overlord: it was behind an October hack that featured threatening texts sent to parents of school-age children in several states and voicemails left by victims being dumped online. The group was also behind a notorious Netflix-related hack. It memorably stole the fifth season of Orange Is the New Black from Larson Studios and released the first episode even after having received about $50,000 in Bitcoin to not do so.

As reported by Variety, The Dark Overlord had decided that its victims were in breach of contract. Specifically, “Larson Studios was in great delinquency of the agreement after sources confirmed law enforcement cooperation,” the group claimed. “Our agreement provides us the right to execute harmful action against any client who defrauds our agreement.”

Why It Matters

Did you notice how The Dark Overlord called the studio its “client”? I have long said that while we have day jobs, all of us collectively are hackers’ day job. Their sole objective in life is to turn the assets of our identity into money. Always remember that your personal information is an asset with real, assignable value.

The Dark Overlord is not alone in viewing its victims in this transactional way. Hackers are in it for the money. Bigger operations offer customer service–style communication to make the ransom/payoff part of the process a high-touch consumer experience.

You may think, “This can’t happen to me.” But how do you know? Consider how your medical provider stores your PHI. Have you ever seen a physical file? Do you know where it’s stored and who has access to it? That sort of physical information is vulnerable. It could easily be stolen or duplicated. What about electronic data? Everyone knows that just because an entity stores information digitally doesn’t make it secure from compromise.

5 Steps for Keeping Your PHI Safe

Security is complex and requires constant maintenance. Here are five steps you should take to keep your personal health information safe from hackers and other ne’er-do-wells.

  1. Ask if your medical provider implements a data security solution. While it may seem like a simple question, many providers don’t have a clue about data security. The only way to find out if yours does is to ask.
  2. Find out if your medical provider uses a vendor. If your medical provider uses a vendor, get the name and check out its reputation online.
  3. Ensure that your medical provider encrypts your PHI, both at rest (on disk and in backups) and in transit (whenever it moves between systems). Your doctor may not know whether that is the case, especially if they use a vendor as their data security solution. Either way, push the point. The only way we all become more secure is if we all demand a high data-security IQ from our peers and service providers.
  4. Inquire about who has access to your PHI. By asking this question you may be pointing your provider to safer records. Only your doctor and other medically trained staff with a reason to be looking should have access to your PHI.
  5. Locate where your PHI is stored and how it moves around. Does your medical provider use a cloud server or onsite hardware to store your PHI? How are the servers connected to the network? Is there a secure network used solely for PHI and another for less sensitive traffic or smart devices used in the office?

We All Have Something to Lose

Granted, you may not have had any work done at a fancy plastic surgery clinic, but you’ve probably been to a doctor—and most likely at least once for an ailment that you’d rather not have broadcast to others. The victims of the data breach at London Bridge Plastic Surgery are just like you and me for that reason, even if they are royal. We all have something to lose: our privacy.

The sensitive data theft lottery definitely discriminates—high-end targets pay upper-class ransoms—but you can’t rely on your relative obscurity to protect your PHI.

As far as plastic surgeons getting compromised goes, this isn’t the first time a high-profile doc has gotten rolled for photographs and other PHI. And it probably won’t be the last, which should be reason enough to get you to call your doctor and ask how your information is protected.

If your protected health information or other personally identifying information gets hacked or leaked, it could negatively affect your credit score—and your ability to apply for a mortgage, personal loans, or credit cards. Keep an eye on your credit score by regularly reviewing your credit report for free on Credit.com.

Image: istock 

The post 5 Ways to Keep Your Personal Health Information Safe appeared first on Credit.com.

Why Spam Is More Dangerous Than Ever


Spam is supposed to be a thing of the past, but it’s not—and today it comes weaponized with manifold data-grabbing threats—from ransomware to keystroke recorders and beyond. Your email has never been more dangerous.

There was a time in the early 2000s when email spam and malicious botnets were viewed as mere nuisances. A confident Bill Gates waved it away at the 2004 World Economic Forum in Davos, Switzerland: “Two years from now, spam will be solved.” The technical community was on the job—it had spam’s number.

Unfortunately, it was a repeating number.

Today, criminals are spreading evermore malicious forms of email spam, and the number of spam emails is still robust. Though not at early-days numbers, spam accounts for more than half of all email traffic.

Multi-Tiered Attacks

Spambots are multitaskers these days. First, they trawl the internet for email addresses. (Yes, email addresses are sensitive information for this reason.) Next, they compile a gargantuan mailing list. Final step: they send your grandmother an email that promises to solve her male-pattern balding.

That is, unless that email offers her a discount on a medication that she takes, and she clicks a link that downloads software that exfiltrates all her user credentials.

Onliner is an especially pernicious spambot. Crafted to bypass many types of spam filters, Onliner specializes in the delivery of messages containing malicious attachments. It may name the IRS, hotel chains, or delivery services as the sender. The social engineering is nuanced, designed to trick the recipient into clicking on the attachment, thus triggering a copy of the Ursnif Trojan to install. Ursnif then swiftly steals account logins, credit card details, and other personal information.

There are others. We know about Onliner because its creators neglected to lock down a server, which allowed access to Onliner’s master mailing list of 711 million email addresses.

“What this tells us is that the spamming industry is alive and well and continues to adapt to produce a steady stream of profits,” observes Christian Lees, chief security officer at threat intelligence company InfoArmor. “Email continues to be an efficient attack vector. A high percentage of major data breaches are directly sourced via email.”

Stunning Advancements

Some historical context is helpful in understanding just how far spam and botnets have advanced. When Bill Gates spoke at Davos, spamming was carried out manually, and spammers had to actually rent or steal time on physical servers housed at hosting companies. Meanwhile, botnets consisted of PCs surreptitiously infected and controlled by script-kiddie hackers out to make a name for themselves.

Today, spam delivery has become highly automated, thanks to the wide availability of resilient botnets for hire. Instead of having to bother with hosting services, spammers retain the services of a botnet operator who is in command of tens of thousands of infected PCs, supplemented with tens of thousands more virtual instances of computing devices.

These virtual bots represent a stunningly clever abuse of public cloud computing resources, such as Amazon Web Services, Microsoft Azure, and Google Cloud. Botnet operators can now spin up hundreds of thousands of virtual bots cost-effectively in the public cloud, which is why we now experience periodic surges of garden-variety advertising spam.

Wide-Open Attack Vector

Understandably, spambots are of acute concern to financial services companies, health care businesses, and other vertical industries that do business with their consumers online. These organizations recognize the “potential for losing their credibility,” says Giovanni Verhaeghe, product strategy director at VASCO Data Security. “Customers are wondering which messages are fake and which ones are really sent by the bank.”

Most organizations today filter email aggressively. But as Onliner makes clear, filtering is not enough. Email remains a wide-open attack vector that criminals continue to successfully exploit. The very existence of spambots reminds us that each individual bears the burden for staying alert, reducing their digital footprint whenever the opportunity to do so presents itself, and responding quickly if their email is hacked.

What does this mean for you? First: it’s time to dial back on convenience and use multi-factor authentication whenever it’s offered. And for sure it’s time to stop sharing every detail of our digital lives. Companies can help by providing efficacious employee training and encouraging a security-first culture. Employees need to be continually reminded of the spam threat. Spearphishing has never been more nuanced. “Trust but verify” should be everyone’s watchword these days.

Someday our technocrats may “solve” the spam problem, as Bill Gates predicted. But it won’t be tomorrow.


Are Your Connected Devices Safe?


The number of Internet of Things (IoT) devices in use is forecast to hit 8.4 billion this year. That’s more than the human population on planet Earth. And with successful attacks like Mirai (the malware used in the 2016 Dyn cyberattack) already a part of the IoT story, there’s plenty to worry about.

It’s crucial we give this latest market exuberance a brief time-out. Unfortunately, the chances of that happening are fairly slim. So, what to do between now and the next zero-day exploit?

I’m specifically recommending a cyber “time-out,” and not a “breather” or any other term signifying a pause or cessation of activity. IoT technology is in its infancy and growing faster than projected. And it’s flawed.

Connected devices have not been around very long, and yet they’ve already managed to cause no end of trouble—whether we’re talking about hijacked baby monitors, IP cameras, or exercise trackers that broadcast granular details about your sex life to anyone who might be curious about it.

We need a time-out to think through and implement best security practices for the IoT market.

Are Connected Devices a Cyber Catastrophe Waiting to Happen?

With total spending on IoT or connected devices pegged to hit $2 trillion this year, the market is undergoing a period of staggering growth.

IoT is increasingly present in daily life. It can be found in kitchen appliances, cars, health care equipment, toys, exercise gear, and peripherals like watches and monitors. It’s in security systems and many of the creature comforts populating our homes.

On all fronts, the upside is impressive. Consumers get to shop for a whole new universe of things they never knew they wanted, and manufacturers are increasing their revenues. In case you don’t have the figures handy, the revenue target for 2017 represents 31% growth over the previous year.

Sounds great, right? But while everyone benefits from the hunger for next-generation, hyper-connected everything, consumers may lose sight of the security pitfalls that come with it. At the risk of being a killjoy, I believe it doesn’t just seem reasonable, but absolutely essential, to assume many new devices currently hitting the IoT market aren’t cybersecure.

So, while the boom in connected devices looks like a win for everyone, it’s not. When consumers connect new devices to the Internet, their attackable surface expands. Data is being moved around. New doors are opened.

Even the most cursory look backward reveals the likelihood of future attacks.

New Products, Better Prospects?

Nest is a popular smart home player in the IoT sector. The company just released some new devices, including home security cameras, which made me wonder about the lessons learned from recent zero-day fails.

In the Persai/Mirai catastrophe, IP cameras and routers were hijacked and roped into a botnet that hackers used to launch a massive distributed denial of service (DDoS) attack against Dyn, which routed traffic for major websites. The sites affected by the attack included The New York Times, HBO, PlayStation, Etsy, Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, and PayPal.

The Dyn attack was the direct result of rushing connected devices to market. IoT devices were sold to consumers with default passwords that many people never bothered to change (some don’t permit passwords to be changed), security taking a backseat in the race to the marketplace. While there was little to no issue with the affected devices on the consumer end, the hackers were able to use all those points of contact to launch the crippling attack on Dyn. And yes, that attack affected everyone. A back-of-the-napkin estimate on total cost is in the billions, not millions, of dollars.

In addition to Nest, I reached out to other IoT device manufacturers this week to hear what they’re doing to protect consumers in the wake of the Dyn attack and the mad rush to cash in on the robust market for connected devices. Of the 10 companies I contacted, only three got back to me.

Both Nest and Vivint (a leader in smart devices with excellent security) responded with answers that were music to my cyber-paranoid ears, though I’ll spare you the details. The same was not true of the third response, which came from a Honeywell representative: “I’d need quite a bit more time to fact check answers through our various businesses given the breadth of your questions.”

My questions:

There have been many instances of cams with factory-default passwords getting hacked—do new [Honeywell] cam products require the end user to create a secure password before they will function? Do they allow the consumer to create a password? What security measures were designed into the product?

What measures have been taken to protect other smart home products from hackers?

These questions are elementary. One has to suspect the reason so many companies failed to reply is that they don’t have great security built into the design of their products.

The takeaway here is simple, but important. When you are shopping for a connected device, security should be the first thing you ask about—even before checking out proffered features. The future is as safe as you make it.


Post Equifax: Will Free Credit Freezes Help?


When Equifax announced the historic data compromise that exposed the sensitive personal information of up to 143 million consumers, the company said victims would have access to credit freezes for a month free of charge. This was not exactly a solution to the fresh hell it had just announced.

Frankly, it seemed like a relatively cheeky move considering the staggering number of people who had just learned that they will be looking over their shoulders for a virtual mugger for the rest of their lives. I wouldn’t be surprised if Saturday Night Live re-creates Equifax’s offer of free credit freezes (for a whole month!) as a classic schoolyard drama featuring a bully holding a stolen bike in front of its owner and offering to give it back for a hefty fee.

My first thought was definitely not, “That seems fair.”

And while I can’t speak to whether there was any discussion of sketch comedy in their process, the Identity Theft Resource Center (ITRC) seems to have had a similar reaction. It launched a change.org petition that urged Experian, TransUnion, and Equifax to let consumers freeze, thaw, and refreeze their credit files, free of charge, once per year.

Sadly, this is not a solution either.

The Legislative Angle

Senators Elizabeth Warren (D-MA) and Brian Schatz (D-HI) recently introduced legislation that would force the Big Three credit bureaus to provide more robust solutions to the 24/7 identity-theft quagmire we now inhabit thanks to the Equifax breach.

One of the main provisos was a legislative version of the ITRC petition: Give all Americans access to free credit freezing (and unfreezing) for life. Additionally, the bill would force the credit bureaus to reimburse any fees collected for freezes purchased after the Equifax compromise was made public.

“Credit reporting agencies like Equifax make billions of dollars collecting and selling personal data about consumers without their consent, and then make consumers pay if they want to stop the sharing of their own data,” Warren said when announcing the bill.

The Freedom from Equifax Exploitation Act is a move in the right direction, a roadmap for the Big Three to provide consumers with more robust fraud protections as well as an additional free annual credit report. (One free report is already a consumer right in the United States. You can check your credit report for free at Credit.com.)

That SNL sketch encapsulates the feeling of the Freedom from Equifax Exploitation Act: credit bureaus shouldn’t be able to profit off the fear generated by their failures to protect our sensitive data.

Freezes Aren’t the Answer

While it is good to get those freezes (if you can figure out how to set them up), a credit freeze is by no means the be-all and end-all answer to the “What now?” reality of 143 million consumers.

Credit freezes do not mitigate all threats.

First of all, you are still vulnerable to attacks on existing accounts. Two easy ways to help diminish this threat are setting up transaction alerts and opting for two-factor authentication wherever it is offered.

You are also more susceptible to spear phishing emails and texts now, since fraudsters now know where you bank, where you have debt, and who financed your car. They no longer have to guess which bank you use, thereby making the whole process of defrauding you much more expedient—a real win for scam artist productivity. Employment and tax fraud as well as medical/healthcare fraud are also real concerns after the breach.

The best course of action given all these variables is to change the way you think about your vulnerability and practice the Three Ms, which I discuss in my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.

  1. Minimize your exposure. Don’t click on suspicious or unfamiliar links; don’t authenticate yourself to anyone unless you are in control of the interaction; don’t over-share on social media; be a good steward of your passwords; whenever offered, opt for 2-factor authentication; safeguard any documents that can be used to hijack your identity; and freeze your credit.
  2. Monitor your accounts. Check your credit reports religiously; keep track of your credit scores; review major financial accounts daily if possible (better yet, sign up for free transaction alerts from financial services institutions and credit card companies); read the Explanation of Benefits statements you receive from your health insurer; and seriously consider purchasing a sophisticated credit- and identity-monitoring program.
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and employers.

The Three Ms are not a solution to the threat of scams in the wake of the Equifax hack, but they are a lifestyle change that can help fend off the inevitable attempts to exploit your identity for ill-gotten gain.


The Equifax Breach and the Cybersecurity Silver Bullet


Some time ago, the popular show Mythbusters wanted to find out if the Lone Ranger was right about silver bullets being better than lead ones. Turns out silver bullets are actually slower and less accurate.

When it comes to cybersecurity, quick-fix silver bullets are also less effective than tried-and-true approaches. The most effective cybersecurity strategies begin with two certainties: mistakes will be made, and breaches like the one that hit Equifax will keep happening.

The 143 million consumers exposed in the Equifax breach provide plenty of evidence that there’s still no effective “silver bullet” when it comes to both chronic and acute threats to our collective cybersecurity.

While the Equifax breach is by no means the largest hack to date (that distinction still belongs to Yahoo), it definitely stands out as the breach with the greatest potential to harm its victims.

The Equifax hackers got the most complete data dossiers possible on millions of people. Those dossiers are worth about $30 on the black market and include Social Security numbers, names, addresses, birth dates, and, in some cases, driver’s license numbers. Additionally, the credit card numbers of 209,000 consumers were lifted.

What can be done with this information? Just about every sort of identity theft imaginable.

Credit lines and credit-worthiness can be destroyed overnight, health care records can be polluted with the information of thieves using your benefits illegally, and it can be nearly impossible to get medications filled in a timely manner. Crimes can even be committed in your name, since the thieves have all they need to create a driver’s license with your information and someone else’s photograph.

No Easy Fix

If there were any easy way to solve the data-breach problem, we’d be seeing fewer newsworthy compromises. But as yet, nothing works.

Take, for instance, biometrics. Fingerprints, retina scans, body weight, and shoe size—they offer a great addition to the various ways we authenticate ourselves to the systems storing our data. But they are not a true fix. If a security patch released by a software provider is not installed, as happened in the Equifax breach, it doesn’t matter how many body parts you scan.

Picture the mailboxes in the lobby of a city dwelling—the individual boxes can be opened with one master key so the letter carrier can slot the mail for all the apartments at the same time. It doesn’t matter how well you protect the key for your one apartment’s mailbox if a thief gets access to the master key. The same goes for individual cyber hygiene in the face of a breach.

One of the most promising solutions was once thought to be tokenization—replacing sensitive data with surrogate tokens that are useless to a thief outside the system that issued them—but it suffers from the same issue that was behind the Equifax hack: human beings messing up.

Tokenization systems have to be secured and validated using security best practices. That’s where the fallibility part creeps in. Those best practices still need to be implemented by fallible humans with busy lives who have not been told—and consistently reminded—that they are the only solution to the data breach problem.

Data breaches and the identity-related crimes that flow from them are the third certainty in life—right after death and taxes—because there will always be that fallible human element. Education can help mitigate the risks, but even the savviest populace will make mistakes.

Real Solutions

Senator Elizabeth Warren has set her sights on the three credit reporting bureaus, specifically demanding that they offer credit freezes for free. The looming threat of credit hijacking is made possible by the hoarding of information—the credit reporting bureaus’ daily bread. It seems logical, then, that the bureaus should have to pay for the most common crime that data can lead to: credit fraud.

While new laws are good, education is the only real solution.

For many years now I have been advocating a system called the Three Ms, which are the centerpiece of my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.

Practicing the Three Ms continues to be the best way to keep your personally identifiable information from being used in identity-related crimes. 

  1. Minimize your exposure. Don’t click on suspicious or unfamiliar links; don’t authenticate yourself to anyone unless you are in control of the interaction; don’t overshare on social media; be a good steward of your passwords; opt for two-factor authentication whenever it’s offered; safeguard any documents that can be used to hijack your identity; and freeze your credit.
  2. Monitor your accounts. Check your credit reports religiously (you can check your credit report for free on Credit.com); keep track of your credit scores; review major financial accounts daily if possible (better yet, sign up for free transaction alerts from financial services institutions and credit card companies); read the Explanation of Benefits statements you receive from your health insurer; and seriously consider purchasing a sophisticated credit- and identity-monitoring program.
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and employers.

The odds of President Trump giving his entire fortune to the NAACP are probably better than the chances that we’ll be experiencing fewer big breaches in the future. An individual’s security protocol is only so useful, but an individual’s actions make all the difference.


Your Equifax Download: What You Need to Know about the Equifax Hack


Everyone knows a mosquito bite doesn’t really start itching until the damage has already been done, and the same goes for many kinds of identity-related crimes. With news of the recent Equifax breach continuing to surface, what do you need to know now to limit your exposure?

Equifax has estimated the hack impacts 143 million people, mostly in the United States. (That’s almost half the US population!) The thieves stole names, Social Security numbers, birth dates, addresses, and driver’s license numbers.

Each item of personally identifiable information (PII) is like an ingredient for a recipe. The more ingredients you have, the more recipes you can prepare. Similarly, the more pieces of PII exposed, the more kinds of fraud thieves can commit. If there were a fraud equivalent of The Joy of Cooking, thieves just got access to all the ingredients necessary to make every recipe in the book.

The Problem with Freezing Your Credit Report

The New York Times reported still more bad news in the wake of the Equifax announcement.

The credit freeze service Equifax offered (initially for a fee, until it finally decided to provide it free for 30 days) generated PINs that were based on the date and time the PIN was created. These PINs are required to lift the freeze whenever you need to grant access to your credit files in connection with a loan, an apartment rental, or a job application (where permitted by law). Unfortunately, a PIN derived from a timestamp is laughably easy for a hacker to guess.
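To make the problem with timestamp-derived PINs concrete, here is an added example (mine, not Equifax’s code or anything reported about its actual scheme) that puts a weak clock-based generator beside a generator that draws from the operating system’s CSPRNG, compares the size of the two search spaces, and includes a small audit helper a bureau or vendor could run over its own issued PINs to catch this class of mistake. The 12-digit YYYYMMDDHHMM layout, the window sizes, and the sample batch are assumptions constructed for the illustration.

```python
import math
import secrets
from datetime import datetime

# Assumed layout of a timestamp-derived PIN: YYYYMMDDHHMM (12 digits).
# Hypothetical format chosen for illustration, not Equifax's actual scheme.
TS_FORMAT = "%Y%m%d%H%M"
PIN_DIGITS = 12


def timestamp_pin(created_at: datetime) -> str:
    """Weak generator: the PIN is the creation date and time written as digits.
    Anyone who knows roughly when the freeze was placed faces only a few
    thousand candidates instead of a trillion."""
    return created_at.strftime(TS_FORMAT)


def random_pin(length: int = PIN_DIGITS) -> str:
    """Hardened generator: every digit comes from the OS CSPRNG via `secrets`,
    so PINs are unrelated to each other and the creation time leaks nothing."""
    return "".join(secrets.choice("0123456789") for _ in range(length))


def timestamp_candidates(window_days: int) -> int:
    """Distinct timestamp PINs inside a window the attacker can narrow the
    creation time to (one candidate per minute)."""
    return window_days * 24 * 60


def random_candidates(length: int = PIN_DIGITS) -> int:
    """Search space of a uniformly random numeric PIN of the given length."""
    return 10 ** length


def entropy_bits(candidates: int) -> float:
    """Guessing entropy of a uniform choice among `candidates` values."""
    return math.log2(candidates)


def looks_timestamp_derived(pin: str, earliest_year: int = 2000,
                            latest_year: int = 2100) -> bool:
    """Audit helper: True if the PIN parses as a plausible creation timestamp."""
    if len(pin) != PIN_DIGITS or not pin.isdigit():
        return False
    try:
        parsed = datetime.strptime(pin, TS_FORMAT)
    except ValueError:          # month 13, hour 25, leftover digits, year 0 ...
        return False
    return earliest_year <= parsed.year <= latest_year


def audit_batch(pins) -> float:
    """Fraction of issued PINs that decode as timestamps. A value near 1.0 means
    the generator is leaking its clock; CSPRNG output should score close to 0."""
    pins = list(pins)
    if not pins:
        return 0.0
    flagged = sum(1 for p in pins if looks_timestamp_derived(p))
    return flagged / len(pins)


if __name__ == "__main__":
    created = datetime(2017, 9, 7, 15, 30)      # constructed creation time
    weak, strong = timestamp_pin(created), random_pin()
    print("timestamp PIN:", weak, "-> flagged:", looks_timestamp_derived(weak))
    print("random PIN:   ", strong, "-> flagged:", looks_timestamp_derived(strong))
    print("30-day window: %d candidates (%.1f bits)" % (
        timestamp_candidates(30), entropy_bits(timestamp_candidates(30))))
    print("12 random digits: %d candidates (%.1f bits)" % (
        random_candidates(), entropy_bits(random_candidates())))
    # Constructed batch: ten PINs issued one minute apart by the weak generator.
    batch = [timestamp_pin(datetime(2017, 9, 7, 15, m)) for m in range(10)]
    print("weak batch flagged fraction:", audit_batch(batch))
```

The numbers make the article’s point: a PIN that can only be one of the 43,200 minutes in a known month carries about 15 bits of guessing entropy, while 12 CSPRNG digits carry nearly 40. The audit helper is the defensive check a vendor would want: if more than a sliver of a sample of issued PINs parses as a calendar date, the generator is using the clock, and the fix is to switch to `secrets` (or an equivalent CSPRNG) rather than to add digits.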

The bigger problem is that a freeze needs to be in place at all three reporting agencies in order to be effective. As credit expert John Ulzheimer told the New York Times, putting a freeze on your credit with only one reporting agency is “like locking one of three doors in your house and leaving the other two unlocked. You’re hoping the thief stumbles on the locked door.”

Types of Fraud to Be Aware Of

The hackers also made off with 209,000 credit card numbers and 182,000 credit dispute documents containing personally identifying information.

In August, there was a spike in credit card fraud, according to the New York Post. It seemed odd to security experts at first, since credit card fraud typically increases around the holidays. The Equifax news seems to provide an explanation for the statistical oddity. “We saw a 15% increase in the overall fraud attempts in our system in August, which is an unusual time of year to see such a spike,” said Liron Damri, cofounder of Forter, a fraud-prevention service for online retailers.

But the threat goes way beyond maxed-out credit cards, fraudulent credit applications, and tax-refund fraud. With Department of Motor Vehicles information also in play, the risks are elevated. A fake ID made out in your name could get you arrested for an outstanding warrant. In the realm of identity-related fraud products, a fake driver’s license is a luxury item for sure, but it’s still one that could hurt you if a scammer presents your information on a fake license the next time they’re pulled over for speeding or collared for a crime.

And then there’s the serious risk of medical-identity fraud. Consumers could see delays in prescription fulfillment because of fraudsters using their health care information. Worse, consumers may not be covered for health care expenses until they are able to prove they are who they claim to be using the same information that the crooks used—a frustrating and often complicated process.

Legal Remedies 

One can only assume there will be lawsuits galore. In fact, one enterprising person has already automated the process. A robot lawyer is on the case, allowing consumers to automatically file a claim against Equifax in small claims court.

According to the Verge, consumers are still able to join class action suits while pursuing a small claims court remedy.

“Even if you want to be part of the class action lawsuit against Equifax,” the Verge reported, “you can still sue Equifax for negligence in small claims court using the DoNotPay bot and demand maximum damages. Maximum damages range between $2,500 in states like Rhode Island and Kentucky to $25,000 in Tennessee.”

Protecting Yourself Now

To say that the Equifax PIN assignment process was incompetent is an understatement. Nevertheless, it is a teachable moment. While it’s okay to hope that your services and vendors will do things right, you need to stay vigilant. And this should go without saying: if you can change privacy and authentication settings on a product or service, do it. If that’s not possible, perhaps you should consider finding a new vendor or service.

The easiest way to protect yourself, in my opinion, is by using a system called the “Three Ms.” The Three Ms is the centerpiece of my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves, and the approach continues to be the best way to keep your personally identifiable information from being used in identity-related crimes.

And they are simple: 

  1. Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t overshare on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit.
  2. Monitor your accounts. Check your credit report religiously, keep track of your credit score, and review major accounts daily if possible. (You can check your credit report for free at Credit.com.) If you prefer a more laid-back approach, sign up for free transaction alerts from financial services institutions and credit card companies, or purchase a sophisticated credit- and identity-monitoring program.
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly, and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and HR departments.

Your Chances of “Getting Got”

Scammers pay around $30 per complete ID dossier on the black market. With 143 million packets available through the Equifax breach, that’s more than 4 billion dollars’ worth of information. Though it may not seem so at first glance, this could actually be good news for you: your chances of “getting got” decrease with an increase in available targets.

Odds aside, though, Equifax is not the first, nor will it be the last, breach of note. Being prepared and alert is still the best remedy, because breaches have become the third certainty in life—right behind death and taxes.

A final tip: check with your insurance company, financial services institution, or employer. You may already have access to identity protection and resolution services, which is your best bet when it comes time to navigate the identity theft quagmire.
