Identity Theft and the New Tax Bill

Will Congress Overhaul Credit Reporting Laws?

The 2017 filing season could be the worst yet for tax-related crime. With widespread confusion about the new tax law, IRS budget cuts, and a record-breaking year for data compromises, there’s an opening for fraud that should be serious cause for alarm, but doesn’t seem to be.

The bottom line: you should be concerned.

Last tax year, the IRS stopped 787,000 confirmed identity theft returns, totaling more than $4 billion. For the same nine-month period in 2015, the IRS stopped 1.2 million confirmed identity theft returns, totaling about $7.2 billion. There were many other widely reported wins. But what did not get reported was how much money scammers stole. Given the IRS’s estimate that 2016 would see a loss of $21 billion via fraud, one wonders.

That was then. The Equifax breach, which compromised 143 million people, changed all that. It included Social Security numbers, and compromised SSNs are the most common “pre-existing condition” of crimes committed against the U.S. Treasury; as such, that breach poses a significantly greater threat than in previous years.

We’re looking at a far more significant threat of tax-related fraud in the 2017 filing season than ever before. Compounding this situation, the IRS is less able to fend off the threat of identity-related tax fraud than it was last year.


I know it’s risky to publicly sympathize with the nation’s most hated federal agency, but I can’t imagine it’s been much fun to work at the Internal Revenue Service since Congress passed its new tax bill (note that I’m not suggesting there was ever a time I could imagine it might be fun to work at the IRS).

With the new tax year just begun, the agency is racing to find real-world applications for the numerous changes to the tax code conceived in the hothouse of Congress, where ideas do not always (or perhaps even very often) jibe with real life, and the daily concerns of actual Americans have more the feel of an annoyance than a matter of, say, central importance.

There are significant logistical challenges posed by the new tax bill. First order of business is getting the changes in place that need to be implemented now, for instance the coding to adjust withholding, which the IRS hopes will make its first appearance on pay stubs as early as February. There are other provisions that affect the here-and-now, like the new trigger for healthcare deductions, as well as a decent-sized punch list of smaller changes—all of which need the immediate attention of a greatly diminished staff in the coming months.


Remember those cuts back in 2010? The agency was denuded of $900 million, which led to the loss of 21,000 jobs. That’s a major problem right now.

The last time there was tax overhaul like the current one, “Walk Like an Egyptian” was on the radio and cable TV was just finding its way into the suburbs. Today, Twitter feeds are reloaded continually, and late-show hosts joke about the size of the presidential button.

In 1986, the IRS got a budget increase to accomplish the increased workload, but this time around, “the House and Senate appropriations bills for 2018 would cut the IRS budget by an additional $155 million and $124 million, respectively,” according to the National Treasury Employees Union.

What You Can Do

Wait times were more than an hour last year. The helpline matters because people don’t read tax bills, or even news stories about them. The questions will be many—far more than usual. They will be on a host of topics. People will call in reaction to good, bad and neutral information.

Is there nothing to worry about till this time next year? Do I need to fill out a new W4? Is my tax bracket the same?

The only question that matters is this one: What’s the best way to avoid becoming a victim of tax-related fraud? The answer: file your tax return as soon as you have all the necessary documents to get the job done.

While it’s important to sort out what’s what with regard to the coming changes in our nation’s tax code, it’s crucial to take a look at the simple fact that people are confused, and that creates a beneficial state for fraud to flourish.

For the time being, the only “solution” is beating scammers to the punch.

With everything that the IRS needs to do to function well, budgetary issues necessarily come to the fore. We should all be voicing concern about the agency’s ability to safeguard taxpayers from refund fraud given the current situation. And we should all be doing everything we can to protect ourselves in a hostile environment.

If you’re concerned about your credit, you can check your three credit reports for free once a year. To track your credit more regularly, the free Credit Report Card is an easy-to-understand breakdown of your credit report information that uses letter grades—plus you get two free credit scores updated each month.

You can also carry on the conversation on our social media platforms. Like and follow us on Facebook and leave us a tweet on Twitter.




6 Ways to Make Your Family Harder to Hack 2018


While there are a thousand resolution-worthy action items out there, the time is always now for the things that need to change in our lives. Never were truer words spoken when it comes to our potential vulnerability to hackers.

The number of breaches and the granular nature of the data exposed in those attacks over the past year are both unprecedented. The Equifax breach alone included everything (and then some) that a scammer needs in order to buy a house or a car, pay for college or medical procedures, steal a tax refund or any other transaction.

But that’s not the only reason you should be on high alert. Technology is the friend of the hacker. Cybercriminals make a living being up-to-date on the latest security protocols and protections. They are also the most common spur for innovation, discovering the latest “eureka” moment in cybersecurity while reverse-engineering existing ones to steal data.

Side by side with the general threat is a “pre-set” attitude prevalent among consumers. Breaches and the identity theft that flows from them have become the third certainty in life, right behind death and taxes. The attitude tends to be, “There’s nothing I can do about it,” or “If it happens, it happens.”

I get it. I own a company that among other things, helps consumers resolve the fallout of identity theft. But working on the front lines of what amounts to a war of attrition against the bad guys, I can tell you that consumers can, and should, be doing more.

Here are my suggestions: 

  1. Avoid Account Takeover with Better Password Tactics

According to a recent survey, more than 80% of people 18 and older re-use the same password across multiple accounts—a practice called daisy-chaining.

Here’s the scary part: You will almost certainly be able to guess the most popular password used by consumers in 2016. (It was “123456.”) Consider, there are affordable machines on the market today that can hit a website’s authentication system with billions of passwords per second. “Password” isn’t going to do much in the way of keeping you from getting got.

Even if your personal email address hasn’t been exposed in a data breach—you can check on—you need to take extra precautions.

Here’s why: If a scammer gets control of your personal email, they can commandeer many, if not all, of your accounts—retail, financial and beyond. For this reason, whenever possible, do not use your name or email address for login purposes. Rather, treat it like another password (but bear in mind, many sites will not allow you to do this).

If that seems like a hassle (remember, security and convenience aren’t always compatible), there’s an automated solution: a start-up called Joinesty offers a Chrome extension that randomizes the email addresses used to log in to various accounts, thereby rendering your personal email address useless to a hacker.

  2. Use 2-Factor Authentication

Do you use 2-factor authentication on all your accounts that offer it? It’s a relatively seamless process whereby every account login requires both a password and a six-digit code that is emailed or sent to your smartphone via SMS.

It is not failsafe. If a criminal has control of your personal email account or possession of your phone—and your password—they can beat 2-factor authentication. That said, you are a much less attractive target—the predator equivalent of a spiny hedgehog waddling down the road next to an excessively plump piglet. Which one would you rather be?

  3. Turn Off Location Services, and Don’t Overshare

Remember the bumbling duo in the holiday classic “Home Alone”? It used to be that burglars cased a neighborhood. With oversharing on social media, including location data embedded in photographs by geotagging technology and/or volunteered by way of preference settings, we are constantly “casing” ourselves for the would-be thief.

An added layer of complication here is that even if your social sharing doesn’t include location data, other members of your family might be sharing it. Remember, you are only as secure as your most insecure family member.

The conversation about cybersecurity should be ongoing with those closest to you, because increasingly we’re all connected in ways that can get people robbed. 

  4. Have Nothing to Ransom

Ransomware is going to continue to plague consumers in 2018.

Ransomware is a form of malware that occupies a victim’s computer and then encrypts every file on its hard drive. There are few things scarier than a ransomware attack, especially when the victim has no idea what just happened.

First rule of thumb: never make a payment to get files back (or stop someone from sharing embarrassing files—another prevalent scam). Contact a resolution expert first.

Second rule: Back up your files daily.

If you want to be one-hundred percent unaffected by ransomware, back up your hard drive on an encrypted, long-and-strong password-protected external drive and store a mirror backup on a cloud server. Then when your would-be extortionist demands cryptocurrency (which if you own any, should also be stored on an external wallet), you can say: “No,” and go on with your day.

  5. Enroll in Transaction Alerts and Identity Monitoring

There is no better way to calm fears of account takeover than transaction alerts. All banks and credit card companies offer them for free. They make fraud a momentary crisis that’s easily contained, since the moment a fraudulent charge occurs, or a scammer attempts to open a new line of credit, the consumer is notified.

Think of it as an under-age keg party that gets shut down by the police—a quick burst of annoying nothing, and then everything is back to normal.

There is an added benefit to transaction alerts: Every charge you make pops up on your phone or in your email, detailing the purchase, which can help you curb spending since there is a constant—albeit instant—reminder of how much money is going to be due at the end of your billing period.

  6. Practice the 3 Ms

  1. Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t over-share on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit.
  2. Monitor your accounts. Check your credit report religiously, keep track of your credit score, and review major accounts daily if possible. (You can check two of your credit scores for free every month.) If you prefer a more laid-back approach, see No. 5 above.
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly, and/or enroll in a program where professionals help you navigate and resolve identity compromises, oftentimes available for free or at minimal cost through insurance companies, financial services institutions and employers.

The New Year offers the opportunity to turn a now-old threat into new peace of mind.

The dangers out there are manifold, but if you are prepared, even the worst attacks are survivable. The above suggestions aren’t resolutions. They are common sense. At their best, New Year’s resolutions are an arbitrary deadline to change your habits in one way or another. When it comes to hack-proofing your life, we’re way past midnight.






The 12 Scams of Christmas for 2017


Scammers make a killing during the holiday season. While you spend your time thinking of ways to bring holiday joy to others, they spend their time thinking up ways to steal from you. The saddest part about this is that the ghosts of Christmases past keep visiting Christmas present.

With that, I give you this year’s 12 scams of Christmas.

  1. The Gift Card Scam

While definitely a ghost of Christmas past, this still works so scammers still do it. It’s pretty simple. The thief records the numbers displayed on a gift card, and then calls the company that issued it to find out if it has been activated, which occurs when the card is purchased. The problem here is one of timing. If you buy a gift card early in the shopping season, it’s more exposed to fraud. That said, recipients of gift cards often take a while to use them.

Tip: If you are going to purchase a gift card, do it as close to Christmas Day as possible, and encourage the recipient to use it as soon as possible.

  2. Sneak Attacks on Your Credit

With the non-stop news of data breaches involving credit card numbers, many of us are walking around with compromised payment cards that can be used by a scammer, and there is no more perfect time of the year for them to try than Christmas. The usual warning signs of an account takeover, or a fraudulent charge, may be harder for financial institutions to spot, since Christmas gifts often don’t conform to a cardholder’s buying patterns.

Tip: Sign up for transaction alerts from your bank or credit card issuer that notify you any time there is activity on your accounts.

  3. Fake Charities

While it’s not exactly the way it plays out in our nation’s malls and shopping districts, Christmas is traditionally a time for contemplation and charitable giving—something captured very well in Charles Dickens’s classic, “A Christmas Carol.” So if you want to give during the holiday season, it’s crucial to make sure the appeal is real.

Tip: Before responding to an online appeal, visit the website by typing in the organization’s URL manually, or by using search to find the link. If you are still unsure, call. If you are still uncomfortable, use Charity Navigator or contact the Office of the Attorney General in your state to confirm the organization’s authenticity.

  4. Temporary Holiday Jobs

Holiday jobs are a good way to make some extra money, and there are a lot of them, but bear in mind there are myriad scammers out there who may offer fake jobs to harvest your very real personally identifiable information—the most valuable of which being your Social Security number.

Tip: Don’t give your Social Security number to anyone unless you absolutely have to, and don’t provide it before you confirm you’re dealing with a representative of a real organization that has offered a job to you. Never send your information digitally unless you know the recipient uses proper security protocols. (You may not be using secure tech either, so try to be conservative about what you send digitally.)

  5. Phishing, Vishing and Smishing

You might receive a phone call, a text or an email. It doesn’t matter what the delivery system is, it’s a fraud but it won’t necessarily look like one. It could look like a sales promotion from a brand you like, or an offer on a deal that seems too good to be true, or even just “pretty good.” Scam artists can be very nuanced. Be on the alert before you act on any offer.

Tips: Check that the URL matches the real site exactly, and never provide any personal information on any web page unless the URL is secure and starts with “https.” Email links should always be considered suspect.
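The two checks in the tip above (the scheme must be https, and the host must match the real site exactly, not merely contain its name) can be automated. The following Python is an added example written for this page, not code from the original column or any product it mentions; the expected host `shop.example.com` and the sample links are constructed values, and the check is only a first filter, not proof that a link is safe.

```python
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed sample: the host the real retailer uses. Any link claiming to be
# from that retailer must use exactly this host, nothing more, nothing less.
EXPECTED_HOST = "shop.example.com"


def link_looks_legitimate(url: str, expected_host: str = EXPECTED_HOST) -> Tuple[bool, str]:
    """Return (ok, reason).

    ok is True only when the link uses https AND its host is exactly
    expected_host. urlsplit().hostname already strips userinfo ("user@") and
    the port, so tricks like https://shop.example.com@evil-host.net/ resolve
    to the host the browser would really connect to (evil-host.net).
    """
    parts = urlsplit(url.strip())

    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme or 'missing'}, not https"

    host = (parts.hostname or "").lower()
    if host != expected_host.lower():
        # Covers suffix tricks (shop.example.com.evil-host.net), lookalike
        # spellings (shop.examp1e.com) and userinfo tricks alike.
        return False, f"host {host!r} is not {expected_host!r}"

    return True, "ok"


def triage(urls: List[str]) -> List[Tuple[str, bool, str]]:
    """Run the check over a batch of links and return (url, ok, reason) rows."""
    return [(u, *link_looks_legitimate(u)) for u in urls]


# Constructed sample links of the kind a holiday promotion email might carry.
SAMPLE_LINKS = [
    "https://shop.example.com/deals",                    # genuine
    "http://shop.example.com/deals",                     # right host, no TLS
    "https://shop.example.com.evil-host.net/deals",      # real name used as a prefix
    "https://shop-example.com/login",                    # lookalike spelling
    "https://shop.example.com@evil-host.net/",           # userinfo trick
    "shop.example.com/deals",                            # no scheme at all
]

if __name__ == "__main__":
    for url, ok, reason in triage(SAMPLE_LINKS):
        print(("PASS " if ok else "FLAG ") + url + "  (" + reason + ")")
```

Only the first sample link passes; every other row is flagged with the reason. The point of the exact-match comparison is that a substring test ("does the link contain shop.example.com?") would accept the third and fifth links, which is precisely the mistake the phishing page is counting on.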

  6. True Love

The holidays can be lonely, and catphishers know that. Love scams are the worst, as they prey on the emotions in the most exploitative ways, disarming the heartstrings with an eye to loosening purse strings. The money lost can be considerable, and the upset unfathomable.

Tip: As corny as it seems, be careful with your heart and don’t give it away to just anyone. If you feel like you’re falling for someone and they somehow can never make an in-person appearance, don’t send them money to do so. You can do better.

  7. Hotel Scams

You might fall victim to the restaurant flyer scam, the menu for a non-existent eatery shoved under the door resulting in an order that gets you robbed, or it could be the front desk scam where you get a call after check-in asking for another credit card number because “the one you provided was rejected.”

Tip: Assume the worst when in unfamiliar territory, and be on guard when traveling. Always distrust. Always verify.

  8. Fake online shops

This is a tough one, but here’s the deal: a bargain is alluring. Amazing prices on things that should cost a lot more than a fake online shop is asking draw people in, which is why they fall for these sites all the time. Pop-up shops are cool, but they may not always be legit.

Tip: Look at the About Us page and call the designated contact number. If there is no number, think twice before making a purchase. Also pay attention to detail. Are there spelling errors in the copy? Bad-looking stock photos? Look for trouble.

  9. E-Cards

We all appreciate the sentiment behind an e-card, but that should not outweigh the risk of malware that can take a computer hostage or record every keystroke so that your most sensitive credentials for financial accounts can be stolen. E-cards are a popular form of fraud among scam artists, and you should be very cautious when you receive one.

Tip: Email, call or text the sender and ask if they sent an e-card. In this environment of constant attack, they will understand (and if they don’t, your Christmas present to them can be forwarding this column).

  10. E-voucher scams

This scam is built for people old enough to remember a physical, printed voucher, which, presented in person at a brick and mortar store, would get you a discount. They were basically a coupon. E-vouchers are fine if they come in the form of a number sequence, discount code or keyword, but anything else should be considered suspect.

Tip: Be on the lookout for grammar or spelling errors. Always type in the URL of the site for which you have an e-voucher, and enter the code or number there. If it comes by way of text or email and it involves a link, don’t click through. 

  11. Fake Shipping Notifications

What could be worse than a message from your favorite e-tailer letting you know that the must-have item you ordered is out of stock or was sent to the wrong address? Another oldie but goodie among thieves is a notice informing you that the “Item has been delivered” when it hasn’t been.

Tip: Never click any link associated with this type of communication. Always log onto the e-tailer site for more information, or pick up your phone and call.

  12. Wish list scams

Online wish lists are a bad practice that should be discouraged. In theory, the online wish list creates a place where friends and relatives can find out what you want for Christmas, which many find preferable to guesswork. Beyond being horribly transactional, the practice opens the list-maker to phishing attacks, since scam artists will automatically know what interests you.

Tip: If you must post a wish list online, custom set the privacy on the post so that only particular people can see it, and don’t include any personally identifiable information.

At Christmas it’s always better to give the gift, than be the gift that keeps on giving to identity thieves.

If your personal information does fall into the hands of a scammer, be sure to monitor your credit for signs of identity theft. You can do so by viewing your free credit report snapshot, updated every 14 days, on




How the Uber Hack Could Get You Robbed This Christmas (Again)


News that Uber got hacked and 57 million records were compromised may not seem like an overt threat after this year’s constant mega breaches—but it is. A recent study suggests that even something as “harmless” as a breach involving names, phone numbers, and email addresses can lead to account takeover.

The study, entitled “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials,” was backed by Google and conducted in partnership with the University of California, Berkeley, and the International Computer Science Institute.

While the title may sound boring, the takeaway is terrifying: Account takeover isn’t happening the way many people think.

What Is Account Takeover?

The first thing you need to know about account takeover is this: It’s an incredibly serious matter.

Account takeover is a form of fraud. A criminal attempting account takeover may target your bank account, your credit card accounts, or any other financial service where you do business. Once a criminal has control of an account, you will be robbed.

It’s easy to understand how your Social Security number can be used to defraud you, not to mention the time-suck of setting the record straight with whatever companies composed part of the digital “crime scene.”

Since the days of the rotary telephone, our Social Security numbers have acted as virtual skeleton keys to our financial realities. It was the way we proved that we were the right person to access our money at a bank or to be granted credit. For a long time criminals have found creative ways to use that same key to rob people—whether through the creation of new credit accounts or through account takeover.

Stolen credentials come in many forms, and they are not equal by any means. The importance of the Google study hinges on this new reality: Social Security numbers aren’t the worst threat to your accounts based on current statistics. And herein lies the kernel of what matters most in the study.

Account takeover can also zero in on your email.

How can you be robbed if a criminal has control of your email account? Think about how many of your active online accounts will send a link to reset your password via email—and then continue reading after you stop hyperventilating.

In a world where most of the day-to-day transactions we make are digital but two-factor authentication has not been universally adopted, the control of your email account by a third party may create an even greater vulnerability to fraud than the possession of your Social Security number.

Why Uber Matters (and Doesn’t)

The Uber hack was discovered more than a year before it was reported, and the company paid the hackers $100,000 to keep the incident under wraps. That such things aren’t considered serious crimes in the US is something to ponder, but that’s not the reason the hack matters.

The longer your information is “out there” unbeknownst to you, the longer you are unwittingly exposed to all stripes of crime—including account takeover.

There are many ways you can be attacked, but with the Uber hack, email would be the way in. The phishing ruse can be anything. Social engineering, or the art of tricking people into doing what you need them to do so you can rob them, can be endlessly creative.

Because the Uber hack included names and phone numbers in addition to email addresses, affected consumers may have spent the past 12 months being exposed to the more insidious threat of spearphishing and fraud via vishing (voice phishing).

In spearphishing attacks, the fraudster does a little research. For instance, using an Uber customer’s phone number, they may locate a Facebook account, and, from there, identify close friends and family. The criminal sends a spoofed email from what he or she guesses will be a trusted sender with a link that downloads keystroke-logging malware and thus puts the recipient one login away from account takeover. A majority of people use the same passwords at different sites, which means the fraudster will likely have access to multiple accounts once they determine one password.

Some questions you should always ask:

  • Is it the right time of the month? (Your banks and other accounts usually send statements on the same day every month.)
  • Does it make sense? (Has your cousin ever sent you a cute animal video before?)
  • Can you trust those links? (A general rule of thumb now that spoofs are impossible to detect is to distrust all links, always, and type URLs to wherever you need to go.)

And of course, check the email address behind the display name on any email you receive before replying, and never be shy about asking a sender if they sent you something.
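The advice to look at the address behind the display name can be turned into a small triage routine. The Python below is an added example written for this page, not code from the original column or from the study it cites; the address book and the sample From: header values are constructed, and the checks only surface mismatches a reader would otherwise have to spot by eye (an empty result means these particular checks found nothing, not that the message is safe).

```python
from email.utils import parseaddr
from typing import Dict, List

# Constructed address book: display names the reader would recognise, paired
# with the address each one actually writes from. Sample values only.
KNOWN_CONTACTS: Dict[str, str] = {
    "Cousin Dana": "dana@example.org",
    "Your Bank Alerts": "alerts@yourbank-example.com",
}


def _domain(address: str) -> str:
    """Part of an address after the last '@', lower-cased."""
    return address.rpartition("@")[2].lower()


def assess_from_header(raw_from: str, known: Dict[str, str] = KNOWN_CONTACTS) -> List[str]:
    """Return warnings about the value of a From: header (empty list = none found).

    raw_from is the header value, e.g. '"Cousin Dana" <dana@example.org>'.
    parseaddr() splits it into the display name a mail client shows and the
    address the mail really came from; the three checks compare the two.
    """
    display, address = parseaddr(raw_from)
    display = display.strip()
    warnings: List[str] = []

    if not address or "@" not in address:
        return ["no parseable address in header"]
    addr_domain = _domain(address)

    # 1. The display name is itself an address, but not the one actually used.
    if "@" in display and _domain(display) != addr_domain:
        warnings.append(
            f"display name shows {display!r} but mail actually comes from {address!r}"
        )

    # 2. The display name matches someone you know; the address does not.
    expected = known.get(display)
    if expected is not None and expected.lower() != address.lower():
        warnings.append(f"{display!r} normally writes from {expected!r}, not {address!r}")

    # 3. The sending domain merely contains a known domain as a fragment,
    #    e.g. yourbank-example.com.mailer-example.net.
    for known_addr in known.values():
        known_domain = _domain(known_addr)
        if addr_domain != known_domain and known_domain in addr_domain:
            warnings.append(f"domain {addr_domain!r} imitates {known_domain!r}")
            break

    return warnings


# Constructed From: header values of the kind discussed in the column.
SAMPLE_FROM_HEADERS = [
    '"Cousin Dana" <dana@example.org>',                                   # genuine
    '"alerts@yourbank-example.com" <x9f@mail-drop.example.net>',          # address in display name
    '"Cousin Dana" <dana.example.org@webmail-free.example.net>',          # familiar name, new address
    '"Your Bank Alerts" <alerts@yourbank-example.com.mailer-example.net>',  # domain suffix trick
]

if __name__ == "__main__":
    for value in SAMPLE_FROM_HEADERS:
        found = assess_from_header(value)
        print(("OK    " if not found else "CHECK ") + value)
        for w in found:
            print("      - " + w)
```

The first sample produces no warnings; the second and third each produce one; the fourth trips both the address-book check and the domain-fragment check. The address book is what gives the checks their teeth: a mail client shows the display name, and the display name is the one field the sender controls completely.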

Another thing you should do whenever possible: Enable two-factor authentication. But bear in mind that even if you do everything right you may still be compromised. Unfortunately, there is no silver bullet. There is only vigilance and the three Ms (minimize your exposure, monitor your security, and manage the damage), which I discuss in my book, Swiped.

The violation of privacy associated with the takeover of an email account is disturbing, but it is nothing compared to the potential life disruption it can cause. Now more than ever, you need to be exceedingly careful about the links you click on in email and the calls you take—because you truly never know who’s on the other end.

If you fear you have been the victim of fraud, check your credit report for suspicious activity. You can get your free credit report at



Tips for Buying Safe Connected Devices This Cyber Monday


Keeping up with news alerts about cybersecurity flaws in consumer electronics is a lot like picking up spilled jelly beans one at a time with a plumber’s wrench. Even if you figure out how to do it and have endless patience, a few will skitter out of sight.

Assume for the moment that, unlike most people, you think a lot about cybersecurity and you do your homework before buying a connected device. (I know. This is a truly ridiculous proposition. But let’s just say it’s the case.)

As you prepare for Cyber Monday, make cybersecurity part of the purchase process. What does your thinking about cybersecurity look like? What form does it take? Perhaps you like to use a search engine to see if there have been any obvious problems associated with the product, service, or device you’re considering. And by problems, I mean specifically cybersecurity and privacy issues.

This simple action can save you from a time-consuming hassle later. Security lapses abound. It’s your job to know about them.

Your Role in Cybersecurity

If you think this sort of research is too hard, relax. It’s easy. A simple search using the name of the item in question as well as terms like “compromise,” “privacy,” and “breach” is a good place to start.

For example, maybe you’re thinking about giving someone a credit monitoring gift that protects them from fraud. You might do the following searches:

  • “Equifax hacked”—About 901,000 results (0.58 seconds)
  • “Experian hacked”—About 128,000 results (0.63 seconds)
  • “TransUnion hacked”—About 62,800 results (0.37 seconds)

Now, bear in mind, many of the search hits on Experian and TransUnion (both of which offer sophisticated monitoring programs) come by way of obligatory mentions in the coverage of the Equifax compromise.

You’re Still Not Safe

Let’s say you get a connected cam to monitor an aging parent. There are some basics to consider. You’ve got to assume, for example, that Mom may not want to be the star of a Russian reality TV show called something along the lines of “Stupid Americans I Have Hacked.” But you also have to assume it could happen.

If you did your homework right, you know there’s been a problem with many plug-and-play webcams involving the use of manufacturer default passwords.

Checking for known security issues or a history of poor security is important, but there is still more work to be done before Cyber Monday to make sure you’re not giving someone a gift that robs them blind, opens them up to public ridicule, or simply embarrasses them.

The Most Important Question

That camera with seemingly perfect security you got your mom could become a live feed to her own version of The Truman Show for an avoidable reason: the cam wasn’t patchable. This means that when a security flaw is discovered, there is no way to protect the cam because it cannot receive security patches.

You’ve read privacy policies online and have made sure the product you’re thinking about doesn’t get significant revenue by selling data collected from this or that smart device, but the item also needs to be patchable.

Many companies do a very good job. Contrary to the folklore about planned obsolescence at Apple, the company is excellent at supporting older devices and operating systems, and it is a top player when it comes to security patches.

Let’s focus on gadgets. If the connected device you’re considering is not properly maintained after the launch of later generations of that product or a related service, keep looking for one that is.

And ask: Is this connected device patchable?

This Cyber Monday, the only way to find those errant jelly beans mentioned above is to do the requisite research.

While nobody has the time to read every news item about product security, with the holiday shopping season upon us, it’s imperative to think about cybersecurity basics.

Data breaches and other compromises are the third certainty in life, right behind death and taxes. The simplest way to avoid falling prey to products and services that offer shabby or nonexistent cybersecurity? Don’t buy them.

If you fear your information has been compromised through an unsecure device, review your credit report for any suspicious activity. You can get your credit report for free through



Can You Hack-Proof Your Personal Email Address?

This simple trick can help reduce spam and add an additional layer of protection against phishers and identity thieves.

How would you feel if the digital “you” were deleted? The common wisdom in cybersecurity circles is that if you think it can’t happen to you, it probably will. Consider Mat Honan’s story.

“First my Google account was taken over, then deleted,” Honan wrote. “Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages.” Honan’s AppleID was used to remotely delete all the data on his iPhone, iPad, and MacBook.

“My accounts were daisy-chained together,” Honan confessed. Sound familiar? Most people have to authenticate via daisy-chain. Even if you have everything segregated and use multi-factor authentication, chances are good that your personal email address is used to log in to most of the places you go online.

If a hacker gains access to your personal email account and, like most people, you’re lax when it comes to personal cyber hygiene, it could be game over for you—not only with regard to your data, but for whatever assets and accounts you manage online.

Can Your Personal Email Be Hack-Proofed? 

The short answer is no. Hacks and data breaches are the third certainty in life, right behind death and taxes. In fact, the most likely reason you haven’t been hacked yet is that there is a staggering number of sitting ducks out there. Needless to say, however, there is no safety in numbers. Hackers become more efficient all the time. 

While there is no silver bullet to our collective vulnerability, brothers Steve and Robert Yoskowitz think they might be able to help with Joinesty, a Chicago-based digital security startup that recently released an interesting Chrome extension.

Like LastPass and other password managers, Joinesty allows users to change passwords for everything they access online. Login credentials are automatically generated and easy to manage.

What makes Joinesty different is that they also let users create unique email addresses (to be forwarded in real time or delivered in daily digest form) for everything they access online, thereby shielding their personal email address from prying eyes.

In addition to email management, Joinesty lets users know about deals that are available at over 7,500 merchants in real time.

“The feature injects into Google so users can see what deals are available within their search results,” CFO and co-founder Steve Yoskowitz told me. “As cybersecurity and privacy become everyday and every-person concerns, we are trying to create an environment of security appealing to a demographic which may not know how much they need it, while targeting the interactions and online behavior that expose users the most.”

Before you decide that Joinesty is an advertising vehicle disguised as a cybersecurity solutions company, I asked about revenue, which is subscription based. Users can choose between monthly or annual subscriptions at $6.99 a month or $41.99 a year.

“The pillars of the Joinesty brand are trust, transparency, and simplicity,” Yoskowitz told me.  “We structured every aspect of our platform around these pillars, including our revenue model.”

Why Personal Email Addresses?

Nobody needs a disquisition on the dangers of using the same password for different accounts and services, though the number of consumers who still do it is alarming.

Instead, how about a quick lecture: According to one recent survey, more than 80% of people 18 and older re-use the same password across multiple accounts. The most popular password in 2016 was “123456.” For less than $1,000, hackers can buy a machine that has the capacity to test billions of passwords per second. Effect: You are vulnerable. Password managers work, so use one. (End of sermon.)

Actually, it’s not quite the end of the sermon. Because lousy password hygiene is so prevalent, you need to know if your personal email address has been leaked in a data breach or, better yet, just assume that it has been. is one place to go if you’re curious.

Personal email addresses present a huge vulnerability for most people and an infinite number of clear-sky lines of attack for hackers.

A recent data sample found that in the United States there are an average of 130 accounts assigned to a single email address. We’re talking about newsletters, e-commerce sites, banks, gyms, portals to your medical records and healthcare coverage, investments, car loans, credit cards, and—as Mat Honan knows all-too-painfully well—social networking sites.

Your personal email address is one of your most visible forms of personally identifiable information (PII), and yet many websites require it. If your email is commandeered, whoever has control of it is just a few clicks away from taking control of your finances and anything else they might care to target. Think of your email address as a much less secure version of your Social Security number—especially if you have bad password habits.

I asked Yoskowitz about the use of personal email addresses as a login credential. After a quick scan of the top 210 Quantcast sites, he found that only 26 had no login. “Two had a username—instead of email—for logging in, so roughly 86% currently require email for login,” Yoskowitz told me.

Fewer Opportunities to Click and Get Got

So, is Joinesty addressing the personal email problem or taking advantage of it? Does the solution open up new vulnerabilities? Is this merely a ploy to sell ads and profit off our collective cyber-insecurity? 

The first thing you need to know is that Joinesty offers something of value.

It is not tokenization per se, but it’s like it in that Joinesty replaces PII (in this case your personal email address) with equally valid but non-identifiable data.

“We retain the purposes and benefits of tokenization allowing the user to retain all the functionality of giving out their personal email—logging into their accounts, receiving deals—without that email address having any inherent value to hackers because of its unique one-off nature.” 
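The tokenization analogy above can be made concrete. What follows is an added example, not Joinesty’s code and not from the article: a per-user vault that hands out one opaque alias per service, forwards mail that arrives at an alias from that service to the real mailbox, and flags mail that arrives at an alias from anyone else, since a single-purpose address receiving third-party mail is direct evidence of which service leaked or sold it. The forwarding domain `aliases.example`, the `AliasVault` class and the message shape are all assumptions made for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass, field

ALIAS_DOMAIN = "aliases.example"  # hypothetical forwarding domain, not a real service


@dataclass
class AliasVault:
    """Issues one opaque alias per service and routes inbound mail for a single user."""
    secret: bytes            # per-user key; keeps aliases unguessable
    real_address: str        # the personal mailbox being shielded
    issued: dict = field(default_factory=dict)   # alias -> service name
    revoked: set = field(default_factory=set)    # aliases the user has switched off

    def alias_for(self, service: str) -> str:
        """Deterministic, opaque alias: the same service always gets the same alias,
        but nothing in the alias reveals the service or the real mailbox."""
        name = service.strip().lower()
        tag = hmac.new(self.secret, name.encode(), hashlib.sha256).hexdigest()[:16]
        alias = f"{tag}@{ALIAS_DOMAIN}"
        self.issued[alias] = name
        return alias

    def revoke(self, service: str) -> None:
        """Turn an alias off, e.g. after the service's mail turns into spam."""
        self.revoked.add(self.alias_for(service))

    def route(self, msg: dict) -> dict:
        """Decide what to do with an inbound message.

        msg is a constructed shape: {"to": ..., "from": ..., "subject": ...}
        """
        alias = msg["to"].lower()
        service = self.issued.get(alias)
        if service is None:
            return {"action": "reject", "reason": "unknown alias"}
        if alias in self.revoked:
            return {"action": "drop", "service": service, "reason": "alias revoked"}
        sender_domain = msg["from"].rsplit("@", 1)[-1].lower()
        # Only the service the alias was issued to should ever write to it.
        # Anyone else means the address was shared or leaked: flag, don't forward.
        if sender_domain != service and not sender_domain.endswith("." + service):
            return {"action": "flag", "service": service,
                    "reason": f"unexpected sender {sender_domain}"}
        return {"action": "forward", "deliver_to": self.real_address, "service": service}


def demo() -> list:
    """Run three constructed messages through a vault and return the routing decisions."""
    vault = AliasVault(secret=b"constructed-demo-key", real_address="me@personal.example")
    shop_alias = vault.alias_for("shop.example")
    inbox = [  # constructed sample messages
        {"to": shop_alias, "from": "orders@shop.example", "subject": "Your receipt"},
        {"to": shop_alias, "from": "promo@spamhouse.example", "subject": "Cheap pills"},
        {"to": "nobody@aliases.example", "from": "x@y.example", "subject": "hi"},
    ]
    return [vault.route(m) for m in inbox]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The design point is that the alias carries no information on its own: the mapping from alias to service lives only in the vault, so a dump of a merchant’s customer list yields addresses that are useless anywhere else and that the owner can revoke one at a time.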

Parting shot from my book Swiped: When creating an account on sites that allow a non-email login name, let your spirit fly. Be creative (but store it somewhere on a cheat sheet that resides on an encrypted memory stick). You might even consider using a long-and-strong password as your login name if the site will allow it.


5 Ways to Keep Your Personal Health Information Safe


Did members of the royal family go under the knife at an upscale London plastic surgery clinic? A recent hack at London Bridge Plastic Surgery may reveal the answer to that—and many other questions you never thought to ask.

Setting aside the obvious follow-up questions (Do you care? Is it any of your business?) and regardless of your curiosity about seeing the picture proof of royal rearrangements, you should be paying attention. The hack speaks to our collective vulnerability when it comes to protected health information (PHI).

What Happened

The hacker collective known as The Dark Overlord took responsibility for the royal family’s data grab. The group’s responsibility was confirmed by The Daily Beast after a reporter at the site reviewed both in-progress and before-and-after photographs of family members’ physical enhancements.

You may remember The Dark Overlord: it was behind an October hack that featured threatening texts sent to parents of school-age children in several states and voicemails left by victims being dumped online. The group was also behind a notorious Netflix-related hack. It memorably stole the fifth season of Orange Is the New Black from Larson Studios and released the first episode even after having received about $50,000 in Bitcoin to not do so.

As reported by Variety, The Dark Overlord had decided that its victims were in breach of contract. Specifically, “Larson Studios was in great delinquency of the agreement after sources confirmed law enforcement cooperation,” the group claimed. “Our agreement provides us the right to execute harmful action against any client who defrauds our agreement.”

Why It Matters

Did you notice how The Dark Overlord called the studio its “client”? I have long said that while we have day jobs, all of us collectively are hackers’ day job. Their sole objective in life is to seep their way into the assets of our identity. Always remember that your personal information is an asset with real, assignable value.

The Dark Overlord is not alone in viewing its victims in this transactional way. Hackers are in it for the money. Bigger operations offer customer service–style communication to make the ransom/payoff part of the process a high-touch consumer experience.

You may think, “This can’t happen to me.” But how do you know? Consider how your medical provider stores your PHI. Have you ever seen a physical file? Do you know where it’s stored and who has access to it? That sort of physical information is vulnerable. It could easily be stolen or duplicated. What about electronic data? Everyone knows that just because an entity stores information digitally doesn’t make it secure from compromise.

5 Steps for Keeping Your PHI Safe

Security is complex and requires constant maintenance. Here are five steps you should take to keep your personal health information safe from hackers and other no-do-gooders.

  1. Ask if your medical provider implements a data security solution. While it may seem like a simple question, many providers don’t have a clue about data security. The only way to find out if yours does is to ask.
  2. Find out if your medical provider uses a vendor. If your medical provider uses a vendor, get the name and check out its reputation online.
  3. Ensure that your medical provider double encrypts your PHI. Your doctor may not know whether your PHI is double encrypted—especially if they use a vendor as their data security solution. Either way, push the point. The only way we all become more secure is if we all demand a high data-security IQ from our peers and service providers.
  4. Inquire about who has access to your PHI. By asking this question you may be pointing your provider to safer records. Only your doctor and other medically trained staff with a reason to be looking should have access to your PHI.
  5. Locate where your PHI is stored and how it moves around. Does your medical provider use a cloud server or onsite hardware to store your PHI? How are the servers connected to the network? Is there a secure network used solely for PHI and another for less sensitive traffic or smart devices used in the office?

We All Have Something to Lose

Granted, you may not have had any work done at a fancy plastic surgery clinic, but you’ve probably been to a doctor—and most likely at least once for an ailment that you’d rather not have broadcast to others. The victims of the data breach at London Bridge Plastic Surgery are just like you and me for that reason, even if they are royal. We all have something to lose: our privacy.

The sensitive data theft lottery definitely discriminates—high-end targets pay upper-class ransoms—but you can’t rely on your relative obscurity to protect your PHI.

As far as plastic surgeons getting compromised goes, this isn’t the first time a high-profile doc has gotten rolled for photographs and other PHI. And it probably won’t be the last, which should be reason enough to get you to call your doctor and ask how your information is protected.

If your protected health information or other personally identifying information gets hacked or leaked, it could negatively affect your credit score—and your ability to apply for a mortgage, personal loans, or credit cards. Keep an eye on your credit score by regularly reviewing your credit report for free on


Why Spam Is More Dangerous Than Ever


Spam is supposed to be a thing of the past, but it’s not—and today it comes weaponized with manifold data-grabbing threats—from ransomware to keystroke recorders and beyond. Your email has never been more dangerous.

There was a time in the early 2000s when email spam and malicious botnets were viewed as mere nuisances. A confident Bill Gates waved it away at the 2004 World Economic Forum in Davos, Switzerland: “Two years from now, spam will be solved.” The technical community was on the job—it had spam’s number.

Unfortunately, it was a repeating number.

Today, criminals are spreading ever more malicious forms of email spam, and the volume of spam is still robust. Though not at early-days numbers, spam accounts for more than half of all email traffic.

Multi-Tiered Attacks

Spambots are multitaskers these days. First, they trawl the internet for email addresses. (Yes, emails are sensitive information for this reason.) Next, they compile a gargantuan mailing list. Final step: they send your grandmother an email that promises to solve her male-pattern balding.

That is, unless that email offers her a discount on a medication that she takes, and she clicks a link that downloads software that exfiltrates all her user credentials.

Onliner is an especially pernicious spambot. Crafted to bypass many types of spam filters, Onliner specializes in the delivery of messages containing malicious attachments. It may name the IRS, hotel chains, or delivery services as the sender. The social engineering is nuanced, designed to trick the recipient into clicking on the attachment, thus triggering a copy of the Ursnif Trojan to install. Ursnif then swiftly steals account logins, credit card details, and other personal information.

There are others. We know about Onliner because its creators neglected to lock down a server, which allowed access to Onliner’s master mailing list of 711 million email addresses.

“What this tells us is that the spamming industry is alive and well and continues to adapt to produce a steady stream of profits,” observes Christian Lees, chief security officer at threat intelligence company InfoArmor. “Email continues to be an efficient attack vector. A high percentage of major data breaches are directly sourced via email.”

Stunning Advancements

Some historical context is helpful in understanding just how far spam and botnets have advanced. When Bill Gates spoke at Davos, spamming was carried out manually, and spammers had to actually rent or steal time on physical servers housed at hosting companies. Meanwhile, botnets were comprised of PCs surreptitiously infected and controlled by script-kiddie hackers out to make a name for themselves.

Today, spam delivery has become highly automated, thanks to the wide availability of resilient botnets for hire. Instead of having to bother with hosting services, spammers retain the services of a botnet operator who is in command of tens of thousands of infected PCs, supplemented with tens of thousands more virtual instances of computing devices.

These virtual bots represent stunningly clever use of public cloud computing resources, such as Amazon Web Services, Microsoft Azure, and Google Cloud. Botnet operators can now spin up hundreds of thousands of virtual bots cost-effectively and in the public cloud, which is why we now experience periodic surges of garden-variety advertising spam.

Wide-Open Attack Vector

Understandably, spambots are of acute concern to financial services companies, health care businesses, and other vertical industries that do business with their consumers online. These organizations recognize the “potential for losing their credibility,” says Giovanni Verhaeghe, product strategy director at VASCO Data Security. “Customers are wondering which messages are fake and which ones are really sent by the bank.”

Most organizations today filter email aggressively. But as Onliner makes clear, filtering is not enough. Email remains a wide-open attack vector that criminals continue to successfully exploit. The very existence of spambots reminds us that each individual bears the burden for staying alert, reducing their digital footprint whenever the opportunity to do so presents itself, and responding quickly if their email is hacked.

What does this mean for you? First: it’s time to dial back on convenience and use multi-factor authentication whenever it’s offered. And for sure it’s time to stop sharing every detail of our digital lives. Companies can help by providing efficacious employee training and encouraging a security-first culture. Employees need to be continually reminded of the spam threat. Spearphishing has never been more nuanced. “Trust but verify” should be everyone’s watchword these days.

Someday our technocrats may “solve” the spam problem, as Bill Gates predicted. But it won’t be tomorrow.


Are Your Connected Devices Safe?


The number of Internet of Things (IoT) devices in use is forecasted to hit 8.4 billion this year. That’s more than the human population on planet Earth. And with successful attacks like Mirai (which was the malware used in the 2016 Dyn cyberattack) already a part of the IoT story, there’s plenty to worry about.

It’s crucial we give this latest market exuberance a brief time-out. Unfortunately, the chances of that happening are fairly unlikely. So, what to do between now and the next zero-day exploit?

I’m specifically recommending a cyber “time-out,” and not a “breather” or any other term signifying a pause or cessation of activity. IoT technology is in its infancy and growing faster than projected. And it’s flawed.

Connected devices have not been around very long, and yet they’ve already managed to cause no end of trouble—whether we’re talking about hijacked baby monitors, IP cameras, or exercise trackers that broadcast granular details about your sex life to anyone who might be curious about it.

We need a time-out to think through and implement best security practices for the IoT market.

Are Connected Devices a Cyber Catastrophe Waiting to Happen?

With total spending on IoT or connected devices pegged to hit $2 trillion this year, the market is undergoing a period of staggering growth.

IoT is increasingly present in daily life. It can be found in kitchen appliances, cars, health care equipment, toys, exercise gear, and peripherals like watches and monitors. It’s in security systems and many of the creature comforts populating our homes.

On all fronts, the upside is impressive. Consumers get to shop for a whole new universe of things they never knew they wanted, and manufacturers are increasing their revenues. In case you don’t have the figures handy, the revenue target for 2017 represents 31% growth over the previous year.

Sounds great, right? But while everyone benefits from the hunger for next-generation, hyper-connected everything, consumers may lose sight of the security pitfalls associated with them. At the risk of being a killjoy, I believe it doesn’t just seem reasonable, but absolutely essential, to assume many new devices currently hitting the IoT market aren’t cybersecure.

So, while the boom in connected devices looks like a win for everyone, it’s not. When consumers connect new devices to the Internet, their attackable surface expands. Data is being moved around. New doors are opened.

Even the most cursory look backward reveals the likelihood of future attacks.

New Products, Better Prospects?

Nest is a popular smart home player in the IoT sector. The company just released some new devices, including home security cameras, which made me wonder about the lessons learned from recent zero-day fails.

In the Persai/Mirai catastrophe, IP cameras and routers were hijacked and roped into a botnet that hackers used to launch a massive distributed denial of service (DDoS) attack against Dyn, which routed traffic for major websites. The sites affected by the attack included The New York Times, HBO, PlayStation, Etsy, Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, and PayPal.

The Dyn attack was the direct result of rushing connected devices to market. IoT devices were sold to consumers with default passwords that many people never bothered to change (some don’t permit passwords to be changed), security taking a backseat in the race to the marketplace. While there was little to no issue with the affected devices on the consumer end, the hackers were able to use all those points of contact to launch the crippling attack on Dyn. And yes, that attack affected everyone. A back-of-the-napkin estimate on total cost is in the billions, not millions, of dollars.

In addition to Nest, I reached out to other IoT device manufacturers this week to hear what they’re doing to protect consumers in the wake of the Dyn attack and the mad rush to cash in on the robust market for connected devices. Of the 10 companies I contacted, only three got back to me.

Both Nest and Vivint (a leader in smart devices with excellent security) responded with answers that were music to my cyber-paranoid ears, though I’ll spare you the details. The same was not true of the third response, which came from a Honeywell representative: “I’d need quite a bit more time to fact check answers through our various businesses given the breadth of your questions.”

My questions:

There have been many instances of cams with factory-default passwords getting hacked—do new [Honeywell] cam products require the end user to create a secure password before they will function? Do they allow the consumer to create a password? What security measures were designed into the product?

What measures have been taken to protect other smart home products from hackers?

These questions are elementary. One has to suspect the reason so many companies failed to reply is that they don’t have great security built into the design of their products.
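The first of the questions above (does the device require the owner to set a real password before it will function?) describes a design choice a manufacturer can verify in code. The following is an added example, not code from the article or from Nest, Vivint or Honeywell: a hypothetical camera model that refuses to stream until an owner password is set, rejects well-known factory defaults and anything containing the label-printed serial number, stores only a salted PBKDF2 hash, and locks out after repeated failed logins. The `ConnectedCamera` class, its thresholds and the denylist are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed denylist of factory-style credentials; a real device would ship a larger one.
FACTORY_DEFAULTS = {"admin", "password", "12345", "123456", "1234", "root", "default"}


class ConnectedCamera:
    """Hypothetical device model: no video until the owner sets an acceptable password."""

    MIN_LENGTH = 12
    MAX_FAILURES = 5

    def __init__(self, serial: str):
        self.serial = serial
        self._salt: Optional[bytes] = None
        self._pw_hash: Optional[bytes] = None
        self.failures = 0

    @property
    def provisioned(self) -> bool:
        return self._pw_hash is not None

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        # Slow, salted hash so a dumped flash image does not give up the password cheaply.
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def policy_violation(self, password: str) -> Optional[str]:
        """Return why a candidate password is unacceptable, or None if it passes."""
        if len(password) < self.MIN_LENGTH:
            return f"shorter than {self.MIN_LENGTH} characters"
        if password.lower() in FACTORY_DEFAULTS:
            return "matches a well-known factory default"
        if self.serial.lower() in password.lower():
            return "contains the device serial number, which is printed on the label"
        return None

    def set_password(self, password: str) -> bool:
        """Provision the device. Returns False (and stays unprovisioned) on a policy failure."""
        if self.policy_violation(password) is not None:
            return False
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._derive(password, self._salt)
        self.failures = 0
        return True

    def login(self, password: str) -> bool:
        """Constant-time check; refuses everything once the failure budget is spent."""
        if not self.provisioned or self.failures >= self.MAX_FAILURES:
            return False
        ok = hmac.compare_digest(self._derive(password, self._salt), self._pw_hash)
        self.failures = 0 if ok else self.failures + 1
        return ok

    def stream(self) -> str:
        """The device's actual function is gated on provisioning."""
        if not self.provisioned:
            raise PermissionError("set an owner password before the camera will stream")
        return f"rtsp://camera-{self.serial}/live"  # constructed placeholder URL


if __name__ == "__main__":
    cam = ConnectedCamera("SN-0001")
    for candidate in ["admin", "SN-0001-rocks!!", "correct horse battery"]:
        print(candidate, "->", cam.policy_violation(candidate) or "accepted")
    cam.set_password("correct horse battery")
    print(cam.stream())
```

The gate in `stream()` is the part that answers the question: a device built this way cannot be shipped, plugged in and left on a factory credential, because it does nothing useful until that credential is gone.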

The takeaway here is simple, but important. When you are shopping for a connected device, security should be the first thing you ask about—even before checking out proffered features. The future is as safe as you make it.


Post Equifax: Will Free Credit Freezes Help?


When Equifax announced the historic data compromise that exposed the sensitive personal information of up to 143 million consumers, the company said victims would have access to credit freezes for a month free of charge. This was not exactly a solution to the fresh hell it had just announced.

Frankly, it seemed like a relatively cheeky move considering the staggering number of people who had just learned that they will be looking over their shoulders for a virtual mugger for the rest of their lives. I wouldn’t be surprised if Saturday Night Live re-creates Equifax’s offer of free credit freezes (for a whole month!) as a classic schoolyard drama featuring a bully holding a stolen bike in front of its owner and offering to give it back for a hefty fee.

My first thought was definitely not, “That seems fair.”

And while I can’t speak to whether there was any discussion of sketch comedy in their process, the Identity Theft Resource Center (ITRC) seems to have had a similar reaction. It launched a petition that urged Experian, TransUnion, and Equifax to let consumers freeze, thaw, and refreeze their credit files, free of charge, once per year.

Sadly, this is not a solution either.

The Legislative Angle

Senators Elizabeth Warren (D-MA) and Brian Schatz (D-HI) recently introduced legislation that would force the Big Three credit bureaus to provide more robust solutions to the 24/7 identity-theft quagmire we now inhabit thanks to the Equifax breach.

One of the main provisos was a legislative version of the ITRC petition: Give all Americans access to free credit freezing (and unfreezing) for life. Additionally, the bill would force the credit bureaus to reimburse any fees collected for freezes purchased after the Equifax compromise was made public.

“Credit reporting agencies like Equifax make billions of dollars collecting and selling personal data about consumers without their consent, and then make consumers pay if they want to stop the sharing of their own data,” Warren said when announcing the bill.

The Freedom from Equifax Exploitation Act is a move in the right direction, a roadmap for the Big Three to provide consumers with more robust fraud protections as well as an additional free annual credit report. (One free report is already a consumer right in the United States. You can check your credit report for free at

That SNL sketch encapsulates the feeling of the Freedom from Equifax Exploitation Act: credit bureaus shouldn’t be able to profit off the fear generated by their failures to protect our sensitive data.

Freezes Aren’t the Answer

While it is good to get those freezes (if you can figure out how to set them up), a credit freeze is by no means the be-all and end-all answer to the “What now?” reality of 143 million consumers.

Credit freezes do not mitigate all threats.

First of all, you are still vulnerable to attacks on existing accounts. Two easy ways to help diminish this threat are setting up transaction alerts and opting for two-factor authentication wherever it is offered.

You are also more susceptible to spear phishing emails and texts now, since fraudsters now know where you bank, where you have debt, and who financed your car. They no longer have to guess which bank you use, thereby making the whole process of defrauding you much more expedient—a real win for scam artist productivity. Employment and tax fraud as well as medical/healthcare fraud are also real concerns after the breach.

The best course of action given all these variables is to change the way you think about your vulnerability and practice the Three Ms, which I discuss in my book, Swiped: How to Protect Yourself in a World Full of Scammers, Phishers and Identity Thieves.

  1. Minimize your exposure. Don’t click on suspicious or unfamiliar links; don’t authenticate yourself to anyone unless you are in control of the interaction; don’t over-share on social media; be a good steward of your passwords; whenever offered, opt for 2-factor authentication; safeguard any documents that can be used to hijack your identity; and freeze your credit.
  2. Monitor your accounts. Check your credit reports religiously; keep track of your credit scores; review major financial accounts daily if possible (better yet, sign up for free transaction alerts from financial services institutions and credit card companies); read the Explanation of Benefits statements you receive from your health insurer; and seriously consider purchasing a sophisticated credit- and identity-monitoring program.
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly and enroll in a program where professionals help you navigate and resolve identity compromises—oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions, and employers.

The Three Ms are not a solution to the threat of scams in the wake of the Equifax hack, but they are a lifestyle change that can help fend off the inevitable attempts to exploit your identity for ill-gotten gain.
