How to Avoid Credit Card Theft while Traveling


Whether you plan to travel now or in a year, you should take steps to protect yourself from identity theft and credit card fraud while you’re on vacation. Tourists are often victims of theft, including passport and credit card theft—both of which can compromise personal information. Thieves can gain data by physically taking belongings the old-fashioned way or by hacking into your phone or computer.

By following these six tips before and after you travel, you could save yourself years or even a lifetime of credit and financial nightmares.

1. Notify Your Creditors of Your Travel Plans

Before you travel anywhere, call your credit card companies and your banks to let them know where you will be and when you plan to travel. Many banks and credit card companies keep track of your spending habits, so any purchases out of the norm may prompt them to lock down your account—this could be especially frustrating if you are out of the country and have no way of reaching your bank or credit card company.

If you do end up going overseas, find out the best way to get in touch with your creditors should your credit card or bank card get lost or stolen while you are away. Keep this information and all creditor phone numbers in a safe place that is separate from your cards—then you’ll have it on hand no matter what happens to your wallet or purse.

2. Set Up Email or Text Alerts

As you prepare to travel, subscribe to mobile email or text alerts. By doing so, you will be notified of all activity on your accounts. Receiving email or text alerts on your phone can stop credit card fraud in its tracks, since transaction information is sent to you almost instantaneously. This timely warning can help you resolve unauthorized purchases on the spot.

3. Make Copies

Whenever you travel, make photocopies of both the front and back of your credit cards. Give the copies to a trusted family member or friend at home. In the unfortunate event that your credit card is lost or stolen, you can quickly obtain all the information you need to cancel your credit card.

If you prefer to store copies digitally, you can scan and upload your copies to a secure cloud storage site, such as Google Docs or Dropbox. Should you access your documents while traveling, make sure you are connected to a secure network and not to an open Wi-Fi connection where hackers can steal your passwords and get into your accounts.

Whatever you do, do not keep copies in your luggage. Should your luggage get lost or stolen, you are putting yourself at risk for credit card fraud as your credit card numbers can be used to make fraudulent purchases.

4. Check Your Credit Card and Bank Accounts Often

If you haven’t done so already, sign up for online access to your bank accounts and credit card statements. Consider downloading the mobile apps for your bank and credit cards for easy and convenient access to your accounts. With these apps, you can not only view your bank balances and credit limits but also see all current transactions.

As soon as you see anything suspicious, immediately contact your bank or credit card company to report the questionable charge. Once you’re home, review the transactions from your trip to ensure you didn’t miss any unusual activity that should be reported.

5. Update Your Account Passwords and PINs

If you can’t remember the last time you updated your password or account PIN, it’s probably a good idea to do so now. Create passwords that are long and unique to each credit card and bank account. Updating your passwords and PINs may be a cumbersome task, but the time you take to do so will be well worth the extra protection and security.

6. Stay Alert at All Times

With the recent Equifax data breach, many are on high alert and constantly looking out for suspicious activity. But with time, people may grow lax and check their accounts less often—and this is when a credit card thief’s strike will hurt the most.

Some thieves may sit on your information in hopes of catching you unaware. So it’s important to continually monitor your credit and keep your files and important documents in safe and secure locations where thieves may not think to look.

If you’re thinking of taking a trip, use these tips to avoid credit card theft and protect your financial standing. Credit card fraud can be damaging if not handled properly, so don’t be afraid to check your accounts frequently or err on the side of caution. You can never be too careful.

 


The post How to Avoid Credit Card Theft while Traveling appeared first on Credit.com.

6 Ways to Make Your Family Harder to Hack 2018


While there are a thousand resolution-worthy action items out there, the time is always now for the things that need to change in our lives. Never were truer words spoken when it comes to our potential vulnerability to hackers.

The number of breaches and the granular nature of the data exposed in those attacks over the past year are both unprecedented. The Equifax breach alone included everything (and then some) that a scammer needs in order to buy a house or a car, pay for college or medical procedures, steal a tax refund or any other transaction.

But that’s not the only reason you should be on high alert. Technology is the friend of the hacker. Cybercriminals make a living being up-to-date on the latest security protocols and protections. They are also the most common spur for innovation, discovering the latest “eureka” moment in cybersecurity while reverse-engineering existing ones to steal data.

Side by side with the general threat is a “pre-set” attitude prevalent among consumers. Breaches and the identity theft that flows from them have become the third certainty in life, right behind death and taxes. The attitude tends to be, “There’s nothing I can do about it,” or “If it happens, it happens.”

I get it. I own a company that, among other things, helps consumers resolve the fallout of identity theft. But working on the front lines of what amounts to a war of attrition against the bad guys, I can tell you that consumers can, and should, be doing more.

Here are my suggestions: 

  1. Avoid Account Takeover with Better Password Tactics

According to a recent survey, more than 80% of people 18 and older re-use the same password across multiple accounts—a practice called daisy-chaining.

Here’s the scary part: You will almost certainly be able to guess the most popular password used by consumers in 2016. (It was “123456.”) Consider, there are affordable machines on the market today that can hit a website’s authentication system with billions of passwords per second. “Password” isn’t going to do much in the way of keeping you from getting got.

Even if your personal email address hasn’t been exposed in a data breach—you can check on Haveibeenpwned.com—you need to take extra precautions.

Here’s why: If a scammer gets control of your personal email, they can commandeer many, if not all, of your accounts—retail, financial and beyond. For this reason, whenever possible, do not use your name or email address for login purposes. Rather, treat it like another password (but bear in mind, many sites will not allow you to do this).

If that seems like a hassle (remember, security and convenience aren’t always compatible), there’s an automated solution: a start-up called Joinesty offers a Chrome extension that randomizes the email addresses used for login on various accounts, thereby rendering your personal email address useless to a hacker.

  2. Use 2-Factor Authentication

Do you use 2-factor authentication on all your accounts that offer it? It’s a relatively seamless process whereby every account login requires both a password and a six-digit code that is emailed or sent to your smartphone via SMS.

It is not failsafe. If a criminal has control of your personal email account or possession of your phone—and your password—they can beat 2-factor authentication. That said, you are a much less attractive target—the predator equivalent of a spiny hedgehog waddling down the road with an excessively plump piglet. Which one would you rather be?

  3. Turn Off Location Services, and Don’t Overshare

Remember the bumbling duo in the holiday classic “Home Alone”? It used to be that burglars cased a neighborhood. With oversharing on social media, including location data posted in photographs that permit geotagging technology and/or volunteered by way of preference settings, we are constantly “casing” ourselves for the would-be thief.

An added layer of complication here is that even if your social sharing doesn’t include location data, other members of your family might be sharing it. Remember, you are only as secure as your most insecure family member.

The conversation about cybersecurity should be ongoing with those closest to you, because increasingly we’re all connected in ways that can get people robbed. 

  4. Have Nothing to Ransom

Ransomware is going to continue to plague consumers in 2018.

Ransomware is a form of malware that occupies a victim’s computer and then encrypts every file on its hard drive. There are few things scarier than a ransomware attack, especially when the victim has no idea what just happened.

First rule of thumb: never make a payment to get files back (or stop someone from sharing embarrassing files—another prevalent scam). Contact a resolution expert first.

Second rule: Back up your files daily.

If you want to be one-hundred percent unaffected by ransomware, back up your hard drive on an encrypted, long-and-strong password-protected external drive and store a mirror backup on a cloud server. Then when your would-be extortionist demands cryptocurrency (which if you own any, should also be stored on an external wallet), you can say: “No,” and go on with your day.

  5. Enroll in Transaction Alerts and Identity Monitoring

There is no better way to calm fears of account takeover than transaction alerts. All banks and credit card companies offer them for free. They make fraud a momentary crisis that’s easily contained, since the moment a fraudulent charge occurs, or a scammer attempts to open a new line of credit, the consumer is notified.

Think of it as an under-age keg party that gets shut down by the police—a quick burst of annoying nothing, and then everything is back to normal.

There is an added benefit to transaction alerts: Every charge you make pops up on your phone or in your email, detailing the purchase, which can help you curb spending since there is a constant—albeit instant—reminder of how much money is going to be due at the end of your billing period.

  6. Practice the 3 Ms

  1. Minimize your exposure. Don’t authenticate yourself to anyone unless you are in control of the interaction, don’t over-share on social media, be a good steward of your passwords, safeguard any documents that can be used to hijack your identity, and freeze your credit.
  2. Monitor your accounts. Check your credit report religiously, keep track of your credit score, review major accounts daily if possible. (You can check two of your credit scores for free every month on Credit.com.) If you prefer a more laidback approach, see No. 5 above.
  3. Manage the damage. Make sure you get on top of any incursion into your identity quickly and/or enroll in a program where professionals help you navigate and resolve identity compromises–oftentimes available for free, or at minimal cost, through insurance companies, financial services institutions and employers.

The New Year offers the opportunity to turn a now-old threat into new peace of mind.

The dangers out there are manifold, but if you are prepared, even the worst attacks are survivable. The above suggestions aren’t resolutions. They are common sense. At their best, New Year’s resolutions are an arbitrary deadline to change your habits in one way or another. When it comes to hack-proofing your life, we’re way past midnight.

 

If you’re concerned about your credit, you can check your three credit reports for free once a year. To track your credit more regularly, Credit.com’s free Credit Report Card is an easy-to-understand breakdown of your credit report information that uses letter grades—plus you get two free credit scores updated each month.


The post 6 Ways to Make Your Family Harder to Hack 2018 appeared first on Credit.com.

Who Do I Call If I Lost My Social Security Card?


If you lose your Social Security card, you’ll have to order a replacement card from the Social Security Administration (SSA). But unfortunately, a simple phone call will not do the trick. Instead, you will have to apply online using a my Social Security account or supply verification to a Social Security office in person or by mail.

Online Application for a Replacement Social Security Card

To apply online with a my Social Security account, you’ll need to meet all the following criteria:

  • You are an 18-year-old or older US citizen with a US mailing address.
  • You have a driver’s license or other state-issued identification from a specific list of states.
  • You are not requesting any changes to your card, including a name change.

In-Person or Mail Application for a Replacement Social Security Card

If you don’t meet the criteria for an online application, you have to apply in person or by mail. And you’ll need to gather a few documents to supply verification to the SSA office.

Documents must be current (not expired) and must show your name, date of birth or age, and—when applicable—a recent photograph. And they have to be originals, not photocopies. There are two separate categories of documents, and you’ll need one from each:

  • Citizenship
    • US birth certificate
    • US passport
  • Identity
    • US driver’s license
    • State-issued non-driver identification card
    • US passport

If you don’t have any of the documents from the Identity category and can’t get a replacement in 10 days, you can use another current document. It still needs to show your name, date of birth or age, and preferably a recent photograph. The following cards are often acceptable forms of ID:

  • School identification card
  • Employee identification card
  • US military identification card
  • Health insurance card other than a Medicare card

If you were not born in the US and have not established citizenship with SSA, you’ll need to provide acceptable proof of citizenship as well. 

Children’s Application for a Replacement Social Security Card

While some teens may have their driver’s license already, many minors don’t. And if your child doesn’t have a passport yet, you may have to dig around for alternative documentation.

A birth certificate may prove age or citizenship, but as the SSA states, “Social Security needs evidence that shows the child continues to exist beyond the date of birth.” Therefore, you’ll also have to produce a more recent document with their name, identifying information, and—if possible—a recent photograph. There are a few documents you could use:

  • Adoption decree
  • State-issued non-driver identification card
  • Doctor, clinic, or hospital record
  • Religious record
  • School identification card

In addition, a parent must provide their own proof of identity and, if required, their proof of citizenship or a current Department of Homeland Security document such as a green card. 

How Long Does It Take?

If you can get to a local SSA office just before opening, you can get in and out of there in about 15 minutes. If you can only go later in the day, the wait time could vary from location to location. After they process your application, they’ll give you a letter indicating that a card has been requested, which you can show to employers or other parties who request a Social Security card. Your new card will arrive within two weeks.

For online or mail requests for a replacement card, the application process could take a tad longer. But after your application is processed, you can expect your new card within two weeks.

Once you get your card, be sure you keep it in a safe place only you or trusted family members can access, such as a safe or lockbox.

Don’t Forget the Next Step

If you’ve lost your Social Security card, replacing it is just one step. A lost card could make you an easy target for identity theft, so you should take additional steps to protect your identity, especially if you suspect the card may have fallen into the wrong hands. Here’s what to do: 

  • Get a free annual credit report to make sure you recognize all information reported there.
  • Keep a close eye on your credit scores for abrupt changes, which could signal fraud. You can get a free credit report snapshot updated monthly through Credit.com.
  • If you notice suspicious activity, consider placing a fraud alert on your credit reports. In severe cases, a credit freeze may be appropriate. 

Note that monitoring your credit is an ongoing task. Once your information is compromised, it could be at risk for years to come.

If you’ve lost your Social Security card, use the information above to get your replacement. And remember to keep a vigilant eye on your credit activity to ensure your Social Security number hasn’t fallen into the wrong hands.

The post Who Do I Call If I Lost My Social Security Card? appeared first on Credit.com.

The 12 Scams of Christmas for 2017


Scammers make a killing during the holiday season. While you spend your time thinking of ways to bring holiday joy to others, they spend their time thinking up ways to steal from you. The saddest part about this is that the ghosts of Christmases past keep visiting Christmas present.

With that, I give you this year’s 12 scams of Christmas.

  1. The Gift Card Scam

While definitely a ghost of Christmas past, this still works, so scammers still do it. It’s pretty simple. The thief records the numbers displayed on a gift card, and then calls the company that issued it to find out if it has been activated, which occurs when the card is purchased. The problem here is one of timing. If you buy a gift card early in the shopping season, it’s more exposed to fraud. That said, recipients of gift cards often take a while to use them.

Tip: If you are going to purchase a gift card, do it as close to Christmas Day as possible, and encourage the recipient to use it as soon as possible.

  2. Sneak Attacks on Your Credit

With the non-stop news of data breaches involving credit card numbers, many of us are walking around with compromised payment cards that can be used by a scammer, and there is no more perfect time of the year for them to try than Christmas. The usual warning signs of an account takeover, or a fraudulent charge, may be harder for financial institutions to spot, since Christmas gifts often don’t conform to a cardholder’s buying patterns.

Tip: Sign up for transaction alerts from your bank or credit card issuer that notify you any time there is activity on your accounts.

  3. Fake Charities

While it’s not exactly the way it plays out in our nation’s malls and shopping districts, Christmas is traditionally a time for contemplation and charitable giving—something captured very well in Charles Dickens’s classic, “A Christmas Carol.” So if you want to give during the holiday season, it’s crucial to make sure the appeal is real.

Tip: Before responding to an online appeal, visit the website by typing in the organization’s URL manually, or by using search to find the link. If you are still unsure, call. If you are still uncomfortable, use Charity Navigator or contact the Office of the Attorney General in your state to confirm the organization’s authenticity.

  4. Temporary Holiday Jobs

Holiday jobs are a good way to make some extra money, and there are a lot of them, but bear in mind there are myriad scammers out there who may offer fake jobs to harvest your very real personally identifiable information—the most valuable of which is your Social Security number.

Tip: Don’t give your Social Security number to anyone unless you absolutely have to, and don’t provide it before you confirm you’re dealing with a representative of a real organization that has offered a job to you. Never send your information digitally unless you know the recipient uses proper security protocols. (You may not be using secure tech either, so try to be conservative about what you send digitally.)

  5. Phishing, Vishing and Smishing

You might receive a phone call, a text or an email. Whatever the delivery system, it’s a fraud, but it won’t necessarily look like one. It could look like a sales promotion from a brand you like, or an offer on a deal that seems too good to be true, or even just “pretty good.” Scam artists can be very nuanced. Be on the alert before you act on any offer.

Tips: Check that the URL matches exactly, and never provide any personal information on any web page unless the URL is secure and starts with “https.” Email links should always be considered suspect.

  6. True Love

The holidays can be lonely, and catphishers know that. Love scams are the worst, as they prey on the emotions in the most exploitative ways, disarming the heartstrings with an eye to loosening purse strings. The money lost can be considerable, and the upset unfathomable.

Tip: As corny as it seems, be careful with your heart and don’t give it away to just anyone. If you feel like you’re falling for someone and they somehow can never make an in-person appearance, don’t send them money to do so. You can do better.

  7. Hotel Scams

You might fall victim to the restaurant flyer scam, the menu for a non-existent eatery shoved under the door resulting in an order that gets you robbed, or it could be the front desk scam where you get a call after check-in asking for another credit card number because “the one you provided was rejected.”

Tip: Assume the worst when in unfamiliar territory, and be on guard when traveling. Always distrust. Always verify.

  8. Fake online shops

This is a tough one, but here’s the deal… Bargain? Amazing prices on things that should cost a lot more than a fake online shop is asking are alluring, which is why people fall for them all the time. Pop-up shops are cool, but they may not always be legit.

Tip: Look at the About Us page and call the designated contact number. If there is no number, think twice before making a purchase. Also pay attention to detail. Are there spelling errors in the copy? Bad-looking stock photos? Look for trouble.

  9. E-Cards

We all appreciate the sentiment behind an e-card, but that should not outweigh the risk of malware that can take a computer hostage or record every keystroke so that your most sensitive credentials for financial accounts can be stolen. E-cards are a popular form of fraud among scam artists, and you should be very cautious when you receive one.

Tip: Email, call or text the sender and ask if they sent an e-card. In this environment of constant attack, they will understand (and if they don’t, your Christmas present to them can be forwarding this column).

  10. E-voucher scams

This scam is built for people old enough to remember a physical, printed voucher, which, presented in person at a brick and mortar store, would get you a discount. They were basically a coupon. E-vouchers are fine if they come in the form of a number sequence, discount code or keyword, but anything else should be considered suspect.

Tip: Be on the lookout for grammar or spelling errors. Always type in the URL of the site for which you have an e-voucher, and enter the code or number there. If it comes by way of text or email and it involves a link, don’t click through. 

  11. Fake Shipping Notifications

What could be worse than a message from your favorite e-tailer letting you know that the must-have item you ordered is out of stock or was sent to the wrong address? Another oldie but goodie among thieves is a notice informing you that the “Item has been delivered” when it hasn’t been.

Tip: Never click any link associated with this type of communication. Always log onto the e-tailer site for more information, or pick up your phone and call.

  12. Wish list scams

Online wish lists are a bad practice that should be discouraged. In theory, the online wish list creates a place where friends and relatives can find out what you want for Christmas, which many find preferable to guesswork. Beyond being horribly transactional, the practice opens the list-maker to phishing attacks, since scam artists will automatically know what interests you.

Tip: If you must post a wish list online, custom set the privacy on the post so that only particular people can see it, and don’t include any personally identifiable information.

At Christmas it’s always better to give the gift than be the gift that keeps on giving to identity thieves.

If your personal information does fall into the hands of a scammer, be sure to monitor your credit for signs of identity theft. You can do so by viewing your free credit report snapshot, updated every 14 days, on Credit.com.

 


The post The 12 Scams of Christmas for 2017 appeared first on Credit.com.

How the Uber Hack Could Get You Robbed This Christmas (Again)


News that Uber got hacked and 57 million records were compromised may not seem like an overt threat after this year’s constant mega breaches—but it is. A recent study suggests that even something as “harmless” as a breach involving names, phone numbers, and email addresses can lead to account takeover.

The study, entitled “Data Breaches, Phishing, or Malware? Understanding the Risks of Stolen Credentials,” was backed by Google and conducted in partnership with the University of California, Berkeley, and the International Computer Science Institute.

While the title may sound boring, the takeaway is terrifying: Account takeover isn’t happening the way many people think.

What Is Account Takeover?

The first thing you need to know about account takeover is this: It’s an incredibly serious matter.

Account takeover is a form of fraud. A criminal attempting account takeover may target your bank account, your credit card accounts, or any other financial service where you do business. Once a criminal has control of an account, you will be robbed.

It’s easy to understand how your Social Security number can be used to defraud you, not to mention the time-suck of setting the record straight with whatever companies composed part of the digital “crime scene.”

Since the days of the rotary telephone, our Social Security numbers have acted as virtual skeleton keys to our financial realities. It was the way we proved that we were the right person to access our money at a bank or to be granted credit. For a long time criminals have found creative ways to use that same key to rob people—whether through the creation of new credit accounts or through account takeover.

Stolen credentials come in many forms, and they are not equal by any means. The importance of the Google study hinges on this new reality: Social Security numbers aren’t the worst threat to your accounts based on current statistics. And herein lies the kernel of what matters most in the study.

Account takeover can also zero in on your email.

How can you be robbed if a criminal has control of your email account? Think about how many of your active online accounts will send a link to reset your password via email—and then continue reading after you stop hyperventilating.

In a world where most of the day-to-day transactions we make are digital but two-factor authentication has not been universally adopted, the control of your email account by a third party may create an even greater vulnerability to fraud than the possession of your Social Security number.

Why Uber Matters (and Doesn’t)

The Uber hack was discovered more than a year before it was reported, and the company paid the hackers $100,000 to keep the incident under wraps. That such things aren’t considered serious crimes in the US is something to ponder, but that’s not the reason the hack matters.

The longer your information is “out there” unbeknownst to you, the longer you are unwittingly exposed to all stripes of crime—including account takeover.

There are many ways you can be attacked, but with the Uber hack, email would be the way in. The phishing ruse can be anything. Social engineering, or the art of tricking people into doing what you need them to do so you can rob them, can be endlessly creative.

Because the Uber hack included names and phone numbers in addition to email addresses, affected consumers may have spent the past 12 months being exposed to the more insidious threat of spearphishing and fraud via vishing (voice phishing).

In spearphishing attacks, the fraudster does a little research. For instance, using an Uber customer’s phone number, they may locate a Facebook account, and, from there, identify close friends and family. The criminal sends a spoofed email from what he or she guesses will be a trusted sender with a link that downloads keystroke-logging malware and thus puts the recipient one login away from account takeover. A majority of people use the same passwords at different sites, which means the fraudster will likely have access to multiple accounts once they determine one password.

Some questions you should always ask:

  • Is it the right time of the month? (Your banks and other accounts usually send statements on the same day every month.)
  • Does it make sense? (Has your cousin ever sent you a cute animal video before?)
  • Can you trust those links? (A general rule of thumb now that spoofs are impossible to detect is to distrust all links, always, and type URLs to wherever you need to go.)

And of course, check the email address behind the display name on any email you receive before replying, and never be shy about asking a sender if they sent you something.

Another thing you should do whenever possible: Enable two-factor authentication. But bear in mind that even if you do everything right you may still be compromised. Unfortunately, there is no silver bullet. There is only vigilance and the three Ms (minimize your exposure, monitor your security, and manage the damage), which I discuss in my book, Swiped.

The violation of privacy associated with the takeover of an email account is disturbing, but it is nothing compared to the potential life disruption it can cause. Now more than ever, you need to be exceedingly careful about the links you click on in email and the calls you take—because you truly never know who’s on the other end.

If you fear you have been the victim of fraud, check your credit report for suspicious activity. You can get your free credit report at Credit.com.


The post How the Uber Hack Could Get You Robbed This Christmas (Again) appeared first on Credit.com.

Tips for Buying Safe Connected Devices This Cyber Monday


Keeping up with news alerts about cybersecurity flaws in consumer electronics is a lot like picking up spilled jelly beans one at a time with a plumber’s wrench. Even if you figure out how to do it and have endless patience, a few will skitter out of sight.

Assume for the moment that, unlike most people, you think a lot about cybersecurity and you do your homework before buying a connected device. (I know. This is a truly ridiculous proposition. But let’s just say it’s the case.)

As you prepare for Cyber Monday, make cybersecurity part of the purchase process. What does your thinking about cybersecurity look like? What form does it take? Perhaps you like to use a search engine to see if there have been any obvious problems associated with the product, service, or device you’re considering. And by problems, I mean specifically cybersecurity and privacy issues.

This simple action can save you from a time-consuming hassle later. Security lapses abound. It’s your job to know about them.

Your Role in Cybersecurity

If you think this sort of research is too hard, relax. It’s easy. A simple search using the name of the item in question as well as terms like “compromise,” “privacy,” and “breach” is a good place to start.

For example, maybe you’re thinking about giving someone a credit monitoring gift that protects them from fraud. You might do the following searches:

  • “Equifax hacked”—About 901,000 results (0.58 seconds)
  • “Experian hacked”—About 128,000 results (0.63 seconds)
  • “TransUnion hacked”—About 62,800 results (0.37 seconds)

Now, bear in mind, many of the search hits on Experian and TransUnion (both of which offer sophisticated monitoring programs) come by way of obligatory mentions in the coverage of the Equifax compromise.

You’re Still Not Safe

Let’s say you get a connected cam to monitor an aging parent. There are some basics to consider. You’ve got to assume, for example, that Mom may not want to be the star of a Russian reality TV show called something along the lines of “Stupid Americans I Have Hacked.” But you also have to assume it could happen.

If you did your homework right, you know there’s been a problem with many plug-and-play webcams involving the use of manufacturer default passwords.

Checking for known security issues or a history of poor security is important, but there is still more work to be done before Cyber Monday to make sure you’re not giving someone a gift that robs them blind, opens them up to public ridicule, or simply embarrasses them.

The Most Important Question

That camera with seemingly perfect security you got your mom could become a live feed to her own version of The Truman Show for an avoidable reason: the cam wasn’t patchable. This means that when a security flaw is discovered, there is no way to protect the cam because it cannot receive security patches.

You’ve read privacy policies online and have made sure the product you’re thinking about doesn’t get significant revenue by selling data collected from this or that smart device, but the item also needs to be patchable.

Many companies do a very good job. Contrary to the folklore about planned obsolescence at Apple, the company is excellent at supporting older devices and operating systems, and it is a top player when it comes to security patches.

Let’s focus on gadgets. If the connected device you’re considering is not properly maintained after the launch of later generations of that product or a related service, keep looking for one that is.

And ask, Is this connected device patchable?

This Cyber Monday, the only way to find those errant jelly beans mentioned above is to do the requisite research.

While nobody has the time to read every news item about product security, with the holiday shopping season upon us, it’s imperative to think about cybersecurity basics.

Data breaches and other compromises are the third certainty in life, right behind death and taxes. The simplest way to avoid falling prey to products and services that offer shabby or nonexistent cybersecurity? Don’t buy them.

If you fear your information has been compromised through an unsecure device, review your credit report for any suspicious activity. You can get your credit report for free through Credit.com.

The post Tips for Buying Safe Connected Devices This Cyber Monday appeared first on Credit.com.

Uber Data Breach Impacts 57 Million — Here’s What You Need to Know

Some 57 million Uber users’ personal information was exposed in October 2016 when the car-hailing company experienced a cyber attack, the company announced Tuesday — more than a year after the occurrence of the incident. 

Bloomberg reported the company paid $100,000 to the hackers responsible for the attack to keep the breach private.  

What happened? 

Dara Khosrowshahi, Uber’s new CEO who was appointed by the board in August, said in a statement that two people outside the company “inappropriately accessed user data stored on a third-party cloud-based service that we use.” 

The attackers stole data of the 57 million people across the globe, including their names, email addresses and mobile phone numbers. About 600,000 U.S.-based drivers were among 7 million Uber drivers whose license numbers and names were exposed in the breach. 

The data breach was the latest in a string of high profile cyber attacks that weren’t revealed until months or years later.  Fortunately, it doesn’t appear that Uber users have to worry about any of their financial information being exposed. Khosrowshahi said no evidence indicated that trip location history, credit card numbers, bank account numbers, or dates of birth were stolen.  

What was done? 

After the attack happened, Uber “took immediate steps” to safeguard the data and blocked further unauthorized access to the information, according to Khosrowshahi. The company identified the hackers and made sure the exposed data had been destroyed. Security measures were also taken to enhance control on the company’s cloud storage.

“None of this should have happened, and I will not make excuses for it,” Khosrowshahi said. “While I can’t erase the past, I can commit on behalf of every Uber employee that we will learn from our mistakes. We are changing the way we do business, putting integrity at the core of every decision we make and working hard to earn the trust of our customers.” 

The company let go two employees who led the response to the incident on Tuesday, according to the statement. Uber is also reporting the attack to regulatory authorities.  

What can you do? 

Uber said no evidence shows fraud or misuse connected to the data breach.  

If you are an Uber rider…

The company said you don’t need to take any action. Uber is monitoring the affected accounts and has marked them for additional fraud protection, Khosrowshahi said. But you are encouraged to regularly monitor your credit and Uber accounts for any unexpected or unusual activities.

If anything happens, notify Uber via the Help Center immediately. You can do this by tapping “Help” in your app, then “Account and Payment Options” > “I have an unknown charge” > “I think my account has been hacked.” 

If you are an Uber driver…

If you are affected, you will be notified by Uber via email or mail and the company is offering free credit monitoring and identity theft protection.  

You can check whether your Uber account is at risk here 

Check out our guide on credit freezes and other steps you can take to protect your identity if personal information is compromised in a data breach.

The post Uber Data Breach Impacts 57 Million — Here’s What You Need to Know appeared first on MagnifyMoney.

7 Ways to Protect Yourself as You Shop for the Holidays

The holiday season is an enormous economic event, so much so that the National Retail Federation estimates that holiday shopping represents as much as 30% of a retailer’s annual sales. But as a consumer, increased spending can leave you more vulnerable to theft and fraud.

However, there are steps you can take to guard against theft. Here are seven ways to protect yourself as you shop for the holidays.

1. Pay with a Credit Card

Stolen cash isn’t easily recovered, and a thief could use your debit card to empty your bank account. Credit cards offer better protection.

Even if your card is stolen, federal law dictates that you can’t be held liable for more than $50 in charges. That liability drops to $0 if you report the card’s loss before fraudulent charges occur or if it’s your card number, not your physical card, that was stolen. Many credit card issuers will automatically waive the $50 no matter the scenario.

2. Use a Virtual Card Number Online

Some credit card companies offer virtual card numbers, which can keep your information safe as you shop online. These temporary 16-digit numbers are linked to your account, but allow you to set predetermined spending limits and an expiration date. If a thief gets ahold of your virtual number, your exposure is limited and you won’t have to go through the hassle of canceling and replacing your card.

There are third-party virtual card providers out there if your credit card company doesn’t offer this service, but their quality may vary and they will require you to sign up for a separate service.

3. Protect Your Account Logins 

Your accounts are only as strong as your password. Use different passwords for every account; this way, if one of your passwords is compromised, your other accounts will still be safe. Many online retailers (including Amazon) now offer two-factor authentication, which gives you an additional layer of security when you log in.

4. Shop with One Account

It’s more difficult to track your spending when you use multiple credit cards or bank accounts. You should limit your holiday shopping to one account, which makes it easier for you to identify unauthorized charges.

5. Shop at Secure Websites

Be careful about the websites you visit. You should only make purchases at trustworthy retailers. Also, check for the secure padlock icon and an “https” at the beginning of the retailer’s web address, both of which indicate that your connection to the site is encrypted. This makes it more difficult for hackers to steal your information.

6. Monitor Your Accounts

You should be closely monitoring charges on your account all year long. While many financial institutions now offer account monitoring, their systems aren’t foolproof. Make sure to carefully read over your monthly statements to identify unauthorized charges.

7. Monitor Your Credit Report

Credit card numbers are replaceable, but if thieves get hold of really important information—like Social Security numbers, birthdates, and addresses—you could become a victim of identity theft. Check your credit report regularly to make sure no one is opening fraudulent accounts in your name. You can see your credit report for free at Credit.com.

The post 7 Ways to Protect Yourself as You Shop for the Holidays appeared first on Credit.com.

Can You Hack-Proof Your Personal Email Address?

This simple trick can help reduce spam and add an additional layer of protection against phishers and identity thieves.

How would you feel if the digital “you” were deleted? The common wisdom in cybersecurity circles is that if you think it can’t happen to you, it probably will. Consider Mat Honan’s story.

“First my Google account was taken over, then deleted,” Honan wrote. “Next my Twitter account was compromised, and used as a platform to broadcast racist and homophobic messages.” Honan’s AppleID was used to remotely delete all the data on his iPhone, iPad, and MacBook.

“My accounts were daisy-chained together,” Honan confessed. Sound familiar? Most people have to authenticate via daisy-chain. Even if you have everything segregated and use multi-factor authentication, chances are good that your personal email address is used to log in to most of the places you go online.

If a hacker gains access to your personal email account and, like most people, you’re lax when it comes to personal cyber hygiene, it could be game over for you—not only with regard to your data, but for whatever assets and accounts you manage online.

Can Your Personal Email Be Hack-Proofed? 

The short answer is no. Hacks and data breaches are the third certainty in life, right behind death and taxes. In fact, the most likely reason you haven’t been hacked yet is that there is a staggering number of sitting ducks out there. Needless to say, however, there is no safety in numbers. Hackers become more efficient all the time. 

While there is no silver bullet to our collective vulnerability, brothers Steve and Robert Yoskowitz think they might be able to help with Joinesty, a Chicago-based digital security startup that recently released an interesting Chrome extension.

Like LastPass and other password managers, Joinesty allows users to change passwords for everything they access online. Login credentials are automatically generated and easy to manage.

What makes Joinesty different is that they also let users create unique email addresses (to be forwarded in real time or delivered in daily digest form) for everything they access online, thereby shielding their personal email address from prying eyes.

In addition to email management, Joinesty lets users know about deals that are available at over 7,500 merchants in real time.

“The feature injects into Google so users can see what deals are available within their search results,” CFO and co-founder Steve Yoskowitz told me. “As cybersecurity and privacy become everyday and every-person concerns, we are trying to create an environment of security appealing to a demographic which may not know how much they need it, while targeting the interactions and online behavior that expose users the most.”

Before you decide that Joinesty is an advertising vehicle disguised as a cybersecurity solutions company, I asked about revenue, which is subscription based. Users can choose between monthly or annual subscriptions at $6.99 a month or $41.99 a year.

“The pillars of the Joinesty brand are trust, transparency, and simplicity,” Yoskowitz told me.  “We structured every aspect of our platform around these pillars, including our revenue model.”

Why Personal Email Addresses?

Nobody needs a disquisition on the dangers of using the same password for different accounts and services, though the number of consumers who still do it is alarming.

Instead, how about a quick lecture: According to one recent survey, more than 80% of people 18 and older re-use the same password across multiple accounts. The most popular password in 2016 was “123456.” For less than $1,000, hackers can buy a machine that has the capacity to test billions of passwords per second. Effect: You are vulnerable. Password managers work, so use one. (End of sermon.)

Actually, it’s not quite the end of the sermon. Because lousy password hygiene is so prevalent, you need to know if your personal email address has been leaked in a data breach or, better yet, just assume that it has been. Haveibeenpwned.com is one place to go if you’re curious.

Personal email addresses present a huge vulnerability for most people and an infinite number of clear-sky lines of attack for hackers.

A recent data sample found that in the United States there are an average of 130 accounts assigned to a single email address. We’re talking about newsletters, e-commerce sites, banks, gyms, portals to your medical records and healthcare coverage, investments, car loans, credit cards, and—as Mat Honan knows all too painfully well—social networking sites.

Your personal email address is one of your most visible forms of personally identifiable information (PII), and yet many websites require it. If your email is commandeered, whoever has control of it is just a few clicks away from taking control of your finances and anything else they might care to target. Think of your email address as a much less secure version of your Social Security number—especially if you have bad password habits.

I asked Yoskowitz about the use of personal email addresses as a login credential. After a quick scan of the top 210 Quantcast sites, he found that only 26 had no login. “Two had a username—instead of email—for logging in, so roughly 86% currently require email for login,” Yoskowitz told me.

Fewer Opportunities to Click and Get Got

So, is Joinesty addressing the personal email problem or taking advantage of it? Does the solution open up new vulnerabilities? Is this merely a ploy to sell ads and profit off our collective cyber-insecurity? 

The first thing you need to know is that Joinesty offers something of value.

It is not tokenization per se, but it’s like it in that Joinesty replaces PII (in this case your personal email address) with equally valid but non-identifiable data.

“We retain the purposes and benefits of tokenization allowing the user to retain all the functionality of giving out their personal email—logging into their accounts, receiving deals—without that email address having any inherent value to hackers because of its unique one-off nature.” 

Parting shot from my book Swiped: When creating an account on sites that allow a non-email login name, let your spirit fly. Be creative (but store it somewhere on a cheat sheet that resides on an encrypted memory stick). You might even consider using a long-and-strong password as your login name if the site will allow it.

The post Can You Hack-Proof Your Personal Email Address? appeared first on Credit.com.

5 Ways to Keep Your Personal Health Information Safe

Did members of the royal family go under the knife at an upscale London plastic surgery clinic? A recent hack at London Bridge Plastic Surgery may reveal the answer to that—and many other questions you never thought to ask.

Setting aside the obvious follow-up questions (Do you care? Is it any of your business?) and regardless of your curiosity about seeing the picture proof of royal rearrangements, you should be paying attention. The hack speaks to our collective vulnerability when it comes to protected health information (PHI).

What Happened

The hacker collective known as The Dark Overlord took responsibility for the royal family’s data grab. The group’s responsibility was confirmed by The Daily Beast after a reporter at the site reviewed both in-progress and before-and-after photographs of family members’ physical enhancements.

You may remember The Dark Overlord: it was behind an October hack that featured threatening texts sent to parents of school-age children in several states and voicemails left by victims being dumped online. The group was also behind a notorious Netflix-related hack. It memorably stole the fifth season of Orange Is the New Black from Larson Studios and released the first episode even after having received about $50,000 in Bitcoin to not do so.

As reported by Variety, The Dark Overlord had decided that its victims were in breach of contract. Specifically, “Larson Studios was in great delinquency of the agreement after sources confirmed law enforcement cooperation,” the group claimed. “Our agreement provides us the right to execute harmful action against any client who defrauds our agreement.”

Why It Matters

Did you notice how The Dark Overlord called the studio its “client”? I have long said that while we have day jobs, all of us collectively are hackers’ day job. Their sole objective in life is to seep their way into the assets of our identity. Always remember that your personal information is an asset with real, assignable value.

The Dark Overlord is not alone in viewing its victims in this transactional way. Hackers are in it for the money. Bigger operations offer customer service–style communication to make the ransom/payoff part of the process a high-touch consumer experience.

You may think, “This can’t happen to me.” But how do you know? Consider how your medical provider stores your PHI. Have you ever seen a physical file? Do you know where it’s stored and who has access to it? That sort of physical information is vulnerable. It could easily be stolen or duplicated. What about electronic data? Everyone knows that just because an entity stores information digitally doesn’t make it secure from compromise.

5 Steps for Keeping Your PHI Safe

Security is complex and requires constant maintenance. Here are five steps you should take to keep your personal health information safe from hackers and other no-do-gooders.

  1. Ask if your medical provider implements a data security solution. While it may seem like a simple question, many providers don’t have a clue about data security. The only way to find out if yours does is to ask.
  2. Find out if your medical provider uses a vendor. If your medical provider uses a vendor, get the name and check out its reputation online.
  3. Ensure that your medical provider double encrypts your PHI. Your doctor may not know whether your PHI is double encrypted—especially if they use a vendor as their data security solution. Either way, push the point. The only way we all become more secure is if we all demand a high data-security IQ from our peers and service providers.
  4. Inquire about who has access to your PHI. By asking this question you may be pointing your provider to safer records. Only your doctor and other medically trained staff with a reason to be looking should have access to your PHI.
  5. Locate where your PHI is stored and how it moves around. Does your medical provider use a cloud server or onsite hardware to store your PHI? How are the servers connected to the network? Is there a secure network used solely for PHI and another for less sensitive traffic or smart devices used in the office?

We All Have Something to Lose

Granted, you may not have had any work done at a fancy plastic surgery clinic, but you’ve probably been to a doctor—and most likely at least once for an ailment that you’d rather not have broadcast to others. The victims of the data breach at London Bridge Plastic Surgery are just like you and me for that reason, even if they are royal. We all have something to lose: our privacy.

The sensitive data theft lottery definitely discriminates—high-end targets pay upper-class ransoms—but you can’t rely on your relative obscurity to protect your PHI.

As far as plastic surgeons getting compromised goes, this isn’t the first time a high-profile doc has gotten rolled for photographs and other PHI. And it probably won’t be the last, which should be reason enough to get you to call your doctor and ask how your information is protected.

If your protected health information or other personally identifying information gets hacked or leaked, it could negatively affect your credit score—and your ability to apply for a mortgage, personal loans, or credit cards. Keep an eye on your credit score by regularly reviewing your credit report for free on Credit.com.

The post 5 Ways to Keep Your Personal Health Information Safe appeared first on Credit.com.