
Data Breaches At Maryland Parking Garages Affect Thousands

Data breaches at three parking garages in downtown Annapolis, Maryland have put the sensitive personal and payment data of thousands of consumers at risk. WJZ, the CBS affiliate in Annapolis, reported:

"... preliminary investigation shows that the breach took place from December 23, 2015 to June 11, 2016 — nearly six months — at the Noah Hill, Gott’s Court and Knighton garages... The breach affects drivers who used the daily parking option, not those who have monthly plans or residents."

After learning about the breach, the city switched to cash-only payments. While the city responded quickly, questions remain. The news report did not mention when and how affected persons would be notified of the breach. A brief scan on Monday of the Annapolis Parking website did not find any breach notices. Consumers need to be notified promptly.

Also, the nature of the breach suggests that the payment terminals were compromised. Many consumers are probably thinking: I don't live in nor visit Annapolis, so no problem.

Well, big problem. We all visit and park our vehicles at downtown city locations. Some people visit more often than others. You don't have to look far to find breaches at parking garages in Chicago, Cleveland, and at this parking vendor which serves several cities.

This Annapolis parking-garage breach is a reminder of the vulnerability of payment terminals at all parking garages. Like the pumps at gas stations, parking garages have free-standing payment terminals that are unattended for long periods of time. This creates an opportunity for criminals to tamper with the terminals and install skimming devices either inside or on the exterior of the terminals. It is a popular tactic used by criminals at both ATMs and gas stations.

So, when you pay using a debit or credit card at a parking garage, you are betting that the garage operator regularly inspects its payment terminals for skimming devices, and adequately protects its computer systems from hacks and malware.


LinkedIn Data Breach Was Larger And Worse Than Consumers First Told. 117 Million Persons Affected

The 2012 data breach at LinkedIn.com was far larger and worse than originally thought. Motherboard reported:

"A hacker is trying to sell the account information, including emails and passwords, of 117 million LinkedIn users. The hacker, who goes by the name “Peace,” told Motherboard that the data was stolen during the LinkedIn breach of 2012. At the time, only around 6.5 million encrypted passwords were posted online, and LinkedIn never clarified how many users were affected by that breach... The paid hacked data search engine LeakedSource also claims to have obtained the data. Both Peace and one of the people behind LeakedSource said that there are 167 million accounts in the hacked database. Of those, around 117 million have both emails and encrypted passwords."

So, the breach included 167 million records affecting as many persons, not 6.5 million. And, 117 million people are at risk now. To make matters worse, hackers have already cracked most of the password hashes, because of the weak method LinkedIn.com used to protect users' passwords:

"The passwords were originally encrypted or hashed with the SHA1 algorithm, with no “salt,” which is a series of random digits attached to the end of hashes to make them harder to be cracked. One of the operators of LeakedSource told Motherboard in an online chat that so far they have cracked “90% of the passwords in 72 hours..."

And, the incident cast doubt on both LinkedIn.com's breach detection methods and the response by the company's executives:

"... LinkedIn spokesperson Hani Durzy told Motherboard that the company’s security team was looking into the incident, but that at the time they couldn’t confirm whether the data was legitimate. Durzy, however, also admitted that the 6.5 million hashes that were posted online in 2012 were not necessarily all of the passwords stolen. “We don’t know how much was taken,” Durzy told me in a phone call. The lesson: For LinkedIn, the lesson is the same as four years ago: don’t store passwords in an insecure way..."

LinkedIn released a statement yesterday. Relevant portions:

"Yesterday, we became aware of an additional set of data that had just been released that claims to be email and hashed password combinations of more than 100 million LinkedIn members from that same theft in 2012. We are taking immediate steps to invalidate the passwords of the accounts impacted, and we will contact those members to reset their passwords. We have no indication that this is as a result of a new security breach... For several years, we have hashed and salted every password in our database, and we have offered protection tools such as email challenges and dual factor authentication. We encourage our members to visit our safety center to learn about enabling two-step verification, and to use strong passwords... We're moving swiftly to address the release of additional data from a 2012 breach, specifically: We have begun to invalidate passwords for all accounts created prior to the 2012 breach that haven’t updated their password since that breach. We will let individual members know if they need to reset their password. However, regularly changing your password is always a good idea..."

Many people use the LinkedIn.com social site to network with professionals in their field and to find jobs. If you use the site, experts advise changing your password immediately and not reusing the same password at multiple websites.
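The LinkedIn post above turns on one technical detail: the 2012 hashes were unsalted SHA-1, and LinkedIn now says it hashes and salts every password. The following is an added example, written for this post and not code from LinkedIn or from the articles quoted, that shows in a few lines why the difference matters. It uses constructed sample accounts and a tiny constructed wordlist (the real dictionaries crackers use are enormous), and shows that with unsalted SHA-1 two users who picked the same password get the same digest, so one precomputed table answers for every user at once, while a per-user random salt plus a slow key-derivation function (PBKDF2-HMAC-SHA256 here, a standard choice, not necessarily what LinkedIn uses) makes every stored value unique and slow to test.

```python
import hashlib
import hmac
import os

# Constructed sample credentials; nothing here is real LinkedIn data.
USERS = {
    "alice@example.com": "linkedin123",
    "bob@example.com": "linkedin123",   # same password as alice
    "carol@example.com": "correct horse battery staple",
}

# A tiny constructed wordlist standing in for the large dictionaries attackers use.
WORDLIST = ["password", "123456", "linkedin", "linkedin123", "qwerty"]


def unsalted_sha1(password: str) -> str:
    """The 2012-era scheme the post describes: SHA-1 of the bare password, no salt."""
    return hashlib.sha1(password.encode()).hexdigest()


def precomputation_weakness(hashes: dict, wordlist) -> dict:
    """Why unsalted hashes are weak: SHA-1(word) is computed once per word,
    and that single table matches every user who chose that word."""
    table = {unsalted_sha1(w): w for w in wordlist}
    return {user: table[h] for user, h in hashes.items() if h in table}


def salted_hash(password: str, salt=None, iterations: int = 200_000) -> str:
    """Per-user random salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256).
    Stored as 'iterations$salt_hex$digest_hex' so the parameters travel with the record."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${digest.hex()}"


def verify_salted(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    """Run both schemes over the sample accounts and report what each exposes."""
    weak = {u: unsalted_sha1(p) for u, p in USERS.items()}
    strong = {u: salted_hash(p) for u, p in USERS.items()}
    return {
        "same_password_same_unsalted_hash": weak["alice@example.com"] == weak["bob@example.com"],
        "recovered_from_wordlist": precomputation_weakness(weak, WORDLIST),
        "same_password_same_salted_hash": strong["alice@example.com"] == strong["bob@example.com"],
        "salted_verifies": all(verify_salted(p, strong[u]) for u, p in USERS.items()),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Run as a script, the unsalted scheme reports alice and bob sharing one digest and both passwords matched straight from the wordlist; the salted scheme reports different stored values for the same password and successful verification for all three users. The iteration count is the knob that makes each guess expensive; raise it as hardware gets faster.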


Tax Related Identity Theft And Fraud: Next Steps For Victims

This morning, a friend sent the following via e-mail:

"Just learned today that I was a victim of identity theft. My accountant tried to electronically file my income tax but it was rejected. The IRS told him I already filed. Since the early return is obviously fraudulent I was told I could not electronically file but had to file with paper. Spent the last couple hours notifying credit bureaus and the Federal Trade Commission. It doesn't appear they have applied for any new credit card yet. I wonder whether they got a refund in my name. I also have been involved in a couple big data breaches where the company who lost my data has provided free credit monitoring services. None of the services have detected fraudulent activities. It must've been through one of these that someone got hold of my Social Security number. So far so good, but this is an extra headache I didn't need."

It was sad to read this e-mail message. Identity theft is always a major pain and inconvenience. I experienced this in 2007 after IBM, Inc. had its massive data breach. There's a lot to consider and to do. Most consumers have no idea what to do next. That’s why I started blogging about identity theft, data breaches, and corporate responsibility. The blog has been a good tool for me to catalog what I've learned about what to do next.

Since my friend's sensitive information (e.g., name, address, phone, Social Security number, and maybe more) is out in the wild, thieves will sell and resell it as long as they think the information is usable. The criminals now know enough about my friend that they will try to commit more fraud -- often by impersonating my friend to gain access to their financial accounts. Thieves may call the customer service departments at banks pretending to be my friend. While writing this blog the last 8+ years, I've learned that identity thieves are smart, persistent, and go where the money is.

I suggested that my friend do the following to protect themselves:

  1. It seemed like my friend is already following the advice by the Internal Revenue Service (IRS) for victims of tax-related identity theft and fraud. That’s a good start. Another good place to start is the Identity Theft site by the U.S. Federal Trade Commission (FTC). Follow the next steps recommended by the FTC.
  2. File a police report with the local police department. They’ll probably do nothing, but this will help my friend create a paper trail. Certain documents will be needed when filing claims with insurance companies.
  3. While my friend has already contacted the three major credit reporting agencies (TransUnion, Experian, and Equifax), don't stop with a Fraud Alert. That’s weak tea. Do a Security Freeze instead. That will prevent fraudsters from taking out new loans or getting credit in my friend's name. This will cost up to $10 for each.
  4. Call financial institutions and advise them of your identity theft. Follow any processes the banks have. Get new debit/credit card numbers if your card information (card name, account number, security code, etc.) was exposed in #6.
  5. Change online passwords for all financial accounts (e.g., checking, savings, mortgages, insurance, credit cards, 401-K, IRA’s, etc.). Notify them that your data has been stolen and used. Follow any procedures the banks have for reporting fraud. Don’t use the same password at multiple sites. Why? Thieves will use a stolen password at several websites, to see where else they can break in.
  6. Since one or more companies had data breaches that exposed my friend's sensitive information, my friend should notify each company that thieves have used their sensitive information for tax-related fraud. These companies will probably deny that their breach was the cause, but my friend is informing them of the consequences. If the breach was bad, there may be an upcoming class action, so I encouraged my friend to consider and join any class-action lawsuits. The financial rewards may be beneficial.
  7. Thieves will continue to use my friend's stolen information as long as they think it is useful. So, my friend will need to be vigilant. That means continuing to periodically monitor bank account statements and credit reports for fraudulent entries (especially if my friend uses only the Fraud Alert option). This sucks, but that is the reality in the digital information economy. When companies have data breaches, we consumers are usually left with the cleanup burden.
  8. If the companies in #6 offer free credit monitoring services, accept the offer and use it. Those monitoring services can help with #7. Plus, these monitoring services usually offer fraud resolution services: the detailed, time-consuming, and complicated process of cleaning up accounts and records muddled by thieves. If the corporate data breaches in #6 included my friend's spouse and/or dependents, be sure that any credit monitoring services cover these persons.
  9. Keep a solid paper trail. My friend will likely need some of this documentation later.
  10. Stay in touch with both the IRS and the Department of Revenue in the state where you live. The thieves may file fraudulent state tax returns, too. Both the federal and my friend's state tax agencies have fraud procedures. Respond to any notifications you receive from both; preferably in writing.
  11. If any of the companies in #6 was a health care provider and the breach included medical records, then my friend is at risk for both financial fraud and medical fraud. More steps apply for medical fraud and the resolution process is even more complicated. For example, the thief's blood type and other health data could be co-mingled with the victim's, introducing errors and other risks.
  12. Some criminals use stolen identity information to get bogus driver’s licenses. If my friend gets stopped by the police while driving, don’t panic. Explain the identity theft to law enforcement and show the police report from #2. My friend may have to get fingerprinted, since that is a good method to distinguish the fraudster from my friend.
  13. Some criminals sell stolen information to undocumented people to gain employment. So, my friend's stolen Social Security Number may be used by another person. When several persons use the same Social Security number for employment, there are plenty of consequences. (There's the infamous case of 81 persons using the same SSN.) The Identity Theft Resource Center recommends solutions for SSN fraud victims. See the Social Security Administration's process for reporting fraud. Check the contractual agreement for a credit monitoring service to see if its resolution services cover this.
  14. Keep the anti-virus software updated on all devices (e.g., desktop, laptop, phone, tablet) and run scans at least once monthly.

That was my advice to my friend. What might you advise?


Learn How To Spot These 5 Energy Scams So You Don't Get Duped

Maybe it was a visit by a door-to-door salesperson. Maybe it was a phone call, or a text or e-mail message. There are five energy scams you should be aware of, so you don't get duped and lose your hard-earned money. Eversource, the largest energy delivery service in New England, alerted its customers about common scams:

  1. Shut-off Threats: callers claim to represent the Billing or Disconnect Department, and state that your power will be shut off if you don't make a payment immediately.
  2. Pay immediately: callers instruct you to make a payment immediately to a third-party location, such as a grocery store, or to a "Green Dot" VISA card. Then, the scammer directs victims to call another phone number to report the card payment information, so the scammers can drain the card account online.
  3. Faulty meters: callers claim your electric (or gas) meter is broken and is overcharging you. Then, the scammer directs victims to buy a $200.00 prepaid card. The scammer calls again claiming the first payment hasn't posted, and the consumer should buy a $300.00 prepaid card. Of course, the scammer lies about the meter being fixed soon.
  4. Unsolicited technician: a door-to-door person, with a hard-to-read badge, claims he is there to check your usage since your neighbors have complained about high monthly bills.
  5. Unsolicited salesperson: a door-to-door person claims there is a problem with your utilities, and you failed to respond to urgent notices. The scammer insists that you could get a rebate or savings, but needs to see a copy of your energy bill.

These are all scams because:

"Eversource would never ask you to purchase prepaid cards or make an immediate payment at a third-party location, like a grocery store. We have a very secure, protected billing system, and you have multiple, convenient options to pay your bills, including direct debit, check, credit card and cash. Customers who are scheduled for disconnection due to nonpayment receive written notice that includes the actions they can take to maintain service... All [Eversource] employees carry company-issued identification, and any electrical contractors working with us carry documentation explaining the nature and location of their work. Customers can always call us to verify this information. Eversource would never solicit door-to-door or over the phone on behalf of a specific competitive/alternate energy supplier."

The information on your monthly energy bill is sensitive information. Protect it. Eversource advises:

"Never provide personal financial or utility account information to any unsolicited individual, in person, on the phone, or online, even if the individual seems legitimate."

And Eversource advises its consumers to:

"Always verify whether these contacts are legitimate by asking for some basic information about your account. Our representatives will always be able to provide the name on the account, the account address, and the exact past due balance. If the caller cannot provide that information, the call is not from us."

If you use a different energy provider, check its website for scam warnings. For example, earlier this month PG&E warned its customers in California about similar scams.

I've received some of these robocalls from scammers. Long ago, I registered both my landline and mobile phone numbers in the National Do Not Call Registry. When I receive unwanted and un-requested robocalls, I hang up the call immediately and submit a complaint to the U.S. Federal Trade Commission (FTC). You should, too.


FCC Seeks $29.6 Million Fine Against Phone Carriers For Alleged Cramming And Slamming

The U.S. Federal Communications Commission (FCC) seeks $29.6 million in fines against three phone providers for allegedly switching (a/k/a "slamming") consumers' long distance service without their consent, applying (a/k/a "cramming") unauthorized charges on their monthly bills, and obstructing the FCC investigation. The FCC press release stated:

"... the Commission asserts that OneLink Communications, Inc., TeleDias Communications, Inc., TeleUno, Inc., and Cytel, Inc., “slammed” consumers by switching their long distance carriers without authorization and “crammed” unauthorized charges onto consumers’ bills. In addition, it is alleged the companies, which operate as a single enterprise, fabricated audio recordings that they then submitted to the FCC as “proof” the consumers authorized these changes and charges... The FCC found that the companies’ apparent unauthorized charges and deceptive marketing calls constituted “unjust and unreasonable” practices under the Communications Act. The FCC also determined that the companies apparently violated federal law by submitting fake consumer authorizations and providing false and misleading information to the FCC during its investigation..."

The FCC action included a Notice of Apparent Liability for Forfeiture. More than 140 consumers filed complaints with the FCC. There was an FCC order in August 2009 against TeleDias Communications for slamming. The OneLink website lists an office in Tamarac, Florida. The Cytel, Inc. website lists an office in Pompano Beach, Florida. A check of both the Cytel and OneLink sites found no lists of their executives or corporate officers.

How the companies allegedly performed deceptive marketing:

"Some consumers alleged that the companies’ telemarketers pretended to be from the post office calling about a nonexistent package delivery to obtain information to create fake consumer authorization recordings. In other cases, it appears the companies impersonated individuals in the authorization recordings. The companies then allegedly provided the fake authorizations to the FCC in response to its investigation into the consumer complaints. Even after consumers repeatedly contacted the companies about the alleged unauthorized charges and carrier switches, the companies purportedly refused to provide refunds until consumers filed complaints with the FCC, Better Business Bureau, or state regulators."

Kudos to the FCC for investigating the complaints. Kudos to consumers for filing complaints with the FCC, BBB, and state regulators when a company fails to do the right thing.


New Federal Agency For Stronger Protections Of Background Investigations

Fallout continues from the massive data breach at the Office of Personnel Management (OPM) in 2015. The U.S. Federal government announced a reorganization to provide stronger protections of sensitive information collected during background investigations for federal employees and contractors. The reorganization features several changes including a new agency, the National Background Investigations Bureau (NBIB). The WhiteHouse.gov site announced:

"... the establishment of the National Background Investigations Bureau (NBIB), which will absorb the U.S. Office of Personnel Management’s (OPM) existing Federal Investigative Services (FIS), and be headquartered in Washington, D.C.  This new government-wide service provider for background investigations will be housed within the OPM. Its mission will be to provide effective, efficient, and secure background investigations for the Federal Government. Unlike the previous structure, the Department of Defense will assume the responsibility for the design, development, security, and operation of the background investigations IT systems for the NBIB."

After the massive data breach at OPM, several federal agencies conducted a joint 90-Day Suitability and Security review. The agencies involved included the Performance Accountability Council (PAC), the Office of Management and Budget (OMB), the Director of National Intelligence (DNI), the Director of the U.S. OPM, the Departments of Defense (DOD), the Treasury, Homeland Security, State, Justice, Energy, the Federal Bureau of Investigation, and others.

According to its Fact Sheet, the OPM’s Federal Investigative Services (FIS) unit currently conducts investigations for more than 100 Federal agencies. The FIS conducts more than 600,000 security clearance investigations and 400,000 suitability investigations annually. An NBIB Transition Team will oversee the migration to the new information technology systems and procedures. Transition project goals include:

  1. Establish a five-year re-investigation requirement for all personnel with security clearances, regardless of the level of access,
  2. Reduce the number of personnel with active security clearances by 17 percent
  3. Introduce programs to continuously evaluate personnel with security clearances to determine whether ongoing security clearances are necessary, and
  4. Develop recommendations to enhance information sharing between State, local, and Federal Law Enforcement agencies regarding background investigations.

The changes were announced jointly on January 22, 2016 by James R. Clapper (the Director of National Intelligence), Beth Cobert (Acting Director of the OPM), Marcel Lettre (Under Secretary of Defense for Intelligence, Department of Defense), Tony Scott (U.S. Chief Information Officer), and J. Michael Daniel (Special Assistant to the President and Cybersecurity Coordinator, National Security Council, The White House).


Smart Devices Create Challenges And Privacy Threats For Consumers

There are plenty of smart devices you can buy online or in retail stores for your smart home: smart televisions, home audio speakers, fitness bands, smart watches, light switches, talking dolls and toys, smart home thermometers, cars with GPS and sensors, drones, and much more. And, your utility company probably uses smart meters to transmit your usage wirelessly, instead of paying technicians to visit your home.

Many or most of these devices have hands-free voice controls. That feature provides a huge convenience, but along with it comes the privacy threat that it can (or does) record everything you say... whether you intend it for the device or not.

The Times Union highlighted several problems smart devices create for consumers. The first is the hope that the device manufacturer adequately protects your information from data breaches and thieves:

"You may never know for sure. At best, you can hope the company keeps its promises on privacy. More important, you have to trust that its computer systems are really secure, or those promises are suddenly worthless. That part is increasingly difficult to guarantee — or believe — as hacking becomes routine."

At least one fitness maker already had a substantial data breach. People want to try the new devices to see if and how they might benefit. There's nothing wrong with that. The second problem:

"Every technological benefit comes with a cost in the form of a threat to privacy. Yet not paying that price has its own cost: an inability to participate in some of technology's greater achievements."

There has to be a better way. Consumers should not have to choose between giving up privacy in order to use smart devices and living under a rock without smart devices to maintain privacy. What are your opinions?


Data Breach: Unprotected Online Database Exposed The Sensitive Information Of About 3.3 Million Hello Kitty Users

A security researcher found online a database containing the sensitive information of customers of the Hello Kitty gaming site. Just before the Christmas holiday, C|Net reported:

"Personal information for fans who connect through SanrioTown.com has been sitting openly viewable on the Internet and easily accessible with the click of a mouse, no hack required... SanrioTown.com, designed for fans of Sanrio characters like Hello Kitty, hosts all the accounts for players of a popular game called Hello Kitty Online."

C|Net also reported that the security researcher:

"... showed CNET a sample of the records he saw, which includes a list of usernames, scrambled up passwords, first and last names, genders, birth dates and answers to security questions like "What is your favorite food." In the random sample of 15 records, two appeared to be of minors. Sanrio declined to verify whether the data listed in the sample was from its database. Vickery found the database, he said, while looking for unprotected information on the Internet by searching a website that can find data stored in the cloud."

Reportedly, the database sat open and exposed for about a month. This breach was found by the same security researcher who found, earlier in December, a flaw in the MacKeeper security software that exposed the sensitive information of 13 million Apple users. SanrioTown is still investigating its breach, and its users must change both their passwords and security questions.

The Washington Times reported:

"Sanrio Digital, a subsidiary of the Japanese owner of “Hello Kitty,” a popular children’s brand, told Reuters on Tuesday that it patched a security glitch that had affected one of its databases after being tipped off by Chris Vickery, a U.S.-based researcher who helps identify and fix vulnerable computer systems... Sanrio has insisted that evidence has so far failed to suggest that anyone other than Mr. Vickery had accessed the database with authorization..."

Reportedly, the breach exposed the following data elements: full names, birthdays, genders, email addresses and related information about 3.3 million account holders. That included information about 186,261 persons under the age of 18. Payment information (e.g., credit cards) was not exposed, according to the SanrioTown security statement.

Two items about this breach need to be highlighted:

  1. The operative phrase in the company's statement is, "that evidence so far..." More evidence may surface later; and
  2. The company did not discover its own database sitting open, unprotected in the wild. An external security researcher found it. That fact does not bode well for the company's security team and data security processes.

What are your opinions of this data breach?


Survey: 40 Percent Of Companies Expect Data Breaches Caused By Employees

eSecurity Planet reported the results of a recent survey of information technology managers and employees. The survey included workers in the United States, United Kingdom, Germany, and Australia. The key findings:

"... 40 percent of companies expect to experience a data breach resulting from employee behavior in the next 12 months... 75 percent of employees believe their company doesn't give them enough information about data policies... 58 percent don't understand what would actually constitute a security breach... 50 percent of respondents admitted that they disregard their companies' data protection policies in order to get their jobs done."

The phrase "insider data breach" refers to data breaches caused by employees. Companies seem focused on external threats from hackers, while paying far less attention to insider threats. Lax or untrained employees and poor internal processes are often the root causes.

These survey results are not good. The results indicate that companies are not doing everything they can (and should) to protect the sensitive customer, client, employee, and retiree information they have collected.


Learning Apps Company Confirms Data Breach Affecting 11.6 Million Persons

Earlier today, educational toy maker VTech confirmed a data breach affecting 11.6 million persons. On November 27, Motherboard first reported the breach as affecting 5 million parents and 200,000 children. The data breach is larger than first reported by many news organizations.

In its FAQ page, VTech confirmed that on November 14 hackers accessed its customer database:

"... on our Learning Lodge app store customer database and Kid Connect servers. Learning Lodge allows our customers to download apps, learning games, e-books and other educational content to their VTech products.  Kid Connect allows parents using a smartphone app to chat with their kids using a VTech tablet."

The company learned of the data breach on November 24 when a journalist inquired. During its breach investigation, VTech has temporarily suspended operations at Learning Lodge, the Kid Connect network, and a dozen websites including both the PlanetVtech and VSmileLink sites in the US, France, Germany, United Kingdom, and Spain. VTech has customers in the USA, Canada, United Kingdom, Ireland, France, Germany, Spain, Belgium, the Netherlands, Denmark, Luxembourg, Latin America, Hong Kong, China, Australia and New Zealand.

The number of persons affected by the breach:

"In total 4,854,209 customer (parent) accounts and 6,368,509 related kid profiles worldwide are affected, which includes approximately 1.2 million Kid Connect parent accounts.  In addition, there are 235,708 parent and 227,705 kids accounts in PlanetVTech. Kid profiles unlike account profiles only include name, gender and birthdate."

The VTech FAQ page also listed the number of breach victims by country. Parent accounts include the following data elements: name, e-mail address, security question and answer for password retrieval, IP address, mailing address, download history, and encrypted password. VTech's customer database does not contain credit card payment information, nor Social Security and similar identification information.

VTech describes itself as a global leader in electronic learning products for children and the world's largest manufacturer of cordless phones. Founded in 1976, VTech is headquartered in Hong Kong and has operations in 11 countries including manufacturing facilities in China. It employs about 30,000 employees, with 1,500 research and development professionals in Canada, Germany, Hong Kong, and China.

Even though customers' passwords were encrypted, VTech advised breach victims to change their passwords anyway, as skilled hackers may break the encryption. This is critical if breach victims used the same passwords, security questions, and security answers at other online sites.

This is not good. Whatever security detection software VTech used needs to be upgraded or replaced. A company should not learn about a breach from a journalist. The data elements stolen are sufficient for criminals to impersonate data breach victims, attempt to break into victims' other online accounts (e.g., banking), and send spam e-mail messages.

Do you or your children use VTech apps, games, or e-books? If so, what breach notifications have you received?


Safe Shopping Tips For the Holidays

The holiday shopping season is here. Experts estimate that consumers will spend about $83 billion. Everyone wants to shop safely and avoid both identity theft and fraud. The California Attorney General's office issued several safe-shopping tips for consumers that are applicable everywhere and not only in California. Some of the items were already covered in this blog, so I added links.

Online

  • Shop at secure websites. Look for https in the website address, or for the lock icon in the browser's address bar.
  • Don't shop online at public WiFi hotspots, such as coffee shops. This can put at risk your payment information (e.g., bank account, credit/debit card numbers, etc.). If you must use a public WiFi hotspot, use encryption software on your mobile device.
  • Do not send personal and payment information in e-mail messages. Legitimate companies won't ask you to do this, since it is an insecure way of transmitting information. Learn to spot package delivery scams.
  • Use reputable websites when booking travel or lodging for trips. However, scammers also insert listings on vacation websites. If the price is too good to be true, it usually is. Learn to spot vacation payment scams.
  • Identity thieves and fraudsters use mobile apps. Before purchasing an app, find and read independent reviews. Also, read the terms of use and privacy policy for the app desired. Download and buy apps only at reputable websites. Use these tips to protect your phone from online crime.
  • If you receive text messages on your phone claiming you have won a prize or gift card, do not click on the link in the message. It probably is a scam and may install a virus on your phone. E-mail scams are common. Learn to spot phishing e-mails. Be wary of e-mails from persons claiming to be a shipping company. These e-mail message often contain attached files that contain computer viruses. Do not open attached files from strangers.
  • Consider using a two-step process to protect your email account and sensitive personal information. For example, after inputting your password, you will then receive a text on your phone, that provides a one-time-use code to sign into your e-mail account. Your e-mail provider has instructions about how to set this up.

In Stores

  • Thieves copy the numbers from gift cards sitting on the display rack (with handheld scanners, or by cloning them onto counterfeit cards) and drain the balance as soon as a buyer activates the card. Only buy gift cards that are kept behind the store's customer service counter or activated upon checkout. Before buying the card, ask for it to be scanned to show that it carries its full value.
  • Learn to spot and avoid prepaid gift card app fraud.
  • Package theft is happening more frequently. If you do not have a secure area for delivery companies to leave packages, consider requiring a signature for packages, or have your packages held for pickup at a nearby shipping center.

General

  • Review your bank and credit card statements frequently for fraudulent transactions. Contact your bank or card issuers immediately if you see unusual or suspicious transactions.
  • If you receive a phone call from somebody claiming to be your bank or credit card company, who asks you to verify your account information, don't. Instead, ask them for their phone number so you can call them back. Then, call the phone number listed on the back of your credit card.
  • Learn to spot and avoid prepaid card phone scams.
  • Parents and grandparents should be wary of phone calls, e-mails, and social networking posts by scam artists pretending to be a child, friend, or relative stuck in an emergency abroad and needing cash immediately. Scammers try to get the victim to wire cash or disclose sensitive personal and financial information. Don't do this. Before taking any action, verify the health or status of the child, friend, or relative abroad.
  • Use these ten tips for safe vacation travel.

Happy holidays!


How The Teenager Hacked The CIA Director's Email Account

You've probably heard about it, or read some of the initial news reports. The New York Post broke the story about a teenager hacking into the e-mail account of John Brennan, Director of the Central Intelligence Agency (CIA). The methods the hacker used are a good example of pretexting: a criminal pretends to be somebody they aren't (here, a carrier technician and later the account holder himself) in order to obtain sensitive information about the target(s).

Wired provided a detailed report about the incident, which I've distilled into seven steps:

  1. The hacker did a reverse number lookup of Brennan's mobile phone number. Several websites provide this feature. From that, the hacker learned that Verizon was Brennan's provider of phone services.
  2. Pretending to be a Verizon technician, the teenage hacker and his accomplices called Verizon asking for details about Brennan's account. The Verizon phone rep asked for their Vcode, a unique number assigned to each Verizon technician. The hacker provided a fake Vcode, which somehow passed Verizon's security. From that, the hacker learned Brennan's account number, four-digit PIN, the backup mobile number on Brennan's account, Brennan's AOL e-mail address, and the last four digits of Brennan's bank card.
  3. The hacker accessed Brennan's AOL e-mail account on October 12, and read several e-mail messages including messages forwarded from his work e-mail account. From that, the hacker learned Brennan's secure White House e-mail address, his security clearance application, topics discussed by Brennan and other intelligence officials, and work-related documents attached to several e-mail messages. One attachment included a spreadsheet with names and Social Security numbers of several persons, including intelligence officials.
  4. The hackers posted photos of several documents online via a Twitter account they had set up. The hackers accessed Brennan's account for at least three days.
  5. On October 16, the hacker posted via Twitter that Brennan had deleted his AOL e-mail account supposedly because the hackers had accessed it.
  6. Brennan reset the password on his AOL account, which the hackers accessed again. This suggests that they called AOL customer service pretending to be Brennan and reset the password on his account so they could access it. Reportedly, the dueling password resets happened three times.
  7. The hackers called Brennan's mobile phone number and told him his account had been hacked. After asking them what they wanted, the hackers reportedly answered, "We just want Palestine to be free and for you to stop killing innocent people."

What should consumers make of this incident? First, the incident provides a window into the hassles and inconveniences when your e-mail account is hacked and taken over by a criminal. The hackers could have sent spam messages from Brennan's account to his friends, family, and coworkers. Second, the incident highlights the necessity of not using the same password on multiple accounts. When consumers reuse passwords, a single stolen password unlocks several of their online and financial accounts: hackers try the stolen password at other sites to see where else it works.
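
As an added example, not from the original post: the defender's view of that password-reuse attack. The detector below runs over a few constructed login-log lines (the log format is assumed for this example) and looks for the signature of credential stuffing, which is one source address failing against many different accounts in a short window and then succeeding on one of them.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (format assumed for this example):
# <ISO-8601 timestamp> <source IP> <account> <OK|FAIL>
SAMPLE_LOG = """\
2015-10-20T09:00:01 198.51.100.4 alice FAIL
2015-10-20T09:00:05 198.51.100.4 alice FAIL
2015-10-20T09:00:09 198.51.100.4 alice OK
2015-10-20T09:01:00 203.0.113.7 alice FAIL
2015-10-20T09:01:01 203.0.113.7 bob FAIL
2015-10-20T09:01:02 203.0.113.7 carol FAIL
2015-10-20T09:01:02 203.0.113.7 dave FAIL
2015-10-20T09:01:03 203.0.113.7 erin FAIL
2015-10-20T09:01:04 203.0.113.7 frank OK
2015-10-20T09:01:05 203.0.113.7 grace FAIL
""".splitlines()


def parse(line: str):
    ts, ip, account, result = line.split()
    return datetime.fromisoformat(ts), ip, account, result == "OK"


def detect_stuffing(lines, window=timedelta(minutes=10), min_accounts=5):
    """Return {ip: {...}} for sources that failed against at least `min_accounts`
    distinct accounts inside `window`, plus the accounts they then got into."""
    by_ip = defaultdict(list)
    for ts, ip, account, ok in sorted(parse(line) for line in lines):
        by_ip[ip].append((ts, account, ok))

    findings = {}
    for ip, events in by_ip.items():
        fails = [(ts, a) for ts, a, ok in events if not ok]
        for start_ts, _ in fails:                              # slide the window
            tried = {a for ts, a in fails if start_ts <= ts <= start_ts + window}
            if len(tried) >= min_accounts:
                entered = sorted({a for ts, a, ok in events if ok and ts >= start_ts})
                findings[ip] = {"accounts_tried": len(tried), "accounts_entered": entered}
                break
    return findings


if __name__ == "__main__":
    for ip, f in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: tried {f['accounts_tried']} accounts, entered {f['accounts_entered']}")
```

A user who mistypes their own password three times (198.51.100.4 above) is not flagged, because the count is of distinct accounts, not of failures. Accounts in `accounts_entered` should get a forced password reset and a second factor. A per-IP threshold like this misses an attacker who spreads the attempts across many addresses, so production detection also watches each account for logins from many unrelated sources.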

Third, the incident is a reminder for consumers never to disclose sensitive personal and financial information over the phone. Why? Simply, the caller's identity is unknown and unverified. We consumers frequently receive calls from identity thieves posing as computer support vendors or cardholder services.

Fourth, Verizon should improve its security processes. A fake Vcode should not allow access to customers' sensitive information; a credential the representative has no way to verify is no credential at all. There should be consequences for Verizon for this breach. Fifth, the hackers' techniques provide a tiny view of the activities spies and counter-intelligence agencies perform, and why these entities want to hack into government agencies' systems, as in the Office of Personnel Management breach earlier this year.

Sixth, adding your mobile phone number to your social networking and e-mail accounts is not a data security cure-all. Smart hackers will target your mobile phone number itself so that they receive any notifications or one-time codes you've set up for changes to your account; step 2 above shows how little it took to get an account's details out of the carrier.

Seventh and perhaps most troubling, the Brennan and Clinton e-mail incidents suggest that many government officials highly value convenience (just as consumers do), forwarding work-related e-mails and documents from secure work systems to less secure commercial systems. You could argue that this desire for convenience is a security weakness. Eighth, you can bet that spies will try to take advantage of this weakness by replicating pretexting attacks on other high-value executive targets, in both the public and private sectors. If a teenager can do it, then so can an experienced spy.

What are your opinions of the hacking incident? Of Verizon's role?


Experian Data Breach Affects 15 Million T-Mobile Customers, And Highlights Privacy Concerns

Experian, one of the three major credit-reporting agencies in the United States, announced last week a data breach that affected at least 15 million T-Mobile customers. Unauthorized persons accessed an Experian server containing personal information about consumers who had applied for T-Mobile USA services between September 1, 2013 and September 16, 2015.

Experian discovered the breach on September 15, 2015. The information accessed and stolen included names, addresses, Social Security Numbers, birth dates, identification numbers (e.g., driver's license, military ID, passport number, etc.), and additional data related to T-Mobile's credit-check process. The credit reporting agency also said:

"Experian’s consumer credit database was not accessed in this incident, and no payment card or banking information was obtained."

Thank heavens for little favors. Thankfully, at least one Experian employee had the good sense to segregate its database of T-Mobile customers from its database of everyone else. Otherwise, the hackers would have accessed and stolen sensitive personal information for 250 million persons. And, the "no payment card or banking information was obtained," is like saying bank thieves stole everything but not the one-, five-, and ten-dollar bills. This is bad folks, and Experian should not issue statements in a failed attempt to perfume-a-pig. The pig still stinks.

Experian has notified and is working with both federal and international law enforcement agencies. The post-breach investigation is ongoing. The company is notifying affected persons and will offer two years of free credit monitoring and identity resolution services. Some security experts are skeptical, and questioned whether Experian deployed the data-breach-detection services of 41st Parameter, a wholly owned subsidiary.

John Legere, the T-Mobile Chief Executive, said in a statement:

"Obviously I am incredibly angry about this data breach and we will institute a thorough review of our relationship with Experian..."

Understandable and justified anger. No doubt, lawsuits will result.

This is not good. The data elements stolen are sufficient for criminals to apply for fraudulent loans, create fraudulent identification cards, and approach the family, friends, coworkers, and classmates of breach victims while impersonating them.

This is not the first data breach at Experian. In February 2014, hackers used a client's login credentials to access an undisclosed number of consumers' records. The data stolen included consumer credit reports, names, addresses, Social Security Numbers, birth dates, and additional information commonly found in credit reports. In May 2012, Experian announced a breach where hackers accessed an undisclosed number of consumers' records between October 19, 2011 and February 13, 2012. A breach in 2009 affected Maryland residents, and a lawsuit was filed in July 2015 against Experian for allegedly selling consumer information to a criminal posing as a data broker. That criminal allegedly resold data to other identity thieves.

Some critics demand stronger consequences. Fight for the Future's Jeff Lyon said:

"Experian CEO Brian Cassin has put the profits of his company above the well-being of his customers and our nation's cybersecurity. Why should Experian bother fixing their security when they can just lobby their way out of the messes they make?... This type of thinking is putting millions of people at risk. Cassin should resign..."

I agree. Cassin should resign. Lyon's comments allude to the Cybersecurity Information Sharing Act (CISA) of 2015, which is making its way through Congress. Privacy advocates argue that the bill fails to provide adequate data security protections and instead promotes sharing of consumers' information with the federal government to facilitate surveillance. Some argue that the bill will actually hurt privacy.

I agree. It's poor legislation. Now, back to Experian. The credit reporting agency's track record of breaches is troubling. Paying post-breach costs (e.g., free credit monitoring), again, is not enough of an incentive to change executives' behavior. Companies won't change until there are direct consequences for executives. Experian executives know better: the company is in the business of collecting, archiving, and protecting consumers' sensitive personal and financial information.

What are your opinions?


Luxury Trump Hotel In Las Vegas Begins Notification Of Consumers About Data Breach

The law firm representing the luxury Trump International Hotel and Tower property in Las Vegas announced a data breach affecting its client. To comply with breach notification laws in many states, corporations (or their agents) typically submit breach notices (e.g., sample or final) to the attorney general or applicable legal agency in each state where there are affected residents.

The breach notice at the California Attorney General website (Adobe PDF) read, in part:

"... we are providing notice of a security incident possibly affecting certain individuals who made payment card purchases at Trump International Hotel & Tower Las Vegas, located at 2000 Fashion Show Drive, Las Vegas, NV... Although an independent forensic investigation has not conclusively determined that any particular customer’s payment card information was taken from the Hotel’s payment card system or misused as a result of the incident, we are providing this notice out of an abundance of caution to inform potentially affected customers of the incident... it appears that there may have been unauthorized malware access to payment card information as it was inputted into the payment card systems... (including payment card account number, card expiration date, security code, and cardholder name) of individuals who used a payment card at the Hotel between May 19, 2014, and June 2, 2015, may have been affected..."

The wording suggests that malware on the hotel's payment systems captured card data at the moment it was entered or swiped. That is how point-of-sale malware typically works: the card number, expiration date and security code exist in the clear in the terminal's memory for a moment before they are encrypted for transmission to the processor, and that is where the malware reads them. The breach notice also mentioned that the hotel is working with law enforcement, banks, and an independent forensic investigation vendor. All pretty standard stuff. The notice did not disclose the total number of records or consumers affected.
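
As an added example, not from the breach notice or the original post: a simplified version of what the forensic investigator mentioned above would run against a memory dump from such a terminal. The scanner looks for magnetic-stripe track data and bare card numbers in a constructed byte buffer (the sample uses the well-known 4111..., 5555... and 3782... test card numbers, not real ones), applies the Luhn check to cut down false positives, and reports only masked numbers so the investigation itself doesn't spread cardholder data further.

```python
import re
from dataclasses import dataclass
from typing import List

# Track 1: %B<PAN>^<NAME>^<YYMM><service code>...   Track 2: <PAN>=<YYMM><service code>...
TRACK1_RE = re.compile(rb"%B([3-6][0-9]{12,18})\^([^^]{2,26})\^[0-9]{7}")
TRACK2_RE = re.compile(rb"(?<![0-9])([3-6][0-9]{12,18})=[0-9]{7}")
# A bare PAN: 13-19 digits, first digit 3-6 (Amex/Visa/Mastercard/Discover
# ranges), not embedded in a longer digit run such as a timestamp.
PAN_RE = re.compile(rb"(?<![0-9])([3-6][0-9]{12,18})(?![0-9])")


@dataclass
class Hit:
    offset: int   # position in the dump, for follow-up in a hex viewer
    kind: str     # "track1", "track2" or "pan"
    masked: str   # first 6 and last 4 digits only


def luhn_ok(digits: bytes) -> bool:
    """Luhn check digit test; every real card number passes, ~10% of noise does."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ch - 0x30
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: bytes) -> str:
    s = pan.decode("ascii")
    return s[:6] + "*" * (len(s) - 10) + s[-4:]


def scan(buf: bytes) -> List[Hit]:
    """Find track data first (strongest signal), then bare PANs; dedupe by offset."""
    hits, seen = [], set()
    for rx, kind in ((TRACK1_RE, "track1"), (TRACK2_RE, "track2"), (PAN_RE, "pan")):
        for m in rx.finditer(buf):
            pan = m.group(1)
            if m.start(1) in seen or not luhn_ok(pan):
                continue
            seen.add(m.start(1))
            hits.append(Hit(m.start(1), kind, mask(pan)))
    return sorted(hits, key=lambda h: h.offset)


# Constructed stand-in for a slice of terminal process memory (test card numbers).
SAMPLE = (
    b"\x00\x00POS_TXN id=20150602123457 status=OK\x00"
    b"%B5555555555554444^DOE/JOHN^25121010000000000000?\x00\x00"
    b"retry=4111111111111112 "                       # fails Luhn: ignored
    b"4111111111111111=25121010000000000000?\x00"
    b"amex:378282246310005;\x00\x00"
)


if __name__ == "__main__":
    for hit in scan(SAMPLE):
        print(f"offset {hit.offset:6d}  {hit.kind:6s}  {hit.masked}")
```

A hit is a lead, not proof: Luhn passes one in ten random digit strings, so each hit is confirmed against the merchant's known card ranges and transaction log. The reason the notice can say the data was taken "as it was inputted" is exactly this: in the clear, the data only ever exists in the terminal's memory.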

The breach notice includes instructions for affected customers to sign up for one year of free fraud resolution and identity protection services with Experian ProtectMyID. The offer is only for U.S. residents who used a payment card at the Hotel between May 19, 2014, and June 2, 2015. (Since the hotel's website includes content in several languages besides English, I guess that deep-pocketed customers from other countries are simply screwed.) That duration seems skimpy, since many other corporations have offered two years. The breach notice lists a hotel toll-free number for affected customers to get assistance and ask questions.

A check this morning of the hotel's home page did not find a link to a breach notice. Typically, a well-organized post-breach response also includes a website providing affected customers with more information (or dedicated pages at the main site).

So, there seem to be two massive failures in this data breach. The first was a failure to promptly detect the unauthorized access, which by the notice's own dates went on for more than a year. The second was a lengthy delay between the end of that window and the notification of affected consumers. And, since the investigation is still underway, things could be even worse.

Note: the Krebs On Security blog first broke news in July about data breaches at several hotels, including the Trump hotel in Las Vegas. One wonders why the hotel didn't announce the breach then.


Medical Informatics Engineering, Concentra, Employers, Data Sharing, And Privacy

After receiving the breach notice from Medical Informatics Engineering (MIE) via postal mail, my wife and I wondered how MIE acquired her information. MIE's breach notice mentioned Concentra, a healthcare company with which we have never done business. Today's blog post describes what we learned during our search for answers, and how consumers aren't in control of our sensitive personal information.

Background

The breach was massive. The Journal Gazette reported 3.1 million breach notices sent to affected consumers nationwide. The U.S. Department of Health & Human Services listed 3.9 million consumers affected. Readers of this blog have reported breach notices received via postal mail in Alabama, California, Colorado, Florida, Georgia, Idaho, Indiana, Kansas, Kentucky, Maryland, Massachusetts, New Hampshire, Tennessee, Texas, and the District of Columbia. Concentra was one of many health care providers involved.

During our search for answers, my wife contacted her employer and a local clinic. Neither does business with No More Clipboard (MIE's cloud-based service) or with Concentra. On her behalf I contacted Concentra's nearest office in Wilmington, Massachusetts. The office's administrative person searched for information about my wife in Concentra's database. No record. The administrator referred me to a regional human resources representative, who confirmed the breach and suggested that Concentra may have obtained my wife's information through data-sharing during a sales pitch to employers. We continued to look for firmer answers.

The HR representative referred me to Edwin Bodensiek, the Vice President of Public Relations at Select Medical, the corporation that acquired Concentra in May 2015. Select Medical's First Quarter 2015 10-Q Filing (Adobe PDF) explained:

"[Select Medical Holdings] announced on March 23, 2015 that MJ Acquisition Corporation, a joint venture that the Company has created with Welsh, Carson, Anderson & Stowe XII, L.P. (“WCAS”), has entered into a stock purchase agreement, dated as of March 22, 2015 (the “Purchase Agreement”), as buyer with Concentra Inc. (“Concentra”) and Humana Inc. (“Humana”) to acquire all of the issued and outstanding equity securities of Concentra from Humana. Concentra, a subsidiary of Humana, is a national health care company that delivers a wide range of medical services to employers and patients, including urgent care, occupational medicine, physical therapy, primary care, and wellness programs... For all of the outstanding stock of Concentra, MJ Acquisition Corporation has agreed to pay a purchase price of $1.055 billion..."

Humana had acquired Concentra in 2010. Now, Concentra is part of Select Medical. I contacted Mr. Bodensiek asking when, why, and how Concentra obtained my wife's sensitive personal information. My wife and I weren't sure we'd get any answers, or if so, how long it would take.

What We Learned

After about a month, Mr. Bodensiek called with some answers. My wife had taken a temporary part-time job in February 2014, and that second employer used the Humana Wellness (i.e., Concentra) health care services. Mr. Bodensiek explained that the second employer sent an "eligibility file" to Concentra with data about the employees who were eligible for the employer-sponsored health care plan. That's when my wife's name, address, phone, and Social Security Number were transmitted to Concentra, and then to MIE, the electronic medical records vendor for Humana Wellness. Mr. Bodensiek described this as standard business practice.

My wife and I have health care coverage elsewhere, so she never intended to, and did not, register for health care through this second employer. My wife's situation is not unique, since five percent of the U.S. workforce works two or more jobs. (Vermont, South Dakota, Nebraska, Kansas, and Maine lead the nation in people working two or more jobs.) It's great that this second employer offered health care to its employees, but not so great that employees' sensitive information was shared regardless of whether or not the employees expressed an interest in coverage.

I'd like to publicly thank Mr. Bodensiek for his hard work and diligence. He didn't have to help, but he did. It gave us a good first impression of Select Medical. Hopefully, other breach victims have had success getting answers.

Implications And Consequences

Our experience highlights a business practice consumers should know: your employer may share your information with their health care provider whether you subscribe or not, and maybe without your knowledge. Maybe this sharing was for employees' convenience (e.g., faster, easier sign-up for health care), or for the employer's convenience (e.g., minimize processing effort and expense) by sending one, massive eligibility file. Regardless, the business practice has implications and consequences.

First, when an employer's administrative process sends to their health care vendor data about all employees (without an opt-out mechanism), then more data is shared than otherwise, and the process is arguably less private. Why? The health care provider receives and archives information about both subscribers and non-subscribers; patients and non-patients. A process based upon opt-in would be better and more private, since the data shared includes employees who want to sign up for their employer's health care plan. Simply, fewer employee records with sensitive data (e.g., name, address, phone, Social Security Number) are shared, and less data for the health care provider to archive and protect (and further share with a cloud vendor).

Regarding the MIE breach, eligibility-file-sourced data about my wife was archived by MIE. That means MIE archived eligibility-file data about many other employees. So, MIE's database includes data about health-care subscribers and non-subscribers; patients and non-patients. When data breaches happen, the stolen archived data about non-subscribers opens those non-subscribers to identity theft and fraud risks. How long will this data about non-subscribers be archived? When will data about non-subscribers be deleted? Select Medical didn't say. I can only assume the archiving will continue as long as they decide, either solely or in combination with their employer clients.

Second, costs matter. The more data shared, the more records the health care provider and electronic records vendor must archive and protect. When data breaches happen, more data is lost and data breach costs (e.g., investigation, breach notification, identity protection services) are greater. A 2015 study by IBM found that the average total cost of a data breach was $3.8 million, up 23 percent from 2013. Given this high cost, you'd think that employers and health care providers would work together to minimize data sharing. Probably not as long as consumers bear the risks.

Third, if my wife had signed up for health care services with Concentra, then much more sensitive information would have been stolen in the MIE breach. One may argue who is to blame for the data security failure (e.g., breach), but at the end of the day: the employer hired Concentra, and Concentra hired MIE. There is enough blame to go around.

Fourth, the MIE breach highlights some of the places employees' sensitive information can be shared without their knowledge (or consent). If the MIE breach hadn't happened, would employees know their medical records were stored in the cloud? Would employees know about the eligibility-file sharing? One wonders. Employees deserve to know upfront.

Your sensitive personal information also moves when companies (e.g., health care providers, employers, cloud vendors) buy, sell, and merge with other companies. That includes your medical records. And since eligibility-file-sourced data is archived, you don't have to be a health care plan subscriber or patient for this to apply to you.

Fifth, for information to be private there must be control. The eligibility-file sharing suggests that employers have the control and not employees. Consumers like my wife have taken steps to protect themselves and their sensitive information by locking down their credit reports with Security Freezes. That data protection is largely undone by eligibility-file sharing with health care providers. Not good.

Consumers need a comparable mechanism to lock down their medical records and prevent eligibility-file sharing. Without such a mechanism, consumers have no control over either their medical or their personal information. Without control, consumers lack privacy. You lack privacy.

It will be interesting to watch how Select Medical manages its new acquisition. The Select Medical website lists these core values:

"We deliver superior quality in all that we do. At Select Medical, we set high standards of performance for ourselves and for others. We provide superior services to our patients. We continually strive to uphold and improve our reputation for excellence.

We treat others as they would like to be treated. At Select Medical, we treat each other with respect and promote a positive environment where people feel valued. We are honest and open in our relationships and straightforward in our communications.

We are results-oriented and achieve our objectives. At Select Medical, we are focused and decisive in achieving our objectives and helping others achieve theirs. We accept responsibility for our decisions and actions. We are accountable for using our time, talents and resources effectively."

My wife and I know how we want to be treated: with respect. We also know how we want our sensitive personal and health information treated:

  • Don't collect it unless we're patients,
  • Don't archive it unless we're patients,
  • Don't share it without notice and consent. Consent must be explicit, specific, for a stated duration, and for specific purposes,
  • Don't collect and archive it if you can't protect it,
  • Be transparent. Provide clear, honest answers about breach investigations and data-sharing practices,
  • Don't try to trick us with promises of convenience,
  • Hold your outsourcing vendors to the same standards,
  • Don't make consumers assume the risk. You benefited from data sharing, so you pay the costs, and
  • Two years of credit monitoring is insufficient since the risk is far longer.

What are your opinions? Does the data sharing by employers bother you?


OPM And DOD Hire ID Experts For Credit Monitoring And Post-Breach Services

Just before the long holiday weekend, the Office of Personnel Management (OPM) and the Department of Defense (DOD) announced a contract with Identity Theft Guard Solutions LLC (a/k/a ID Experts) to assist the 21.5 million persons affected by the massive breach first reported in June. The contract provides three years of free services for persons whose sensitive information, such as Social Security numbers, was stolen.

Breach victims will be notified during September. The contract includes coverage for breach victims and their dependent children under the age of 18. ID Experts will provide credit monitoring, identity monitoring, identity theft insurance, and identity restoration services. Beth Cobert, the Acting Director at OPM, said:

“We remain fully committed to assisting the victims of these serious cybercrimes and to taking every step possible to prevent the theft of sensitive data in the future... Millions of individuals, through no fault of their own, had their personal information stolen and we’re committed to standing by them, supporting them, and protecting them against further victimization. And as someone whose own information was stolen, I completely understand the concern and frustration people are feeling.”

To learn more, the OPM suggested that breach victims sign up for email alerts and visit https://www.opm.gov/cybersecurity. The OPM announcement included advice for all breach victims to protect themselves and their sensitive information, plus additional information for residents of California, Kentucky, Maryland, and North Carolina.

Read the OPM announcement about its contract with ID Experts.


Leaked Documents From The Ashley Madison Data Breach Highlight The Company's Technology Vendors

The fallout continues from the data breach at infidelity website Ashley Madison. Besides several class-action lawsuits filed against Ashley Madison, Forbes magazine reported that stolen documents highlight the company's information technology (I.T.) vendor relationships:

"In response to challenges of the data’s authenticity, Impact Team began a second series of dumps, including what appears to be essentially all corporate records, including source code, internal business documents and corporate emails of Avid Life Media/Ashley Madison... Within those hundreds of thousands of documents is one entitled Areas of Concern – Customer Data (abbreviated in this article, AoC)... The needle in the treasure trove haystack of corporate data... In the AoC, the IT business practices of Avid/Ashley Madison began to emerge, including its relationships with third party vendors. New Relic is mentioned as one of three third party IT vendors to Avid. Also mentioned in that document as vendors are OnX (publicly reported as being an Ashley Madison vendor) and Redis/Memcached (alternative open source caching tools)... The AoC identifies New Relic as being a customer data “concern” (worry), by mentioning that it could employ “a hacker/bad actor” who could gain access to customer data. There was nothing in the AoC to indicate any reason to call out New Relic as a third party vendor presenting particular customer data security risks."

Assuming the leaked documents are accurate, one reason why this is important:

"The existence of third party IT vendors may be of interest to the increasing numbers of plaintiffs suing Avid and Ashley Madison. These plaintiffs have, to date, apparently not named these vendors as defendants."

Noel Biderman, the chief executive at Avid Life Media, Ashley Madison's parent company, resigned last week. The Wired article highlighted another reason:

"... the Missouri suit states that its anonymous plaintiff paid a $19 fee to have Ashley Madison delete her personal information from its servers but failed to deliver on that service."


Silent Phone Calls Indicate The Start Of Identity Theft And Fraud

At some point we all have received these "silent" phone calls. After answering the call, there's nobody on the line. The call is silent and then we hang up. The problem is over, right?

Security experts reported that these "silent" phone calls can be the start of identity theft and fraud. An NPR report explained the identity theft and fraud process.

Step one is an Internet-based robocall (i.e., an automated call placed by computer) from anywhere in the world, usually offshore, whose only purpose is to confirm that your 10-digit phone number is live and that a person answers it. With the multitude of corporate data breaches, the criminals may have acquired your name and phone number from hackers. Step two is another robocall pretending to be your bank, computer company, collection agency, or tax agency, to trick you into revealing sensitive personal information (e.g., e-mail, address, age, bank name, bank account numbers, card numbers, etc.) over the phone.

NPR reported:

"... these robocalls are on the rise because Internet-powered phones make it cheap and easy for scammers to make illegal calls from anywhere in the world... researchers estimate 1 in every 2,200 calls is a fraud attempt."

Experts advise consumers not to disclose any personal information over the phone. Verify the caller first. Ask for their name, company name, e-mail address, phone number, website address, and how they acquired your phone number. (Most phone scammers will refuse or make excuses.) If they do provide contact information, check whether it matches contact information you can verify independently (e.g., the phone number on the back of your bank card). If it doesn't match, the caller is probably a scammer.

I always tell callers two things: a) I don't give out personal information over the phone, and b) I need to verify the caller first. If the caller provides a website address, I will check it during the phone call. If the site doesn't exist or looks crappy, that's a huge clue the caller is probably a scammer.

When you disclose personal information over the phone, the criminals proceed with step three of the process: they contact your bank or credit card company pretending to be you, using the personal information you provided, and take over your account by changing the address on it.

What should consumers do when they receive these robocalls? Experts advise that you simply hang up. Don't ask to be taken off their phone lists. Don't use their voicemail system to be removed from their calls. All that does is help the scammers verify that your number is live.

Parents: now you know what to teach your children about phone calls, privacy, and safety.